135 files changed, 0 insertions, 12469 deletions
diff --git a/src/lib/libcrypto/doc/DES_set_key.pod b/src/lib/libcrypto/doc/DES_set_key.pod
deleted file mode 100644
index d1bd43c592..0000000000
--- a/src/lib/libcrypto/doc/DES_set_key.pod
+++ /dev/null
@@ -1,339 +0,0 @@
-=pod
-=head1 NAME
-DES_random_key, DES_set_key, DES_key_sched, DES_set_key_checked,
-DES_set_key_unchecked, DES_set_odd_parity, DES_is_weak_key,
-DES_ecb_encrypt, DES_ecb2_encrypt, DES_ecb3_encrypt, DES_ncbc_encrypt,
-DES_cfb_encrypt, DES_ofb_encrypt, DES_pcbc_encrypt, DES_cfb64_encrypt,
-DES_ofb64_encrypt, DES_xcbc_encrypt, DES_ede2_cbc_encrypt,
-DES_ede2_cfb64_encrypt, DES_ede2_ofb64_encrypt, DES_ede3_cbc_encrypt,
-DES_ede3_cbcm_encrypt, DES_ede3_cfb64_encrypt, DES_ede3_ofb64_encrypt,
-DES_cbc_cksum, DES_quad_cksum, DES_string_to_key, DES_string_to_2keys,
-DES_fcrypt, DES_crypt, DES_enc_read, DES_enc_write - DES encryption
-=head1 SYNOPSIS
- #include <openssl/des.h>
- void DES_random_key(DES_cblock *ret);
- int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule);
- int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule);
- int DES_set_key_checked(const_DES_cblock *key,
-        DES_key_schedule *schedule);
- void DES_set_key_unchecked(const_DES_cblock *key,
-        DES_key_schedule *schedule);
- void DES_set_odd_parity(DES_cblock *key);
- int DES_is_weak_key(const_DES_cblock *key);
- void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
-        DES_key_schedule *ks, int enc);
- void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output,
-        DES_key_schedule *ks1, DES_key_schedule *ks2, int enc);
- void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
-        DES_key_schedule *ks1, DES_key_schedule *ks2,
-        DES_key_schedule *ks3, int enc);
- void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output,
-        long length, DES_key_schedule *schedule, DES_cblock *ivec,
-        int enc);
- void DES_cfb_encrypt(const unsigned char *in, unsigned char *out,
-        int numbits, long length, DES_key_schedule *schedule,
-        DES_cblock *ivec, int enc);
- void DES_ofb_encrypt(const unsigned char *in, unsigned char *out,
-        int numbits, long length, DES_key_schedule *schedule,
-        DES_cblock *ivec);
- void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output,
-        long length, DES_key_schedule *schedule, DES_cblock *ivec,
-        int enc);
- void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-        long length, DES_key_schedule *schedule, DES_cblock *ivec,
-        int *num, int enc);
- void DES_ofb64_encrypt(const unsigned char *in, unsigned char *out,
-        long length, DES_key_schedule *schedule, DES_cblock *ivec,
-        int *num);
- void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output,
-        long length, DES_key_schedule *schedule, DES_cblock *ivec,
-        const_DES_cblock *inw, const_DES_cblock *outw, int enc);
- void DES_ede2_cbc_encrypt(const unsigned char *input,
-        unsigned char *output, long length, DES_key_schedule *ks1,
-        DES_key_schedule *ks2, DES_cblock *ivec, int enc);
- void DES_ede2_cfb64_encrypt(const unsigned char *in,
-        unsigned char *out, long length, DES_key_schedule *ks1,
-        DES_key_schedule *ks2, DES_cblock *ivec, int *num, int enc);
- void DES_ede2_ofb64_encrypt(const unsigned char *in,
-        unsigned char *out, long length, DES_key_schedule *ks1,
-        DES_key_schedule *ks2, DES_cblock *ivec, int *num);
- void DES_ede3_cbc_encrypt(const unsigned char *input,
-        unsigned char *output, long length, DES_key_schedule *ks1,
-        DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec,
-        int enc);
- void DES_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
-        long length, DES_key_schedule *ks1, DES_key_schedule *ks2,
-        DES_key_schedule *ks3, DES_cblock *ivec1, DES_cblock *ivec2,
-        int enc);
- void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-        long length, DES_key_schedule *ks1, DES_key_schedule *ks2,
-        DES_key_schedule *ks3, DES_cblock *ivec, int *num, int enc);
- void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out,
-        long length, DES_key_schedule *ks1,
-        DES_key_schedule *ks2, DES_key_schedule *ks3,
-        DES_cblock *ivec, int *num);
- DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output,
-        long length, DES_key_schedule *schedule,
-        const_DES_cblock *ivec);
- DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[],
-        long length, int out_count, DES_cblock *seed);
- void DES_string_to_key(const char *str, DES_cblock *key);
- void DES_string_to_2keys(const char *str, DES_cblock *key1,
-        DES_cblock *key2);
- char *DES_fcrypt(const char *buf, const char *salt, char *ret);
- char *DES_crypt(const char *buf, const char *salt);
- int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
-        DES_cblock *iv);
- int DES_enc_write(int fd, const void *buf, int len,
-        DES_key_schedule *sched, DES_cblock *iv);
-=head1 DESCRIPTION
-This library contains a fast implementation of the DES encryption
-algorithm.
-There are two phases to the use of DES encryption.  The first is the
-generation of a I<DES_key_schedule> from a key, the second is the
-actual encryption.  A DES key is of type I<DES_cblock>. This type is
-consists of 8 bytes with odd parity.  The least significant bit in
-each byte is the parity bit.  The key schedule is an expanded form of
-the key; it is used to speed the encryption process.
-DES_random_key() generates a random key in odd parity.
-Before a DES key can be used, it must be converted into the
-architecture dependent I<DES_key_schedule> via the
-DES_set_key_checked() or DES_set_key_unchecked() function.
-DES_set_key_checked() will check that the key passed is of odd parity
-and is not a week or semi-weak key.  If the parity is wrong, then -1
-is returned.  If the key is a weak key, then -2 is returned.  If an
-error is returned, the key schedule is not generated.
-DES_set_key() works like
-DES_set_key_checked() if the I<DES_check_key> flag is non-zero,
-otherwise like DES_set_key_unchecked().  These functions are available
-for compatibility; it is recommended to use a function that does not
-depend on a global variable.
-DES_set_odd_parity() sets the parity of the passed I<key> to odd.
-DES_is_weak_key() returns 1 is the passed key is a weak key, 0 if it
-is ok.
-The following routines mostly operate on an input and output stream of
-I<DES_cblock>s.
-DES_ecb_encrypt() is the basic DES encryption routine that encrypts or
-decrypts a single 8-byte I<DES_cblock> in I<electronic code book>
-(ECB) mode.  It always transforms the input data, pointed to by
-I<input>, into the output data, pointed to by the I<output> argument.
-If the I<encrypt> argument is non-zero (DES_ENCRYPT), the I<input>
-(cleartext) is encrypted in to the I<output> (ciphertext) using the
-key_schedule specified by the I<schedule> argument, previously set via
-I<DES_set_key>. If I<encrypt> is zero (DES_DECRYPT), the I<input> (now
-ciphertext) is decrypted into the I<output> (now cleartext).  Input
-and output may overlap.  DES_ecb_encrypt() does not return a value.
-DES_ecb3_encrypt() encrypts/decrypts the I<input> block by using
-three-key Triple-DES encryption in ECB mode.  This involves encrypting
-the input with I<ks1>, decrypting with the key schedule I<ks2>, and
-then encrypting with I<ks3>.  This routine greatly reduces the chances
-of brute force breaking of DES and has the advantage of if I<ks1>,
-I<ks2> and I<ks3> are the same, it is equivalent to just encryption
-using ECB mode and I<ks1> as the key.
-The macro DES_ecb2_encrypt() is provided to perform two-key Triple-DES
-encryption by using I<ks1> for the final encryption.
-DES_ncbc_encrypt() encrypts/decrypts using the I<cipher-block-chaining>
-(CBC) mode of DES.  If the I<encrypt> argument is non-zero, the
-routine cipher-block-chain encrypts the cleartext data pointed to by
-the I<input> argument into the ciphertext pointed to by the I<output>
-argument, using the key schedule provided by the I<schedule> argument,
-and initialization vector provided by the I<ivec> argument.  If the
-I<length> argument is not an integral multiple of eight bytes, the
-last block is copied to a temporary area and zero filled.  The output
-is always an integral multiple of eight bytes.
-DES_xcbc_encrypt() is RSA's DESX mode of DES.  It uses I<inw> and
-I<outw> to 'whiten' the encryption.  I<inw> and I<outw> are secret
-(unlike the iv) and are as such, part of the key.  So the key is sort
-of 24 bytes.  This is much better than CBC DES.
-DES_ede3_cbc_encrypt() implements outer triple CBC DES encryption with
-three keys. This means that each DES operation inside the CBC mode is
-really an C<C=E(ks3,D(ks2,E(ks1,M)))>.  This mode is used by SSL.
-The DES_ede2_cbc_encrypt() macro implements two-key Triple-DES by
-reusing I<ks1> for the final encryption.  C<C=E(ks1,D(ks2,E(ks1,M)))>.
-This form of Triple-DES is used by the RSAREF library.
-DES_pcbc_encrypt() encrypt/decrypts using the propagating cipher block
-chaining mode used by Kerberos v4. Its parameters are the same as
-DES_ncbc_encrypt().
-DES_cfb_encrypt() encrypt/decrypts using cipher feedback mode.  This
-method takes an array of characters as input and outputs and array of
-characters.  It does not require any padding to 8 character groups.
-Note: the I<ivec> variable is changed and the new changed value needs to
-be passed to the next call to this function.  Since this function runs
-a complete DES ECB encryption per I<numbits>, this function is only
-suggested for use when sending small numbers of characters.
-DES_cfb64_encrypt()
-implements CFB mode of DES with 64bit feedback.  Why is this
-useful you ask?  Because this routine will allow you to encrypt an
-arbitrary number of bytes, no 8 byte padding.  Each call to this
-routine will encrypt the input bytes to output and then update ivec
-and num.  num contains 'how far' we are though ivec.  If this does
-not make much sense, read more about cfb mode of DES :-).
-DES_ede3_cfb64_encrypt() and DES_ede2_cfb64_encrypt() is the same as
-DES_cfb64_encrypt() except that Triple-DES is used.
-DES_ofb_encrypt() encrypts using output feedback mode.  This method
-takes an array of characters as input and outputs and array of
-characters.  It does not require any padding to 8 character groups.
-Note: the I<ivec> variable is changed and the new changed value needs to
-be passed to the next call to this function.  Since this function runs
-a complete DES ECB encryption per numbits, this function is only
-suggested for use when sending small numbers of characters.
-DES_ofb64_encrypt() is the same as DES_cfb64_encrypt() using Output
-Feed Back mode.
-DES_ede3_ofb64_encrypt() and DES_ede2_ofb64_encrypt() is the same as
-DES_ofb64_encrypt(), using Triple-DES.
-The following functions are included in the DES library for
-compatibility with the MIT Kerberos library.
-DES_cbc_cksum() produces an 8 byte checksum based on the input stream
-(via CBC encryption).  The last 4 bytes of the checksum are returned
-and the complete 8 bytes are placed in I<output>. This function is
-used by Kerberos v4.  Other applications should use
-L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead.
-DES_quad_cksum() is a Kerberos v4 function.  It returns a 4 byte
-checksum from the input bytes.  The algorithm can be iterated over the
-input, depending on I<out_count>, 1, 2, 3 or 4 times.  If I<output> is
-non-NULL, the 8 bytes generated by each pass are written into
-I<output>.
-The following are DES-based transformations:
-DES_fcrypt() is a fast version of the Unix crypt(3) function.  This
-version takes only a small amount of space relative to other fast
-crypt() implementations.  This is different to the normal crypt in
-that the third parameter is the buffer that the return value is
-written into.  It needs to be at least 14 bytes long.  This function
-is thread safe, unlike the normal crypt.
-DES_crypt() is a faster replacement for the normal system crypt().
-This function calls DES_fcrypt() with a static array passed as the
-third parameter.  This emulates the normal non-thread safe semantics
-of crypt(3).
-DES_enc_write() writes I<len> bytes to file descriptor I<fd> from
-buffer I<buf>. The data is encrypted via I<pcbc_encrypt> (default)
-using I<sched> for the key and I<iv> as a starting vector.  The actual
-data send down I<fd> consists of 4 bytes (in network byte order)
-containing the length of the following encrypted data.  The encrypted
-data then follows, padded with random data out to a multiple of 8
-bytes.
-DES_enc_read() is used to read I<len> bytes from file descriptor
-I<fd> into buffer I<buf>. The data being read from I<fd> is assumed to
-have come from DES_enc_write() and is decrypted using I<sched> for
-the key schedule and I<iv> for the initial vector.
-B<Warning:> The data format used by DES_enc_write() and DES_enc_read()
-has a cryptographic weakness: When asked to write more than MAXWRITE
-bytes, DES_enc_write() will split the data into several chunks that
-are all encrypted using the same IV.  So don't use these functions
-unless you are sure you know what you do (in which case you might not
-want to use them anyway).  They cannot handle non-blocking sockets.
-DES_enc_read() uses an internal state and thus cannot be used on
-multiple files.
-I<DES_rw_mode> is used to specify the encryption mode to use with
-DES_enc_read() and DES_end_write().  If set to I<DES_PCBC_MODE> (the
-default), DES_pcbc_encrypt is used.  If set to I<DES_CBC_MODE>
-DES_cbc_encrypt is used.
-=head1 NOTES
-Single-key DES is insecure due to its short key size.  ECB mode is
-not suitable for most applications.
-The L<evp(3)|evp(3)> library provides higher-level encryption functions.
-=head1 BUGS
-DES_cbc_encrypt() does not modify B<ivec>; use DES_ncbc_encrypt()
-instead.
-DES_cfb_encrypt() and DES_ofb_encrypt() operates on input of 8 bits.
-What this means is that if you set numbits to 12, and length to 2, the
-first 12 bits will come from the 1st input byte and the low half of
-the second input byte.  The second 12 bits will have the low 8 bits
-taken from the 3rd input byte and the top 4 bits taken from the 4th
-input byte.  The same holds for output.  This function has been
-implemented this way because most people will be using a multiple of 8
-and because once you get into pulling bytes input bytes apart things
-get ugly!
-DES_string_to_key() is available for backward compatibility with the
-MIT library.  New applications should use a cryptographic hash function.
-The same applies for DES_string_to_2key().
-=head1 CONFORMING TO
-ANSI X3.106
-The B<des> library was initially written to be source code compatible with
-the MIT Kerberos library.
-=head1 SEE ALSO
-crypt(3), L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
-=head1 HISTORY
-In OpenSSL 0.9.7, all des_ functions were renamed to DES_ to avoid
-clashes with older versions of libdes.
-DES_set_key_checked() and DES_set_key_unchecked() were added in
-OpenSSL 0.9.5.
-des_generate_random_block(), des_init_random_number_generator(),
-des_new_random_key(), des_set_random_generator_seed() and
-des_set_sequence_number() and des_rand_data() are used in newer
-versions of Kerberos but are not implemented here.
-DES_random_key() generated cryptographically weak random data in
-SSLeay and in OpenSSL prior version 0.9.5, as well as in the original
-MIT library.
-=head1 AUTHOR
-Eric Young (eay@cryptsoft.com). Modified for the OpenSSL project
-(http://www.openssl.org).
-=cut
diff --git a/src/lib/libcrypto/doc/DH_generate_key.pod b/src/lib/libcrypto/doc/DH_generate_key.pod
deleted file mode 100644
index 148e13762b..0000000000
--- a/src/lib/libcrypto/doc/DH_generate_key.pod
+++ /dev/null
@@ -1,51 +0,0 @@
-=pod
-=head1 NAME
-DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange
-=head1 SYNOPSIS
- #include <openssl/dh.h>
- int DH_generate_key(DH *dh);
- int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
-=head1 DESCRIPTION
-DH_generate_key() performs the first step of a Diffie-Hellman key
-exchange by generating private and public DH values. By calling
-DH_compute_key(), these are combined with the other party's public
-value to compute the shared key.
-DH_generate_key() expects B<dh> to contain the shared parameters
-B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value
-unless B<dh-E<gt>priv_key> is already set, and computes the
-corresponding public value B<dh-E<gt>pub_key>, which can then be
-published.
-DH_compute_key() computes the shared secret from the private DH value
-in B<dh> and the other party's public value in B<pub_key> and stores
-it in B<key>. B<key> must point to B<DH_size(dh)> bytes of memory.
-=head1 RETURN VALUES
-DH_generate_key() returns 1 on success, 0 otherwise.
-DH_compute_key() returns the size of the shared secret on success, -1
-on error.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DH_size(3)|DH_size(3)>
-=head1 HISTORY
-DH_generate_key() and DH_compute_key() are available in all versions
-of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/DH_generate_parameters.pod b/src/lib/libcrypto/doc/DH_generate_parameters.pod
deleted file mode 100644
index bd0782cb0c..0000000000
--- a/src/lib/libcrypto/doc/DH_generate_parameters.pod
+++ /dev/null
@@ -1,80 +0,0 @@
-=pod
-=head1 NAME
-DH_generate_parameters_ex, DH_generate_parameters,
-DH_check - generate and check Diffie-Hellman parameters
-=head1 SYNOPSIS
- #include <openssl/dh.h>
- int DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb);
- int DH_check(DH *dh, int *codes);
-Deprecated:
- DH *DH_generate_parameters(int prime_len, int generator,
-     void (*callback)(int, int, void *), void *cb_arg);
-=head1 DESCRIPTION
-DH_generate_parameters_ex() generates Diffie-Hellman parameters that can
-be shared among a group of users, and stores them in the provided B<DH>
-structure.
-B<prime_len> is the length in bits of the safe prime to be generated.
-B<generator> is a small number E<gt> 1, typically 2 or 5.
-A callback function may be used to provide feedback about the progress
-of the key generation. If B<cb> is not B<NULL>, it will be
-called as described in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime number is
-generated, and when a prime has been found, B<BN_GENCB_call(cb, 3, 0)> is
-called. See L<BN_generate_prime(3)|BN_generate_prime(3)> for information on
-the BN_GENCB_call() function.
-DH_check() validates Diffie-Hellman parameters. It checks that B<p> is
-a safe prime, and that B<g> is a suitable generator. In the case of an
-error, the bit flags DH_CHECK_P_NOT_SAFE_PRIME or
-DH_NOT_SUITABLE_GENERATOR are set in B<*codes>.
-DH_UNABLE_TO_CHECK_GENERATOR is set if the generator cannot be
-checked, i.e. it does not equal 2 or 5.
-=head1 RETURN VALUES
-DH_generate_parameters_ex() and DH_check() return 1 if the check could be
-performed, 0 otherwise.
-DH_generate_parameters() (deprecated) returns a pointer to the DH structure, or
-NULL if the parameter generation fails.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 NOTES
-DH_generate_parameters_ex() and DH_generate_parameters() may run for several
-hours before finding a suitable prime.
-The parameters generated by DH_generate_parameters_ex() and DH_generate_parameters()
-are not to be used in signature schemes.
-=head1 BUGS
-If B<generator> is not 2 or 5, B<dh-E<gt>g>=B<generator> is not
-a usable generator.
-=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DH_free(3)|DH_free(3)>
-=head1 HISTORY
-DH_check() is available in all versions of SSLeay and OpenSSL.
-The B<cb_arg> argument to DH_generate_parameters() was added in SSLeay 0.9.0.
-In versions before OpenSSL 0.9.5, DH_CHECK_P_NOT_STRONG_PRIME is used
-instead of DH_CHECK_P_NOT_SAFE_PRIME.
-=cut
diff --git a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
deleted file mode 100644
index 934ec094bb..0000000000
--- a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
+++ /dev/null
@@ -1,37 +0,0 @@
-=pod
-=head1 NAME
-DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific
-data to DH structures
-=head1 SYNOPSIS
- #include <openssl/dh.h>
- int DH_get_ex_new_index(long argl, void *argp,
-                CRYPTO_EX_new *new_func,
-                CRYPTO_EX_dup *dup_func,
-                CRYPTO_EX_free *free_func);
- int DH_set_ex_data(DH *d, int idx, void *arg);
- char *DH_get_ex_data(DH *d, int idx);
-=head1 DESCRIPTION
-These functions handle application specific data in DH
-structures. Their usage is identical to that of
-RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
-as described in L<RSA_get_ex_new_index(3)>.
-=head1 SEE ALSO
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dh(3)|dh(3)>
-=head1 HISTORY
-DH_get_ex_new_index(), DH_set_ex_data() and DH_get_ex_data() are
-available since OpenSSL 0.9.5.
-=cut
diff --git a/src/lib/libcrypto/doc/DH_new.pod b/src/lib/libcrypto/doc/DH_new.pod
deleted file mode 100644
index 0fdb7b9680..0000000000
--- a/src/lib/libcrypto/doc/DH_new.pod
+++ /dev/null
@@ -1,38 +0,0 @@
-=pod
-=head1 NAME
-DH_new, DH_free - allocate and free DH objects
-=head1 SYNOPSIS
- #include <openssl/dh.h>
- DH* DH_new(void);
- void DH_free(DH *dh);
-=head1 DESCRIPTION
-DH_new() allocates and initializes a B<DH> structure.
-DH_free() frees the B<DH> structure and its components. The values are
-erased before the memory is returned to the system.
-=head1 RETURN VALUES
-If the allocation fails, DH_new() returns B<NULL> and sets an error code that
-can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a
-pointer to the newly allocated structure.
-=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
-L<DH_generate_key(3)|DH_generate_key(3)>
-=head1 HISTORY
-DH_new() and DH_free() are available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/DH_set_method.pod b/src/lib/libcrypto/doc/DH_set_method.pod
deleted file mode 100644
index d82fe7377a..0000000000
--- a/src/lib/libcrypto/doc/DH_set_method.pod
+++ /dev/null
@@ -1,129 +0,0 @@
-=pod
-=head1 NAME
-DH_set_default_method, DH_get_default_method,
-DH_set_method, DH_new_method, DH_OpenSSL,
-DH_set_default_openssl_method, DH_get_default_openssl_method
- select DH method
-=head1 SYNOPSIS
- #include <openssl/dh.h>
- #include <openssl/engine.h>
- void DH_set_default_method(const DH_METHOD *meth);
- const DH_METHOD *DH_get_default_method(void);
- int DH_set_method(DH *dh, const DH_METHOD *meth);
- DH *DH_new_method(ENGINE *engine);
- const DH_METHOD *DH_OpenSSL(void);
-=head1 DESCRIPTION
-A B<DH_METHOD> specifies the functions that OpenSSL uses for Diffie-Hellman
-operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
-important information about how these DH API functions are affected by the use
-of B<ENGINE> API calls.
-Initially, the default DH_METHOD is the OpenSSL internal implementation, as
-returned by DH_OpenSSL().
-DH_set_default_method() makes B<meth> the default method for all DH
-structures created later. B<NB>: This is true only whilst no ENGINE has been set
-as a default for DH, so this function is no longer recommended.
-DH_get_default_method() returns a pointer to the current default DH_METHOD.
-However, the meaningfulness of this result is dependent on whether the ENGINE
-API is being used, so this function is no longer recommended.
-DH_set_method() selects B<meth> to perform all operations using the key B<dh>.
-This will replace the DH_METHOD used by the DH key and if the previous method
-was supplied by an ENGINE, the handle to that ENGINE will be released during the
-change. It is possible to have DH keys that only work with certain DH_METHOD
-implementations (eg. from an ENGINE module that supports embedded
-hardware-protected keys), and in such cases attempting to change the DH_METHOD
-for the key can have unexpected results.
-DH_new_method() allocates and initializes a DH structure so that B<engine> will
-be used for the DH operations. If B<engine> is NULL, the default ENGINE for DH
-operations is used, and if no default ENGINE is set, the DH_METHOD controlled by
-DH_set_default_method() is used.
-=head1 THE DH_METHOD STRUCTURE
- typedef struct dh_meth_st
- {
-     /* name of the implementation */
-        const char *name;
-     /* generate private and public DH values for key agreement */
-        int (*generate_key)(DH *dh);
-     /* compute shared secret */
-        int (*compute_key)(unsigned char *key, BIGNUM *pub_key, DH *dh);
-     /* compute r = a ^ p mod m (May be NULL for some implementations) */
-        int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                                const BIGNUM *m, BN_CTX *ctx,
-                                BN_MONT_CTX *m_ctx);
-     /* called at DH_new */
-        int (*init)(DH *dh);
-     /* called at DH_free */
-        int (*finish)(DH *dh);
-        int flags;
-        char *app_data; /* ?? */
- } DH_METHOD;
-=head1 RETURN VALUES
-DH_OpenSSL() and DH_get_default_method() return pointers to the respective
-B<DH_METHOD>s.
-DH_set_method() returns non-zero if the provided B<meth> was successfully set as
-the method for B<dh> (including unloading the ENGINE handle if the previous
-method was supplied by an ENGINE).
-DH_new_method() returns NULL and sets an error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
-returns a pointer to the newly allocated structure.
-=head1 NOTES
-As of version 0.9.7, DH_METHOD implementations are grouped together with other
-algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
-default ENGINE is specified for DH functionality using an ENGINE API function,
-that will override any DH defaults set using the DH API (ie.
-DH_set_default_method()). For this reason, the ENGINE API is the recommended way
-to control default implementations for use in DH and other cryptographic
-algorithms.
-=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<DH_new(3)|DH_new(3)>
-=head1 HISTORY
-DH_set_default_method(), DH_get_default_method(), DH_set_method(),
-DH_new_method() and DH_OpenSSL() were added in OpenSSL 0.9.4.
-DH_set_default_openssl_method() and DH_get_default_openssl_method() replaced
-DH_set_default_method() and DH_get_default_method() respectively, and
-DH_set_method() and DH_new_method() were altered to use B<ENGINE>s rather than
-B<DH_METHOD>s during development of the engine version of OpenSSL 0.9.6. For
-0.9.7, the handling of defaults in the ENGINE API was restructured so that this
-change was reversed, and behaviour of the other functions resembled more closely
-the previous behaviour. The behaviour of defaults in the ENGINE API now
-transparently overrides the behaviour of defaults in the DH API without
-requiring changing these function prototypes.
-=cut
diff --git a/src/lib/libcrypto/doc/DH_size.pod b/src/lib/libcrypto/doc/DH_size.pod
deleted file mode 100644
index 97f26fda78..0000000000
--- a/src/lib/libcrypto/doc/DH_size.pod
+++ /dev/null
@@ -1,33 +0,0 @@
-=pod
-=head1 NAME
-DH_size - get Diffie-Hellman prime size
-=head1 SYNOPSIS
- #include <openssl/dh.h>
- int DH_size(DH *dh);
-=head1 DESCRIPTION
-This function returns the Diffie-Hellman size in bytes. It can be used
-to determine how much memory must be allocated for the shared secret
-computed by DH_compute_key().
-B<dh-E<gt>p> must not be B<NULL>.
-=head1 RETURN VALUE
-The size in bytes.
-=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<DH_generate_key(3)|DH_generate_key(3)>
-=head1 HISTORY
-DH_size() is available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_SIG_new.pod b/src/lib/libcrypto/doc/DSA_SIG_new.pod
deleted file mode 100644
index 77aa649db0..0000000000
--- a/src/lib/libcrypto/doc/DSA_SIG_new.pod
+++ /dev/null
@@ -1,38 +0,0 @@
-=pod
-=head1 NAME
-DSA_SIG_new, DSA_SIG_free - allocate and free DSA signature objects
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- DSA_SIG *DSA_SIG_new(void);
- void   DSA_SIG_free(DSA_SIG *a);
-=head1 DESCRIPTION
-DSA_SIG_new() allocates and initializes a B<DSA_SIG> structure.
-DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The
-values are erased before the memory is returned to the system.
-=head1 RETURN VALUES
-If the allocation fails, DSA_SIG_new() returns B<NULL> and sets an
-error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
-to the newly allocated structure.
-=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DSA_do_sign(3)|DSA_do_sign(3)>
-=head1 HISTORY
-DSA_SIG_new() and DSA_SIG_free() were added in OpenSSL 0.9.3.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_do_sign.pod b/src/lib/libcrypto/doc/DSA_do_sign.pod
deleted file mode 100644
index 5dfc733b20..0000000000
--- a/src/lib/libcrypto/doc/DSA_do_sign.pod
+++ /dev/null
@@ -1,47 +0,0 @@
-=pod
-=head1 NAME
-DSA_do_sign, DSA_do_verify - raw DSA signature operations
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
- int DSA_do_verify(const unsigned char *dgst, int dgst_len,
-             DSA_SIG *sig, DSA *dsa);
-=head1 DESCRIPTION
-DSA_do_sign() computes a digital signature on the B<len> byte message
-digest B<dgst> using the private key B<dsa> and returns it in a
-newly allocated B<DSA_SIG> structure.
-L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part
-of the signing operation in case signature generation is
-time-critical.
-DSA_do_verify() verifies that the signature B<sig> matches a given
-message digest B<dgst> of size B<len>.  B<dsa> is the signer's public
-key.
-=head1 RETURN VALUES
-DSA_do_sign() returns the signature, NULL on error.  DSA_do_verify()
-returns 1 for a valid signature, 0 for an incorrect signature and -1
-on error. The error codes can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_SIG_new(3)|DSA_SIG_new(3)>,
-L<DSA_sign(3)|DSA_sign(3)>
-=head1 HISTORY
-DSA_do_sign() and DSA_do_verify() were added in OpenSSL 0.9.3.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_dup_DH.pod b/src/lib/libcrypto/doc/DSA_dup_DH.pod
deleted file mode 100644
index 7f6f0d1115..0000000000
--- a/src/lib/libcrypto/doc/DSA_dup_DH.pod
+++ /dev/null
@@ -1,36 +0,0 @@
-=pod
-=head1 NAME
-DSA_dup_DH - create a DH structure out of DSA structure
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- DH * DSA_dup_DH(const DSA *r);
-=head1 DESCRIPTION
-DSA_dup_DH() duplicates DSA parameters/keys as DH parameters/keys. q
-is lost during that conversion, but the resulting DH parameters
-contain its length.
-=head1 RETURN VALUE
-DSA_dup_DH() returns the new B<DH> structure, and NULL on error. The
-error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 NOTE
-Be careful to avoid small subgroup attacks when using this.
-=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-=head1 HISTORY
-DSA_dup_DH() was added in OpenSSL 0.9.4.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_generate_key.pod b/src/lib/libcrypto/doc/DSA_generate_key.pod
deleted file mode 100644
index 069a05767c..0000000000
--- a/src/lib/libcrypto/doc/DSA_generate_key.pod
+++ /dev/null
@@ -1,32 +0,0 @@
-=pod
-=head1 NAME
-DSA_generate_key - generate DSA key pair
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- int DSA_generate_key(DSA *a);
-=head1 DESCRIPTION
-DSA_generate_key() expects B<a> to contain DSA parameters. It generates
-a new key pair and stores it in B<a-E<gt>pub_key> and B<a-E<gt>priv_key>.
-=head1 RETURN VALUE
-DSA_generate_key() returns 1 on success, 0 otherwise.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
-=head1 HISTORY
-DSA_generate_key() is available since SSLeay 0.8.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_generate_parameters.pod b/src/lib/libcrypto/doc/DSA_generate_parameters.pod
deleted file mode 100644
index 698b555a0e..0000000000
--- a/src/lib/libcrypto/doc/DSA_generate_parameters.pod
+++ /dev/null
@@ -1,122 +0,0 @@
-=pod
-=head1 NAME
-DSA_generate_parameters_ex, DSA_generate_parameters - generate DSA parameters
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- int DSA_generate_parameters_ex(DSA *dsa, int bits,
-                const unsigned char *seed,int seed_len,
-                int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
-Deprecated:
- DSA *DSA_generate_parameters(int bits, unsigned char *seed,
-                int seed_len, int *counter_ret, unsigned long *h_ret,
-                void (*callback)(int, int, void *), void *cb_arg);
-=head1 DESCRIPTION
-DSA_generate_parameters_ex() generates primes p and q and a generator g
-for use in the DSA and stores the result in B<dsa>.
-B<bits> is the length of the prime to be generated; the DSS allows a
-maximum of 1024 bits.
-If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
-generated at random. Otherwise, the seed is used to generate
-them. If the given seed does not yield a prime q, a new random
-seed is chosen and placed at B<seed>.
-DSA_generate_parameters_ex() places the iteration count in
-*B<counter_ret> and a counter used for finding a generator in
-*B<h_ret>, unless these are B<NULL>.
-A callback function may be used to provide feedback about the progress
-of the key generation. If B<cb> is not B<NULL>, it will be
-called as shown below. For information on the BN_GENCB structure and the
-BN_GENCB_call function discussed below, refer to
-L<BN_generate_prime(3)|BN_generate_prime(3)>.
-=over 4
-=item *
-When a candidate for q is generated, B<BN_GENCB_call(cb, 0, m++)> is called
-(m is 0 for the first candidate).
-=item *
-When a candidate for q has passed a test by trial division,
-B<BN_GENCB_call(cb, 1, -1)> is called.
-While a candidate for q is tested by Miller-Rabin primality tests,
-B<BN_GENCB_call(cb, 1, i)> is called in the outer loop
-(once for each witness that confirms that the candidate may be prime);
-i is the loop counter (starting at 0).
-=item *
-When a prime q has been found, B<BN_GENCB_call(cb, 2, 0)> and
-B<BN_GENCB_call(cb, 3, 0)> are called.
-=item *
-Before a candidate for p (other than the first) is generated and tested,
-B<BN_GENCB_call(cb, 0, counter)> is called.
-=item *
-When a candidate for p has passed the test by trial division,
-B<BN_GENCB_call(cb, 1, -1)> is called.
-While it is tested by the Miller-Rabin primality test,
-B<BN_GENCB_call(cb, 1, i)> is called in the outer loop
-(once for each witness that confirms that the candidate may be prime).
-i is the loop counter (starting at 0).
-=item *
-When p has been found, B<BN_GENCB_call(cb, 2, 1)> is called.
-=item *
-When the generator has been found, B<BN_GENCB_call(cb, 3, 1)> is called.
-=back
-DSA_generate_parameters() (deprecated) works in much the same way as for DSA_generate_parameters_ex, except that no B<dsa> parameter is passed and
-instead a newly allocated B<DSA> structure is returned. Additionally "old
-style" callbacks are used instead of the newer BN_GENCB based approach.
-Refer to L<BN_generate_prime(3)|BN_generate_prime(3)> for further information.
-=head1 RETURN VALUE
-DSA_generate_parameters_ex() returns a 1 on success, or 0 otherwise.
-DSA_generate_parameters() returns a pointer to the DSA structure, or
-B<NULL> if the parameter generation fails.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 BUGS
-Seed lengths E<gt> 20 are not supported.
-=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_free(3)|DSA_free(3)>, L<BN_generate_prime(3)|BN_generate_prime(3)>
-=head1 HISTORY
-DSA_generate_parameters() appeared in SSLeay 0.8. The B<cb_arg>
-argument was added in SSLeay 0.9.0.
-In versions up to OpenSSL 0.9.4, B<callback(1, ...)> was called
-in the inner loop of the Miller-Rabin test whenever it reached the
-squaring step (the parameters to B<callback> did not reveal how many
-witnesses had been tested); since OpenSSL 0.9.5, B<callback(1, ...)>
-is called as in BN_is_prime(3), i.e. once for each witness.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod b/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod
deleted file mode 100644
index e2fcabf370..0000000000
--- a/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod
+++ /dev/null
@@ -1,37 +0,0 @@
-=pod
-=head1 NAME
-DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application
-specific data to DSA structures
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- int DSA_get_ex_new_index(long argl, void *argp,
-                CRYPTO_EX_new *new_func,
-                CRYPTO_EX_dup *dup_func,
-                CRYPTO_EX_free *free_func);
- int DSA_set_ex_data(DSA *d, int idx, void *arg);
- char *DSA_get_ex_data(DSA *d, int idx);
-=head1 DESCRIPTION
-These functions handle application specific data in DSA
-structures. Their usage is identical to that of
-RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
-as described in L<RSA_get_ex_new_index(3)>.
-=head1 SEE ALSO
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dsa(3)|dsa(3)>
-=head1 HISTORY
-DSA_get_ex_new_index(), DSA_set_ex_data() and DSA_get_ex_data() are
-available since OpenSSL 0.9.5.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_new.pod b/src/lib/libcrypto/doc/DSA_new.pod
deleted file mode 100644
index e1e30b9a07..0000000000
--- a/src/lib/libcrypto/doc/DSA_new.pod
+++ /dev/null
@@ -1,40 +0,0 @@
-=pod
-=head1 NAME
-DSA_new, DSA_free - allocate and free DSA objects
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- DSA* DSA_new(void);
- void DSA_free(DSA *dsa);
-=head1 DESCRIPTION
-DSA_new() allocates and initializes a B<DSA> structure. It is equivalent to
-calling DSA_new_method(NULL).
-DSA_free() frees the B<DSA> structure and its components. The values are
-erased before the memory is returned to the system.
-=head1 RETURN VALUES
-If the allocation fails, DSA_new() returns B<NULL> and sets an error
-code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
-to the newly allocated structure.
-=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
-L<DSA_generate_key(3)|DSA_generate_key(3)>
-=head1 HISTORY
-DSA_new() and DSA_free() are available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_set_method.pod b/src/lib/libcrypto/doc/DSA_set_method.pod
deleted file mode 100644
index bc57a3e8e2..0000000000
--- a/src/lib/libcrypto/doc/DSA_set_method.pod
+++ /dev/null
@@ -1,143 +0,0 @@
-=pod
-=head1 NAME
-DSA_set_default_method, DSA_get_default_method,
-DSA_set_method, DSA_new_method, DSA_OpenSSL,
-DSA_set_default_openssl_method, DSA_get_default_openssl_method
- select DSA method
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- #include <openssl/engine.h>
- void DSA_set_default_method(const DSA_METHOD *meth);
- const DSA_METHOD *DSA_get_default_method(void);
- int DSA_set_method(DSA *dsa, const DSA_METHOD *meth);
- DSA *DSA_new_method(ENGINE *engine);
- DSA_METHOD *DSA_OpenSSL(void);
-=head1 DESCRIPTION
-A B<DSA_METHOD> specifies the functions that OpenSSL uses for DSA
-operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
-important information about how these DSA API functions are affected by the use
-of B<ENGINE> API calls.
-Initially, the default DSA_METHOD is the OpenSSL internal implementation,
-as returned by DSA_OpenSSL().
-DSA_set_default_method() makes B<meth> the default method for all DSA
-structures created later. B<NB>: This is true only whilst no ENGINE has
-been set as a default for DSA, so this function is no longer recommended.
-DSA_get_default_method() returns a pointer to the current default
-DSA_METHOD. However, the meaningfulness of this result is dependent on
-whether the ENGINE API is being used, so this function is no longer
-recommended.
-DSA_set_method() selects B<meth> to perform all operations using the key
-B<rsa>. This will replace the DSA_METHOD used by the DSA key and if the
-previous method was supplied by an ENGINE, the handle to that ENGINE will
-be released during the change. It is possible to have DSA keys that only
-work with certain DSA_METHOD implementations (eg. from an ENGINE module
-that supports embedded hardware-protected keys), and in such cases
-attempting to change the DSA_METHOD for the key can have unexpected
-results.
-DSA_new_method() allocates and initializes a DSA structure so that B<engine>
-will be used for the DSA operations. If B<engine> is NULL, the default engine
-for DSA operations is used, and if no default ENGINE is set, the DSA_METHOD
-controlled by DSA_set_default_method() is used.
-=head1 THE DSA_METHOD STRUCTURE
-struct
- {
-     /* name of the implementation */
-        const char *name;
-     /* sign */
-        DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen,
-                                 DSA *dsa);
-     /* pre-compute k^-1 and r */
-        int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-                                 BIGNUM **rp);
-     /* verify */
-        int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
-                                 DSA_SIG *sig, DSA *dsa);
-     /* compute rr = a1^p1 * a2^p2 mod m (May be NULL for some
-                                          implementations) */
-        int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
-                                 BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
-                                 BN_CTX *ctx, BN_MONT_CTX *in_mont);
-     /* compute r = a ^ p mod m (May be NULL for some implementations) */
-        int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a,
-                                 const BIGNUM *p, const BIGNUM *m,
-                                 BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-     /* called at DSA_new */
-        int (*init)(DSA *DSA);
-     /* called at DSA_free */
-        int (*finish)(DSA *DSA);
-        int flags;
-        char *app_data; /* ?? */
- } DSA_METHOD;
-=head1 RETURN VALUES
-DSA_OpenSSL() and DSA_get_default_method() return pointers to the respective
-B<DSA_METHOD>s.
-DSA_set_method() returns non-zero if the provided B<meth> was successfully set
-as the method for B<dsa> (including unloading the ENGINE handle if the previous
-method was supplied by an ENGINE).
-DSA_new_method() returns NULL and sets an error code that can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation
-fails. Otherwise it returns a pointer to the newly allocated structure.
-=head1 NOTES
-As of version 0.9.7, DSA_METHOD implementations are grouped together with other
-algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
-default ENGINE is specified for DSA functionality using an ENGINE API function,
-that will override any DSA defaults set using the DSA API (ie.
-DSA_set_default_method()). For this reason, the ENGINE API is the recommended
-way to control default implementations for use in DSA and other cryptographic
-algorithms.
-=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
-=head1 HISTORY
-DSA_set_default_method(), DSA_get_default_method(), DSA_set_method(),
-DSA_new_method() and DSA_OpenSSL() were added in OpenSSL 0.9.4.
-DSA_set_default_openssl_method() and DSA_get_default_openssl_method() replaced
-DSA_set_default_method() and DSA_get_default_method() respectively, and
-DSA_set_method() and DSA_new_method() were altered to use B<ENGINE>s rather than
-B<DSA_METHOD>s during development of the engine version of OpenSSL 0.9.6. For
-0.9.7, the handling of defaults in the ENGINE API was restructured so that this
-change was reversed, and behaviour of the other functions resembled more closely
-the previous behaviour. The behaviour of defaults in the ENGINE API now
-transparently overrides the behaviour of defaults in the DSA API without
-requiring changing these function prototypes.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_sign.pod b/src/lib/libcrypto/doc/DSA_sign.pod
deleted file mode 100644
index 4e78a71390..0000000000
--- a/src/lib/libcrypto/doc/DSA_sign.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=pod
-=head1 NAME
-DSA_sign, DSA_sign_setup, DSA_verify - DSA signatures
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- int    DSA_sign(int type, const unsigned char *dgst, int len,
-                unsigned char *sigret, unsigned int *siglen, DSA *dsa);
- int    DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
-                BIGNUM **rp);
- int    DSA_verify(int type, const unsigned char *dgst, int len,
-                unsigned char *sigbuf, int siglen, DSA *dsa);
-=head1 DESCRIPTION
-DSA_sign() computes a digital signature on the B<len> byte message
-digest B<dgst> using the private key B<dsa> and places its ASN.1 DER
-encoding at B<sigret>. The length of the signature is places in
-*B<siglen>. B<sigret> must point to DSA_size(B<dsa>) bytes of memory.
-DSA_sign_setup() may be used to precompute part of the signing
-operation in case signature generation is time-critical. It expects
-B<dsa> to contain DSA parameters. It places the precomputed values
-in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing
-the old ones unless *B<kinvp> and *B<rp> are NULL. These values may
-be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>.
-B<ctx> is a pre-allocated B<BN_CTX> or NULL.
-DSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
-matches a given message digest B<dgst> of size B<len>.
-B<dsa> is the signer's public key.
-The B<type> parameter is ignored.
-=head1 RETURN VALUES
-DSA_sign() and DSA_sign_setup() return 1 on success, 0 on error.
-DSA_verify() returns 1 for a valid signature, 0 for an incorrect
-signature and -1 on error. The error codes can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 CONFORMING TO
-US Federal Information Processing Standard FIPS 186 (Digital Signature
-Standard, DSS), ANSI X9.30
-=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_do_sign(3)|DSA_do_sign(3)>
-=head1 HISTORY
-DSA_sign() and DSA_verify() are available in all versions of SSLeay.
-DSA_sign_setup() was added in SSLeay 0.8.
-=cut
diff --git a/src/lib/libcrypto/doc/DSA_size.pod b/src/lib/libcrypto/doc/DSA_size.pod
deleted file mode 100644
index ba4f650361..0000000000
--- a/src/lib/libcrypto/doc/DSA_size.pod
+++ /dev/null
@@ -1,33 +0,0 @@
-=pod
-=head1 NAME
-DSA_size - get DSA signature size
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- int DSA_size(const DSA *dsa);
-=head1 DESCRIPTION
-This function returns the size of an ASN.1 encoded DSA signature in
-bytes. It can be used to determine how much memory must be allocated
-for a DSA signature.
-B<dsa-E<gt>q> must not be B<NULL>.
-=head1 RETURN VALUE
-The size in bytes.
-=head1 SEE ALSO
-L<dsa(3)|dsa(3)>, L<DSA_sign(3)|DSA_sign(3)>
-=head1 HISTORY
-DSA_size() is available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/EC_GFp_simple_method.pod b/src/lib/libcrypto/doc/EC_GFp_simple_method.pod
deleted file mode 100644
index aff20ac175..0000000000
--- a/src/lib/libcrypto/doc/EC_GFp_simple_method.pod
+++ /dev/null
@@ -1,60 +0,0 @@
-=pod
-=head1 NAME
-EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method, EC_GFp_nistp224_method, EC_GFp_nistp256_method, EC_GFp_nistp521_method, EC_GF2m_simple_method, EC_METHOD_get_field_type - Functions for obtaining B<EC_METHOD> objects.
-=head1 SYNOPSIS
- #include <openssl/ec.h>
- const EC_METHOD *EC_GFp_simple_method(void);
- const EC_METHOD *EC_GFp_mont_method(void);
- const EC_METHOD *EC_GFp_nist_method(void);
- const EC_METHOD *EC_GFp_nistp224_method(void);
- const EC_METHOD *EC_GFp_nistp256_method(void);
- const EC_METHOD *EC_GFp_nistp521_method(void);
- const EC_METHOD *EC_GF2m_simple_method(void);
- int EC_METHOD_get_field_type(const EC_METHOD *meth);
-=head1 DESCRIPTION
-The Elliptic Curve library provides a number of different implementations through a single common interface.
-When constructing a curve using EC_GROUP_new (see L<EC_GROUP_new(3)|EC_GROUP_new(3)>) an
-implementation method must be provided. The functions described here all return a const pointer to an
-B<EC_METHOD> structure that can be passed to EC_GROUP_NEW. It is important that the correct implementation
-type for the form of curve selected is used.
-For F2^m curves there is only one implementation choice, i.e. EC_GF2_simple_method.
-For Fp curves the lowest common denominator implementation is the EC_GFp_simple_method implementation. All
-other implementations are based on this one. EC_GFp_mont_method builds on EC_GFp_simple_method but adds the
-use of montgomery multiplication (see L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>). EC_GFp_nist_method
-offers an implementation optimised for use with NIST recommended curves (NIST curves are available through
-EC_GROUP_new_by_curve_name as described in L<EC_GROUP_new(3)|EC_GROUP_new(3)>).
-The functions EC_GFp_nistp224_method, EC_GFp_nistp256_method and EC_GFp_nistp521_method offer 64 bit
-optimised implementations for the NIST P224, P256 and P521 curves respectively. Note, however, that these
-implementations are not available on all platforms.
-EC_METHOD_get_field_type identifies what type of field the EC_METHOD structure supports, which will be either
-F2^m or Fp. If the field type is Fp then the value B<NID_X9_62_prime_field> is returned. If the field type is
-F2^m then the value B<NID_X9_62_characteristic_two_field> is returned. These values are defined in the
-obj_mac.h header file.
-=head1 RETURN VALUES
-All EC_GFp* functions and EC_GF2m_simple_method always return a const pointer to an EC_METHOD structure.
-EC_METHOD_get_field_type returns an integer that identifies the type of field the EC_METHOD structure supports.
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>,
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EC_GROUP_copy.pod b/src/lib/libcrypto/doc/EC_GROUP_copy.pod
deleted file mode 100644
index d4896af1d5..0000000000
--- a/src/lib/libcrypto/doc/EC_GROUP_copy.pod
+++ /dev/null
@@ -1,174 +0,0 @@
-=pod
-=head1 NAME
-EC_GROUP_copy, EC_GROUP_dup, EC_GROUP_method_of, EC_GROUP_set_generator, EC_GROUP_get0_generator, EC_GROUP_get_order, EC_GROUP_get_cofactor, EC_GROUP_set_curve_name, EC_GROUP_get_curve_name, EC_GROUP_set_asn1_flag, EC_GROUP_get_asn1_flag, EC_GROUP_set_point_conversion_form, EC_GROUP_get_point_conversion_form, EC_GROUP_get0_seed, EC_GROUP_get_seed_len, EC_GROUP_set_seed, EC_GROUP_get_degree, EC_GROUP_check, EC_GROUP_check_discriminant, EC_GROUP_cmp, EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis, EC_GROUP_get_pentanomial_basis - Functions for manipulating B<EC_GROUP> objects.
-=head1 SYNOPSIS
- #include <openssl/ec.h>
- #include <openssl/bn.h>
- int EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src);
- EC_GROUP *EC_GROUP_dup(const EC_GROUP *src);
- const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);
- int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
- const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group);
- int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx);
- int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx);
- void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
- int EC_GROUP_get_curve_name(const EC_GROUP *group);
- void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
- int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
- void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
- point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
- unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
- size_t EC_GROUP_get_seed_len(const EC_GROUP *);
- size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
- int EC_GROUP_get_degree(const EC_GROUP *group);
- int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx);
- int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx);
- int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx);
- int EC_GROUP_get_basis_type(const EC_GROUP *);
- int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
- int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, 
-        unsigned int *k2, unsigned int *k3);
-=head1 DESCRIPTION
-EC_GROUP_copy copies the curve B<src> into B<dst>. Both B<src> and B<dst> must use the same EC_METHOD.
-EC_GROUP_dup creates a new EC_GROUP object and copies the content from B<src> to the newly created
-EC_GROUP object.
-EC_GROUP_method_of obtains the EC_METHOD of B<group>.
-EC_GROUP_set_generator sets curve paramaters that must be agreed by all participants using the curve. These
-paramaters include the B<generator>, the B<order> and the B<cofactor>. The B<generator> is a well defined point on the
-curve chosen for cryptographic operations. Integers used for point multiplications will be between 0 and
-n-1 where n is the B<order>. The B<order> multipied by the B<cofactor> gives the number of points on the curve.
-EC_GROUP_get0_generator returns the generator for the identified B<group>.
-The functions EC_GROUP_get_order and EC_GROUP_get_cofactor populate the provided B<order> and B<cofactor> parameters
-with the respective order and cofactors for the B<group>.
-The functions EC_GROUP_set_curve_name and EC_GROUP_get_curve_name, set and get the NID for the curve respectively
-(see L<EC_GROUP_new(3)|EC_GROUP_new(3)>). If a curve does not have a NID associated with it, then EC_GROUP_get_curve_name
-will return 0.
-The asn1_flag value on a curve is used to determine whether there is a specific ASN1 OID to describe the curve or not.
-If the asn1_flag is 1 then this is a named curve with an associated ASN1 OID. If not then asn1_flag is 0. The functions
-EC_GROUP_get_asn1_flag and EC_GROUP_set_asn1_flag get and set the status of the asn1_flag for the curve. If set then
-the curve_name must also be set.
-The point_conversion_form for a curve controls how EC_POINT data is encoded as ASN1 as defined in X9.62 (ECDSA).
-point_conversion_form_t is an enum defined as follows: 
- typedef enum {
-        /** the point is encoded as z||x, where the octet z specifies 
-         *   which solution of the quadratic equation y is  */
-        POINT_CONVERSION_COMPRESSED = 2,
-        /** the point is encoded as z||x||y, where z is the octet 0x02  */
-        POINT_CONVERSION_UNCOMPRESSED = 4,
-        /** the point is encoded as z||x||y, where the octet z specifies
-         *  which solution of the quadratic equation y is  */
-        POINT_CONVERSION_HYBRID = 6
- } point_conversion_form_t;
- 
-For POINT_CONVERSION_UNCOMPRESSED the point is encoded as an octet signifying the UNCOMPRESSED form has been used followed by
-the octets for x, followed by the octets for y.
-For any given x co-ordinate for a point on a curve it is possible to derive two possible y values. For
-POINT_CONVERSION_COMPRESSED the point is encoded as an octet signifying that the COMPRESSED form has been used AND which of
-the two possible solutions for y has been used, followed by the octets for x. 
-For POINT_CONVERSION_HYBRID the point is encoded as an octet signifying the HYBRID form has been used AND which of the two
-possible solutions for y has been used, followed by the octets for x, followed by the octets for y.
-The functions EC_GROUP_set_point_conversion_form and EC_GROUP_get_point_conversion_form set and get the point_conversion_form
-for the curve respectively.
-ANSI X9.62 (ECDSA standard) defines a method of generating the curve parameter b from a random number. This provides advantages
-in that a parameter obtained in this way is highly unlikely to be susceptible to special purpose attacks, or have any trapdoors in it.
-If the seed is present for a curve then the b parameter was generated in a verifiable fashion using that seed. The OpenSSL EC library
-does not use this seed value but does enable you to inspect it using EC_GROUP_get0_seed. This returns a pointer to a memory block
-containing the seed that was used. The length of the memory block can be obtained using EC_GROUP_get_seed_len. A number of the
-builtin curves within the library provide seed values that can be obtained. It is also possible to set a custom seed using
-EC_GROUP_set_seed and passing a pointer to a memory block, along with the length of the seed. Again, the EC library will not use
-this seed value, although it will be preserved in any ASN1 based communications.
-EC_GROUP_get_degree gets the degree of the field. For Fp fields this will be the number of bits in p.  For F2^m fields this will be
-the value m.
-The function EC_GROUP_check_discriminant calculates the discriminant for the curve and verifies that it is valid.
-For a curve defined over Fp the discriminant is given by the formula 4*a^3 + 27*b^2 whilst for F2^m curves the discriminant is
-simply b. In either case for the curve to be valid the discriminant must be non zero.
-The function EC_GROUP_check performs a number of checks on a curve to verify that it is valid. Checks performed include
-verifying that the discriminant is non zero; that a generator has been defined; that the generator is on the curve and has
-the correct order.
-EC_GROUP_cmp compares B<a> and B<b> to determine whether they represent the same curve or not.
-The functions EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis and EC_GROUP_get_pentanomial_basis should only be called for curves
-defined over an F2^m field. Addition and multiplication operations within an F2^m field are performed using an irreducible polynomial
-function f(x). This function is either a trinomial of the form:
-f(x) = x^m + x^k + 1 with m > k >= 1
-or a pentanomial of the form:
-f(x) = x^m + x^k3 + x^k2 + x^k1 + 1 with m > k3 > k2 > k1 >= 1
-The function EC_GROUP_get_basis_type returns a NID identifying whether a trinomial or pentanomial is in use for the field. The
-function EC_GROUP_get_trinomial_basis must only be called where f(x) is of the trinomial form, and returns the value of B<k>. Similarly
-the function EC_GROUP_get_pentanomial_basis must only be called where f(x) is of the pentanomial form, and returns the values of B<k1>,
-B<k2> and B<k3> respectively.
-=head1 RETURN VALUES
-The following functions return 1 on success or 0 on error: EC_GROUP_copy, EC_GROUP_set_generator, EC_GROUP_check,
-EC_GROUP_check_discriminant, EC_GROUP_get_trinomial_basis and EC_GROUP_get_pentanomial_basis.
-EC_GROUP_dup returns a pointer to the duplicated curve, or NULL on error.
-EC_GROUP_method_of returns the EC_METHOD implementation in use for the given curve or NULL on error.
-EC_GROUP_get0_generator returns the generator for the given curve or NULL on error.
-EC_GROUP_get_order, EC_GROUP_get_cofactor, EC_GROUP_get_curve_name, EC_GROUP_get_asn1_flag, EC_GROUP_get_point_conversion_form
-and EC_GROUP_get_degree return the order, cofactor, curve name (NID), ASN1 flag, point_conversion_form and degree for the
-specified curve respectively. If there is no curve name associated with a curve then EC_GROUP_get_curve_name will return 0.
-EC_GROUP_get0_seed returns a pointer to the seed that was used to generate the parameter b, or NULL if the seed is not
-specified. EC_GROUP_get_seed_len returns the length of the seed or 0 if the seed is not specified.
-EC_GROUP_set_seed returns the length of the seed that has been set. If the supplied seed is NULL, or the supplied seed length is
-0, the return value will be 1. On error 0 is returned.
-EC_GROUP_cmp returns 0 if the curves are equal, 1 if they are not equal, or -1 on error.
-EC_GROUP_get_basis_type returns the values NID_X9_62_tpBasis or NID_X9_62_ppBasis (as defined in <openssl/obj_mac.h>) for a
-trinomial or pentanomial respectively. Alternatively in the event of an error a 0 is returned.
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EC_GROUP_new.pod b/src/lib/libcrypto/doc/EC_GROUP_new.pod
deleted file mode 100644
index 9ab3566e65..0000000000
--- a/src/lib/libcrypto/doc/EC_GROUP_new.pod
+++ /dev/null
@@ -1,95 +0,0 @@
-=pod
-=head1 NAME
-EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_new_curve_GFp, EC_GROUP_new_curve_GF2m, EC_GROUP_new_by_curve_name, EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m, EC_get_builtin_curves - Functions for creating and destroying B<EC_GROUP> objects.
-=head1 SYNOPSIS
- #include <openssl/ec.h>
- #include <openssl/bn.h>
- EC_GROUP *EC_GROUP_new(const EC_METHOD *meth);
- void EC_GROUP_free(EC_GROUP *group);
- void EC_GROUP_clear_free(EC_GROUP *group);
- EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
- int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
- size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems);
-=head1 DESCRIPTION
-Within the library there are two forms of elliptic curve that are of interest. The first form is those defined over the
-prime field Fp. The elements of Fp are the integers 0 to p-1, where p is a prime number. This gives us a revised
-elliptic curve equation as follows:
-y^2 mod p = x^3 +ax + b mod p
-The second form is those defined over a binary field F2^m where the elements of the field are integers of length at
-most m bits. For this form the elliptic curve equation is modified to:
-y^2 + xy = x^3 + ax^2 + b (where b != 0)
-Operations in a binary field are performed relative to an B<irreducible polynomial>. All such curves with OpenSSL
-use a trinomial or a pentanomial for this parameter.
-A new curve can be constructed by calling EC_GROUP_new, using the implementation provided by B<meth> (see
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>). It is then necessary to call either EC_GROUP_set_curve_GFp or
-EC_GROUP_set_curve_GF2m as appropriate to create a curve defined over Fp or over F2^m respectively. 
-EC_GROUP_set_curve_GFp sets the curve parameters B<p>, B<a> and B<b> for a curve over Fp stored in B<group>.
-EC_group_get_curve_GFp obtains the previously set curve parameters.
-EC_GROUP_set_curve_GF2m sets the equivalent curve parameters for a curve over F2^m. In this case B<p> represents
-the irreducible polynomial - each bit represents a term in the polynomial. Therefore there will either be three
-or five bits set dependent on whether the polynomial is a trinomial or a pentanomial.
-EC_group_get_curve_GF2m obtains the previously set curve parameters.
-The functions EC_GROUP_new_curve_GFp and EC_GROUP_new_curve_GF2m are shortcuts for calling EC_GROUP_new and the
-appropriate EC_group_set_curve function. An appropriate default implementation method will be used.
-Whilst the library can be used to create any curve using the functions described above, there are also a number of
-predefined curves that are available. In order to obtain a list of all of the predefined curves, call the function
-EC_get_builtin_curves. The parameter B<r> should be an array of EC_builtin_curve structures of size B<nitems>. The function
-will populate the B<r> array with information about the builtin curves. If B<nitems> is less than the total number of
-curves available, then the first B<nitems> curves will be returned. Otherwise the total number of curves will be
-provided. The return value is the total number of curves available (whether that number has been populated in B<r> or
-not). Passing a NULL B<r>, or setting B<nitems> to 0 will do nothing other than return the total number of curves available.
-The EC_builtin_curve structure is defined as follows:
- typedef struct { 
-        int nid;
-        const char *comment;
-        } EC_builtin_curve;
-Each EC_builtin_curve item has a unique integer id (B<nid>), and a human readable comment string describing the curve.
-In order to construct a builtin curve use the function EC_GROUP_new_by_curve_name and provide the B<nid> of the curve to
-be constructed.
-EC_GROUP_free frees the memory associated with the EC_GROUP.
-EC_GROUP_clear_free destroys any sensitive data held within the EC_GROUP and then frees its memory.
-=head1 RETURN VALUES
-All EC_GROUP_new* functions return a pointer to the newly constructed group, or NULL on error.
-EC_get_builtin_curves returns the number of builtin curves that are available.
-EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m return 1 on success or 0 on error.
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EC_KEY_new.pod b/src/lib/libcrypto/doc/EC_KEY_new.pod
deleted file mode 100644
index 02d7bac82c..0000000000
--- a/src/lib/libcrypto/doc/EC_KEY_new.pod
+++ /dev/null
@@ -1,115 +0,0 @@
-=pod
-=head1 NAME
-EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags, EC_KEY_new_by_curve_name, EC_KEY_free, EC_KEY_copy, EC_KEY_dup, EC_KEY_up_ref, EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key, EC_KEY_get_enc_flags, EC_KEY_set_enc_flags, EC_KEY_get_conv_form, EC_KEY_set_conv_form, EC_KEY_get_key_method_data, EC_KEY_insert_key_method_data, EC_KEY_set_asn1_flag, EC_KEY_precompute_mult, EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_set_public_key_affine_coordinates - Functions for creating, destroying and manipulating B<EC_KEY> objects.
-=head1 SYNOPSIS
- #include <openssl/ec.h>
- #include <openssl/bn.h>
- EC_KEY *EC_KEY_new(void);
- int EC_KEY_get_flags(const EC_KEY *key);
- void EC_KEY_set_flags(EC_KEY *key, int flags);
- void EC_KEY_clear_flags(EC_KEY *key, int flags);
- EC_KEY *EC_KEY_new_by_curve_name(int nid);
- void EC_KEY_free(EC_KEY *key);
- EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
- EC_KEY *EC_KEY_dup(const EC_KEY *src);
- int EC_KEY_up_ref(EC_KEY *key);
- const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
- int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
- const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
- int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv);
- const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
- int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
- unsigned int EC_KEY_get_enc_flags(const EC_KEY *key);
- void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
- point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
- void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
- void *EC_KEY_get_key_method_data(EC_KEY *key, 
-        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
- void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
-        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
- void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
- int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
- int EC_KEY_generate_key(EC_KEY *key);
- int EC_KEY_check_key(const EC_KEY *key);
- int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
-=head1 DESCRIPTION
-An EC_KEY represents a public key and (optionally) an associated private key. A new EC_KEY (with no associated curve) can be constructed by calling EC_KEY_new.
-The reference count for the newly created EC_KEY is initially set to 1. A curve can be associated with the EC_KEY by calling
-EC_KEY_set_group.
-Alternatively a new EC_KEY can be constructed by calling EC_KEY_new_by_curve_name and supplying the nid of the associated curve. Refer to L<EC_GROUP_new(3)|EC_GROUP_new(3)> for a description of curve names. This function simply wraps calls to EC_KEY_new and 
-EC_GROUP_new_by_curve_name.
-Calling EC_KEY_free decrements the reference count for the EC_KEY object, and if it has dropped to zero then frees the memory associated
-with it.
-EC_KEY_copy copies the contents of the EC_KEY in B<src> into B<dest>.
-EC_KEY_dup creates a new EC_KEY object and copies B<ec_key> into it.
-EC_KEY_up_ref increments the reference count associated with the EC_KEY object.
-EC_KEY_generate_key generates a new public and private key for the supplied B<eckey> object. B<eckey> must have an EC_GROUP object
-associated with it before calling this function. The private key is a random integer (0 < priv_key < order, where order is the order
-of the EC_GROUP object). The public key is an EC_POINT on the curve calculated by multiplying the generator for the curve by the
-private key.
-EC_KEY_check_key performs various sanity checks on the EC_KEY object to confirm that it is valid.
-EC_KEY_set_public_key_affine_coordinates sets the public key for B<key> based on its affine co-ordinates, i.e. it constructs an EC_POINT
-object based on the supplied B<x> and B<y> values and sets the public key to be this EC_POINT. It will also performs certain sanity checks
-on the key to confirm that it is valid.
-The functions EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, and EC_KEY_set_public_key get and set the EC_GROUP object, the private key and the EC_POINT public key for the B<key> respectively.
-The functions EC_KEY_get_enc_flags and EC_KEY_set_enc_flags get and set the value of the encoding flags for the B<key>. There are two encoding
-flags currently defined - EC_PKEY_NO_PARAMETERS and EC_PKEY_NO_PUBKEY.  These flags define the behaviour of how the  B<key> is
-converted into ASN1 in a call to i2d_ECPrivateKey. If EC_PKEY_NO_PARAMETERS is set then the public parameters for the curve are not encoded
-along with the private key. If EC_PKEY_NO_PUBKEY is set then the public key is not encoded along with the private key.
-The functions EC_KEY_get_conv_form and EC_KEY_set_conv_form get and set the point_conversion_form for the B<key>. For a description
-of point_conversion_forms please refer to L<EC_POINT_new(3)|EC_POINT_new(3)>.
-EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the caller to associate arbitrary additional data specific to the
-elliptic curve scheme being used with the EC_KEY object. This data is treated as a "black box" by the ec library. The data to be stored by EC_KEY_insert_key_method_data is provided in the B<data> parameter, which must have associated functions for duplicating, freeing and "clear_freeing" the data item. If a subsequent EC_KEY_get_key_method_data call is issued, the functions for duplicating, freeing and "clear_freeing" the data item must be provided again, and they must be the same as they were when the data item was inserted.
-EC_KEY_set_flags sets the flags in the B<flags> parameter on the EC_KEY object. Any flags that are already set are left set. The currently defined standard flags are EC_FLAG_NON_FIPS_ALLOW and EC_FLAG_FIPS_CHECKED. In addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are set for this EC_KEY. EC_KEY_clear_flags clears the flags indicated by the B<flags> parameter. All other flags are left in their existing state.
-EC_KEY_set_asn1_flag sets the asn1_flag on the underlying EC_GROUP object (if set). Refer to L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for further information on the asn1_flag.
-EC_KEY_precompute_mult stores multiples of the underlying EC_GROUP generator for faster point multiplication. See also L<EC_POINT_add(3)|EC_POINT_add(3)>.
-=head1 RETURN VALUES
-EC_KEY_new, EC_KEY_new_by_curve_name and EC_KEY_dup return a pointer to the newly created EC_KEY object, or NULL on error.
-EC_KEY_get_flags returns the flags associated with the EC_KEY object as an integer.
-EC_KEY_copy returns a pointer to the destination key, or NULL on error.
-EC_KEY_up_ref, EC_KEY_set_group, EC_KEY_set_private_key, EC_KEY_set_public_key, EC_KEY_precompute_mult, EC_KEY_generate_key, EC_KEY_check_key and EC_KEY_set_public_key_affine_coordinates return 1 on success or 0 on error.
-EC_KEY_get0_group returns the EC_GROUP associated with the EC_KEY.
-EC_KEY_get0_private_key returns the private key associated with the EC_KEY.
-EC_KEY_get_enc_flags returns the value of the current encoding flags for the EC_KEY.
-EC_KEY_get_conv_form return the point_conversion_form for the EC_KEY.
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EC_POINT_add.pod b/src/lib/libcrypto/doc/EC_POINT_add.pod
deleted file mode 100644
index ae92640843..0000000000
--- a/src/lib/libcrypto/doc/EC_POINT_add.pod
+++ /dev/null
@@ -1,72 +0,0 @@
-=pod
-=head1 NAME
-EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp, EC_POINT_make_affine, EC_POINTs_make_affine, EC_POINTs_mul, EC_POINT_mul, EC_GROUP_precompute_mult, EC_GROUP_have_precompute_mult - Functions for performing mathematical operations and tests on B<EC_POINT> objects.
-=head1 SYNOPSIS
- #include <openssl/ec.h>
- #include <openssl/bn.h>
- int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
- int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx);
- int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx);
- int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *p);
- int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx);
- int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
- int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
- int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
- int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, size_t num, const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx);
- int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx);
- int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
- int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
-=head1 DESCRIPTION
-EC_POINT_add adds the two points B<a> and B<b> and places the result in B<r>. Similarly EC_POINT_dbl doubles the point B<a> and places the
-result in B<r>. In both cases it is valid for B<r> to be one of B<a> or B<b>.
-EC_POINT_invert calculates the inverse of the supplied point B<a>. The result is placed back in B<a>.
-The function EC_POINT_is_at_infinity tests whether the supplied point is at infinity or not.
-EC_POINT_is_on_curve tests whether the supplied point is on the curve or not.
-EC_POINT_cmp compares the two supplied points and tests whether or not they are equal.
-The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal representation of the EC_POINT(s) into the affine
-co-ordinate system. In the case of EC_POINTs_make_affine the value B<num> provides the number of points in the array B<points> to be
-forced.
-EC_POINT_mul calculates the value generator * B<n> + B<q> * B<m> and stores the result in B<r>. The value B<n> may be NULL in which case the result is just B<q> * B<m>.
-EC_POINTs_mul calculates the value generator * B<n> + B<q[0]> * B<m[0]> + ... + B<q[num-1]> * B<m[num-1]>. As for EC_POINT_mul the value
-B<n> may be NULL.
-The function EC_GROUP_precompute_mult stores multiples of the generator for faster point multiplication, whilst
-EC_GROUP_have_precompute_mult tests whether precomputation has already been done. See L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for information
-about the generator.
-=head1 RETURN VALUES
-The following functions return 1 on success or 0 on error: EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_make_affine,
-EC_POINTs_make_affine, EC_POINTs_make_affine, EC_POINT_mul, EC_POINTs_mul and EC_GROUP_precompute_mult.
-EC_POINT_is_at_infinity returns 1 if the point is at infinity, or 0 otherwise.
-EC_POINT_is_on_curve returns 1 if the point is on the curve, 0 if not, or -1 on error.
-EC_POINT_cmp returns 1 if the points are not equal, 0 if they are, or -1 on error.
-EC_GROUP_have_precompute_mult return 1 if a precomputation has been done, or 0 if not.
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EC_POINT_new.pod b/src/lib/libcrypto/doc/EC_POINT_new.pod
deleted file mode 100644
index b41ca0ed0c..0000000000
--- a/src/lib/libcrypto/doc/EC_POINT_new.pod
+++ /dev/null
@@ -1,123 +0,0 @@
-=pod
-=head1 NAME
-EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy, EC_POINT_dup, EC_POINT_method_of, EC_POINT_set_to_infinity, EC_POINT_set_Jprojective_coordinates, EC_POINT_get_Jprojective_coordinates_GFp, EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp, EC_POINT_set_compressed_coordinates_GFp, EC_POINT_set_affine_coordinates_GF2m, EC_POINT_get_affine_coordinates_GF2m, EC_POINT_set_compressed_coordinates_GF2m, EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex, EC_POINT_hex2point - Functions for creating, destroying and manipulating B<EC_POINT> objects.
-=head1 SYNOPSIS
- #include <openssl/ec.h>
- #include <openssl/bn.h>
- EC_POINT *EC_POINT_new(const EC_GROUP *group);
- void EC_POINT_free(EC_POINT *point);
- void EC_POINT_clear_free(EC_POINT *point);
- int EC_POINT_copy(EC_POINT *dst, const EC_POINT *src);
- EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group);
- const EC_METHOD *EC_POINT_method_of(const EC_POINT *point);
- int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point);
- int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx);
- int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
-        const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx);
- int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
-        const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, int y_bit, BN_CTX *ctx);
- int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
-        const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, int y_bit, BN_CTX *ctx);
- size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p,
-        point_conversion_form_t form,
-        unsigned char *buf, size_t len, BN_CTX *ctx);
- int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *p,
-        const unsigned char *buf, size_t len, BN_CTX *ctx);
- BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
-        point_conversion_form_t form, BIGNUM *, BN_CTX *);
- EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *,
-        EC_POINT *, BN_CTX *);
- char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *,
-        point_conversion_form_t form, BN_CTX *);
- EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *,
-        EC_POINT *, BN_CTX *);
-=head1 DESCRIPTION
-An EC_POINT represents a point on a curve. A new point is constructed by calling the function EC_POINT_new and providing the B<group>
-object that the point relates to.
-EC_POINT_free frees the memory associated with the EC_POINT.
-EC_POINT_clear_free destroys any sensitive data held within the EC_POINT and then frees its memory.
-EC_POINT_copy copies the point B<src> into B<dst>. Both B<src> and B<dst> must use the same EC_METHOD.
-EC_POINT_dup creates a new EC_POINT object and copies the content from B<src> to the newly created
-EC_POINT object.
-EC_POINT_method_of obtains the EC_METHOD associated with B<point>.
-A valid point on a curve is the special point at  infinity. A point is set to be at infinity by calling EC_POINT_set_to_infinity.
-The affine co-ordinates for a point describe a point in terms of its x and y position. The functions
-EC_POINT_set_affine_coordinates_GFp and EC_POINT_set_affine_coordinates_GF2m set the B<x> and B<y> co-ordinates for the point
-B<p> defined over the curve given in B<group>.
-As well as the affine co-ordinates, a point can alternatively be described in terms of its Jacobian
-projective co-ordinates (for Fp curves only). Jacobian projective co-ordinates are expressed as three values x, y and z. Working in
-this co-ordinate system provides more efficient point multiplication operations.
-A mapping exists between Jacobian projective co-ordinates and affine co-ordinates. A Jacobian projective co-ordinate (x, y, z) can be written as an affine co-ordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian projective to affine co-ordinates is simple. The co-ordinate (x, y) is
-mapped to (x, y, 1). To set or get the projective co-ordinates use EC_POINT_set_Jprojective_coordinates_GFp and
-EC_POINT_get_Jprojective_coordinates_GFp respectively.
-Points can also be described in terms of their compressed co-ordinates. For a point (x, y), for any given value for x such that the point is
-on the curve there will only ever be two possible values for y. Therefore a point can be set using the EC_POINT_set_compressed_coordinates_GFp
-and EC_POINT_set_compressed_coordinates_GF2m functions where B<x> is the x co-ordinate and B<y_bit> is a value 0 or 1 to identify which of
-the two possible values for y should be used.
-In addition EC_POINTs can be converted to and from various external representations. Supported representations are octet strings, BIGNUMs and hexadecimal. The format of the external representation is described by the point_conversion_form. See L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for
-a description of point_conversion_form. Octet strings are stored in a buffer along with an associated buffer length. A point held in a BIGNUM is calculated by converting the point to an octet string and then converting that octet string into a BIGNUM integer. Points in hexadecimal format are stored in a NULL terminated character string where each character is one of the printable values 0-9 or A-F (or a-f).
-The functions EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex and EC_POINT_hex2point convert
-from and to EC_POINTs for the formats: octet string, BIGNUM and hexadecimal respectively.
-The function EC_POINT_point2oct must be supplied with a buffer long enough to store the octet string. The return value provides the number of
-octets stored. Calling the function with a NULL buffer will not perform the conversion but will still return the required buffer length.
-The function EC_POINT_point2hex will allocate sufficient memory to store the hexadecimal string. It is the caller's responsibility to free
-this memory with a subsequent call to free().
-=head1 RETURN VALUES
-EC_POINT_new and EC_POINT_dup return the newly allocated EC_POINT or NULL on error.
-The following functions return 1 on success or 0 on error: EC_POINT_copy, EC_POINT_set_to_infinity, EC_POINT_set_Jprojective_coordinates_GFp,
-EC_POINT_get_Jprojective_coordinates_GFp, EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp,
-EC_POINT_set_compressed_coordinates_GFp, EC_POINT_set_affine_coordinates_GF2m, EC_POINT_get_affine_coordinates_GF2m,
-EC_POINT_set_compressed_coordinates_GF2m and EC_POINT_oct2point.
-EC_POINT_method_of returns the EC_METHOD associated with the supplied EC_POINT.
-EC_POINT_point2oct returns the length of the required buffer, or 0 on error.
-EC_POINT_point2bn returns the pointer to the BIGNUM supplied, or NULL on error.
-EC_POINT_bn2point returns the pointer to the EC_POINT supplied, or NULL on error.
-EC_POINT_point2hex returns a pointer to the hex string, or NULL on error.
-EC_POINT_hex2point returns the pointer to the EC_POINT supplied, or NULL on error.
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/ERR.pod b/src/lib/libcrypto/doc/ERR.pod
deleted file mode 100644
index 343a9b84c2..0000000000
--- a/src/lib/libcrypto/doc/ERR.pod
+++ /dev/null
@@ -1,185 +0,0 @@
-=pod
-=head1 NAME
-ERR - error codes
-=head1 SYNOPSIS
- #include <openssl/err.h>
- unsigned long ERR_get_error(void);
- unsigned long ERR_peek_error(void);
- unsigned long ERR_get_error_line(const char **file, int *line);
- unsigned long ERR_peek_error_line(const char **file, int *line);
- unsigned long ERR_get_error_line_data(const char **file, int *line,
-         const char **data, int *flags);
- unsigned long ERR_peek_error_line_data(const char **file, int *line,
-         const char **data, int *flags);
- int ERR_GET_LIB(unsigned long e);
- int ERR_GET_FUNC(unsigned long e);
- int ERR_GET_REASON(unsigned long e);
- void ERR_clear_error(void);
- char *ERR_error_string(unsigned long e, char *buf);
- const char *ERR_lib_error_string(unsigned long e);
- const char *ERR_func_error_string(unsigned long e);
- const char *ERR_reason_error_string(unsigned long e);
- void ERR_print_errors(BIO *bp);
- void ERR_print_errors_fp(FILE *fp);
- void ERR_load_crypto_strings(void);
- void ERR_free_strings(void);
- void ERR_remove_state(unsigned long pid);
- void ERR_put_error(int lib, int func, int reason, const char *file,
-         int line);
- void ERR_add_error_data(int num, ...);
- void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
- unsigned long ERR_PACK(int lib, int func, int reason);
- int ERR_get_next_error_library(void);
-=head1 DESCRIPTION
-When a call to the OpenSSL library fails, this is usually signalled
-by the return value, and an error code is stored in an error queue
-associated with the current thread. The B<err> library provides
-functions to obtain these error codes and textual error messages.
-The L<ERR_get_error(3)|ERR_get_error(3)> manpage describes how to
-access error codes.
-Error codes contain information about where the error occurred, and
-what went wrong. L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> describes how to
-extract this information. A method to obtain human-readable error
-messages is described in L<ERR_error_string(3)|ERR_error_string(3)>.
-L<ERR_clear_error(3)|ERR_clear_error(3)> can be used to clear the
-error queue.
-Note that L<ERR_remove_state(3)|ERR_remove_state(3)> should be used to
-avoid memory leaks when threads are terminated.
-=head1 ADDING NEW ERROR CODES TO OPENSSL
-See L<ERR_put_error(3)> if you want to record error codes in the
-OpenSSL error system from within your application.
-The remainder of this section is of interest only if you want to add
-new error codes to OpenSSL or add error codes from external libraries.
-=head2 Reporting errors
-Each sub-library has a specific macro XXXerr() that is used to report
-errors. Its first argument is a function code B<XXX_F_...>, the second
-argument is a reason code B<XXX_R_...>. Function codes are derived
-from the function names; reason codes consist of textual error
-descriptions. For example, the function ssl23_read() reports a
-"handshake failure" as follows:
- SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE);
-Function and reason codes should consist of upper case characters,
-numbers and underscores only. The error file generation script translates
-function codes into function names by looking in the header files
-for an appropriate function name, if none is found it just uses
-the capitalized form such as "SSL23_READ" in the above example.
-The trailing section of a reason code (after the "_R_") is translated
-into lower case and underscores changed to spaces.
-When you are using new function or reason codes, run B<make errors>.
-The necessary B<#define>s will then automatically be added to the
-sub-library's header file.
-Although a library will normally report errors using its own specific
-XXXerr macro, another library's macro can be used. This is normally
-only done when a library wants to include ASN1 code which must use
-the ASN1err() macro.
-=head2 Adding new libraries
-When adding a new sub-library to OpenSSL, assign it a library number
-B<ERR_LIB_XXX>, define a macro XXXerr() (both in B<err.h>), add its
-name to B<ERR_str_libraries[]> (in B<crypto/err/err.c>), and add
-C<ERR_load_XXX_strings()> to the ERR_load_crypto_strings() function
-(in B<crypto/err/err_all.c>). Finally, add an entry
- L      XXX     xxx.h   xxx_err.c
-to B<crypto/err/openssl.ec>, and add B<xxx_err.c> to the Makefile.
-Running B<make errors> will then generate a file B<xxx_err.c>, and
-add all error codes used in the library to B<xxx.h>.
-Additionally the library include file must have a certain form.
-Typically it will initially look like this:
- #ifndef HEADER_XXX_H
- #define HEADER_XXX_H
- #ifdef __cplusplus
- extern "C" {
- #endif
- /* Include files */
- #include <openssl/bio.h>
- #include <openssl/x509.h>
- /* Macros, structures and function prototypes */
- /* BEGIN ERROR CODES */
-The B<BEGIN ERROR CODES> sequence is used by the error code
-generation script as the point to place new error codes, any text
-after this point will be overwritten when B<make errors> is run.
-The closing #endif etc will be automatically added by the script.
-The generated C error code file B<xxx_err.c> will load the header
-files B<stdio.h>, B<openssl/err.h> and B<openssl/xxx.h> so the
-header file must load any additional header files containing any
-definitions it uses.
-=head1 USING ERROR CODES IN EXTERNAL LIBRARIES
-It is also possible to use OpenSSL's error code scheme in external
-libraries. The library needs to load its own codes and call the OpenSSL
-error code insertion script B<mkerr.pl> explicitly to add codes to
-the header file and generate the C error code file. This will normally
-be done if the external library needs to generate new ASN1 structures
-but it can also be used to add more general purpose error code handling.
-=head1 INTERNALS
-The error queues are stored in a hash table with one B<ERR_STATE>
-entry for each pid. ERR_get_state() returns the current thread's
-B<ERR_STATE>. An B<ERR_STATE> can hold up to B<ERR_NUM_ERRORS> error
-codes. When more error codes are added, the old ones are overwritten,
-on the assumption that the most recent errors are most important.
-Error strings are also stored in hash table. The hash tables can
-be obtained by calling ERR_get_err_state_table(void) and
-ERR_get_string_table(void) respectively.
-=head1 SEE ALSO
-L<CRYPTO_set_id_callback(3)|CRYPTO_set_id_callback(3)>,
-L<CRYPTO_set_locking_callback(3)|CRYPTO_set_locking_callback(3)>,
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>,
-L<ERR_clear_error(3)|ERR_clear_error(3)>,
-L<ERR_error_string(3)|ERR_error_string(3)>,
-L<ERR_print_errors(3)|ERR_print_errors(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<ERR_remove_state(3)|ERR_remove_state(3)>,
-L<ERR_put_error(3)|ERR_put_error(3)>,
-L<ERR_load_strings(3)|ERR_load_strings(3)>,
-L<SSL_get_error(3)|SSL_get_error(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_GET_LIB.pod b/src/lib/libcrypto/doc/ERR_GET_LIB.pod
deleted file mode 100644
index 2a129da036..0000000000
--- a/src/lib/libcrypto/doc/ERR_GET_LIB.pod
+++ /dev/null
@@ -1,51 +0,0 @@
-=pod
-=head1 NAME
-ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON - get library, function and
-reason code
-=head1 SYNOPSIS
- #include <openssl/err.h>
- int ERR_GET_LIB(unsigned long e);
- int ERR_GET_FUNC(unsigned long e);
- int ERR_GET_REASON(unsigned long e);
-=head1 DESCRIPTION
-The error code returned by ERR_get_error() consists of a library
-number, function code and reason code. ERR_GET_LIB(), ERR_GET_FUNC()
-and ERR_GET_REASON() can be used to extract these.
-The library number and function code describe where the error
-occurred, the reason code is the information about what went wrong.
-Each sub-library of OpenSSL has a unique library number; function and
-reason codes are unique within each sub-library.  Note that different
-libraries may use the same value to signal different functions and
-reasons.
-B<ERR_R_...> reason codes such as B<ERR_R_MALLOC_FAILURE> are globally
-unique. However, when checking for sub-library specific reason codes,
-be sure to also compare the library number.
-ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are macros.
-=head1 RETURN VALUES
-The library number, function code and reason code respectively.
-=head1 SEE ALSO
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-=head1 HISTORY
-ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are available in
-all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_clear_error.pod b/src/lib/libcrypto/doc/ERR_clear_error.pod
deleted file mode 100644
index 566e1f4e31..0000000000
--- a/src/lib/libcrypto/doc/ERR_clear_error.pod
+++ /dev/null
@@ -1,29 +0,0 @@
-=pod
-=head1 NAME
-ERR_clear_error - clear the error queue
-=head1 SYNOPSIS
- #include <openssl/err.h>
- void ERR_clear_error(void);
-=head1 DESCRIPTION
-ERR_clear_error() empties the current thread's error queue.
-=head1 RETURN VALUES
-ERR_clear_error() has no return value.
-=head1 SEE ALSO
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-=head1 HISTORY
-ERR_clear_error() is available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_error_string.pod b/src/lib/libcrypto/doc/ERR_error_string.pod
deleted file mode 100644
index cdfa7fe1fe..0000000000
--- a/src/lib/libcrypto/doc/ERR_error_string.pod
+++ /dev/null
@@ -1,73 +0,0 @@
-=pod
-=head1 NAME
-ERR_error_string, ERR_error_string_n, ERR_lib_error_string,
-ERR_func_error_string, ERR_reason_error_string - obtain human-readable
-error message
-=head1 SYNOPSIS
- #include <openssl/err.h>
- char *ERR_error_string(unsigned long e, char *buf);
- void ERR_error_string_n(unsigned long e, char *buf, size_t len);
- const char *ERR_lib_error_string(unsigned long e);
- const char *ERR_func_error_string(unsigned long e);
- const char *ERR_reason_error_string(unsigned long e);
-=head1 DESCRIPTION
-ERR_error_string() generates a human-readable string representing the
-error code I<e>, and places it at I<buf>. I<buf> must be at least 120
-bytes long. If I<buf> is B<NULL>, the error string is placed in a
-static buffer.
-ERR_error_string_n() is a variant of ERR_error_string() that writes
-at most I<len> characters (including the terminating 0)
-and truncates the string if necessary.
-For ERR_error_string_n(), I<buf> may not be B<NULL>.
-The string will have the following format:
- error:[error code]:[library name]:[function name]:[reason string]
-I<error code> is an 8 digit hexadecimal number, I<library name>,
-I<function name> and I<reason string> are ASCII text.
-ERR_lib_error_string(), ERR_func_error_string() and
-ERR_reason_error_string() return the library name, function
-name and reason string respectively.
-The OpenSSL error strings should be loaded by calling
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)> or, for SSL
-applications, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
-first.
-If there is no text string registered for the given error code,
-the error string will contain the numeric code.
-L<ERR_print_errors(3)|ERR_print_errors(3)> can be used to print
-all error codes currently in the queue.
-=head1 RETURN VALUES
-ERR_error_string() returns a pointer to a static buffer containing the
-string if I<buf> B<== NULL>, I<buf> otherwise.
-ERR_lib_error_string(), ERR_func_error_string() and
-ERR_reason_error_string() return the strings, and B<NULL> if
-none is registered for the error code.
-=head1 SEE ALSO
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
-L<ERR_print_errors(3)|ERR_print_errors(3)>
-=head1 HISTORY
-ERR_error_string() is available in all versions of SSLeay and OpenSSL.
-ERR_error_string_n() was added in OpenSSL 0.9.6.
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_get_error.pod b/src/lib/libcrypto/doc/ERR_get_error.pod
deleted file mode 100644
index 460a79f3f6..0000000000
--- a/src/lib/libcrypto/doc/ERR_get_error.pod
+++ /dev/null
@@ -1,79 +0,0 @@
-=pod
-=head1 NAME
-ERR_get_error, ERR_peek_error, ERR_peek_last_error,
-ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line,
-ERR_get_error_line_data, ERR_peek_error_line_data,
-ERR_peek_last_error_line_data - obtain error code and data
-=head1 SYNOPSIS
- #include <openssl/err.h>
- unsigned long ERR_get_error(void);
- unsigned long ERR_peek_error(void);
- unsigned long ERR_peek_last_error(void);
- unsigned long ERR_get_error_line(const char **file, int *line);
- unsigned long ERR_peek_error_line(const char **file, int *line);
- unsigned long ERR_peek_last_error_line(const char **file, int *line);
- unsigned long ERR_get_error_line_data(const char **file, int *line,
-         const char **data, int *flags);
- unsigned long ERR_peek_error_line_data(const char **file, int *line,
-         const char **data, int *flags);
- unsigned long ERR_peek_last_error_line_data(const char **file, int *line,
-         const char **data, int *flags);
-=head1 DESCRIPTION
-ERR_get_error() returns the earliest error code from the thread's error
-queue and removes the entry. This function can be called repeatedly
-until there are no more error codes to return.
-ERR_peek_error() returns the earliest error code from the thread's
-error queue without modifying it.
-ERR_peek_last_error() returns the latest error code from the thread's
-error queue without modifying it.
-See L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> for obtaining information about
-location and reason of the error, and
-L<ERR_error_string(3)|ERR_error_string(3)> for human-readable error
-messages.
-ERR_get_error_line(), ERR_peek_error_line() and
-ERR_peek_last_error_line() are the same as the above, but they
-additionally store the file name and line number where
-the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
-ERR_get_error_line_data(), ERR_peek_error_line_data() and
-ERR_peek_last_error_line_data() store additional data and flags
-associated with the error code in *B<data>
-and *B<flags>, unless these are B<NULL>. *B<data> contains a string
-if *B<flags>&B<ERR_TXT_STRING> is true.
-An application B<MUST NOT> free the *B<data> pointer (or any other pointers
-returned by these functions) with free() as freeing is handled
-automatically by the error library.
-=head1 RETURN VALUES
-The error code, or 0 if there is no error in the queue.
-=head1 SEE ALSO
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
-L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>
-=head1 HISTORY
-ERR_get_error(), ERR_peek_error(), ERR_get_error_line() and
-ERR_peek_error_line() are available in all versions of SSLeay and
-OpenSSL. ERR_get_error_line_data() and ERR_peek_error_line_data()
-were added in SSLeay 0.9.0.
-ERR_peek_last_error(), ERR_peek_last_error_line() and
-ERR_peek_last_error_line_data() were added in OpenSSL 0.9.7.
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_load_crypto_strings.pod b/src/lib/libcrypto/doc/ERR_load_crypto_strings.pod
deleted file mode 100644
index 9bdec75a46..0000000000
--- a/src/lib/libcrypto/doc/ERR_load_crypto_strings.pod
+++ /dev/null
@@ -1,46 +0,0 @@
-=pod
-=head1 NAME
-ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings -
-load and free error strings
-=head1 SYNOPSIS
- #include <openssl/err.h>
- void ERR_load_crypto_strings(void);
- void ERR_free_strings(void);
- #include <openssl/ssl.h>
- void SSL_load_error_strings(void);
-=head1 DESCRIPTION
-ERR_load_crypto_strings() registers the error strings for all
-B<libcrypto> functions. SSL_load_error_strings() does the same,
-but also registers the B<libssl> error strings.
-One of these functions should be called before generating
-textual error messages. However, this is not required when memory
-usage is an issue.
-ERR_free_strings() frees all previously loaded error strings.
-=head1 RETURN VALUES
-ERR_load_crypto_strings(), SSL_load_error_strings() and
-ERR_free_strings() return no values.
-=head1 SEE ALSO
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>
-=head1 HISTORY
-ERR_load_error_strings(), SSL_load_error_strings() and
-ERR_free_strings() are available in all versions of SSLeay and
-OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_load_strings.pod b/src/lib/libcrypto/doc/ERR_load_strings.pod
deleted file mode 100644
index e9c5cf0fc5..0000000000
--- a/src/lib/libcrypto/doc/ERR_load_strings.pod
+++ /dev/null
@@ -1,54 +0,0 @@
-=pod
-=head1 NAME
-ERR_load_strings, ERR_PACK, ERR_get_next_error_library - load
-arbitrary error strings
-=head1 SYNOPSIS
- #include <openssl/err.h>
- void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
- int ERR_get_next_error_library(void);
- unsigned long ERR_PACK(int lib, int func, int reason);
-=head1 DESCRIPTION
-ERR_load_strings() registers error strings for library number B<lib>.
-B<str> is an array of error string data:
- typedef struct ERR_string_data_st
- {
-        unsigned long error;
-        char *string;
- } ERR_STRING_DATA;
-The error code is generated from the library number and a function and
-reason code: B<error> = ERR_PACK(B<lib>, B<func>, B<reason>).
-ERR_PACK() is a macro.
-The last entry in the array is {0,0}.
-ERR_get_next_error_library() can be used to assign library numbers
-to user libraries at runtime.
-=head1 RETURN VALUE
-ERR_PACK() return the error code.
-ERR_get_next_error_library() returns a new library number.
-=head1 SEE ALSO
-L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
-=head1 HISTORY
-ERR_load_error_strings() and ERR_PACK() are available in all versions
-of SSLeay and OpenSSL. ERR_get_next_error_library() was added in
-SSLeay 0.9.0.
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_print_errors.pod b/src/lib/libcrypto/doc/ERR_print_errors.pod
deleted file mode 100644
index b100a5fa2b..0000000000
--- a/src/lib/libcrypto/doc/ERR_print_errors.pod
+++ /dev/null
@@ -1,51 +0,0 @@
-=pod
-=head1 NAME
-ERR_print_errors, ERR_print_errors_fp - print error messages
-=head1 SYNOPSIS
- #include <openssl/err.h>
- void ERR_print_errors(BIO *bp);
- void ERR_print_errors_fp(FILE *fp);
-=head1 DESCRIPTION
-ERR_print_errors() is a convenience function that prints the error
-strings for all errors that OpenSSL has recorded to B<bp>, thus
-emptying the error queue.
-ERR_print_errors_fp() is the same, except that the output goes to a
-B<FILE>.
-The error strings will have the following format:
- [pid]:error:[error code]:[library name]:[function name]:[reason string]:[file name]:[line]:[optional text message]
-I<error code> is an 8 digit hexadecimal number. I<library name>,
-I<function name> and I<reason string> are ASCII text, as is I<optional
-text message> if one was set for the respective error code.
-If there is no text string registered for the given error code,
-the error string will contain the numeric code.
-=head1 RETURN VALUES
-ERR_print_errors() and ERR_print_errors_fp() return no values.
-=head1 SEE ALSO
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
-=head1 HISTORY
-ERR_print_errors() and ERR_print_errors_fp()
-are available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_put_error.pod b/src/lib/libcrypto/doc/ERR_put_error.pod
deleted file mode 100644
index acd241fbe4..0000000000
--- a/src/lib/libcrypto/doc/ERR_put_error.pod
+++ /dev/null
@@ -1,44 +0,0 @@
-=pod
-=head1 NAME
-ERR_put_error, ERR_add_error_data - record an error
-=head1 SYNOPSIS
- #include <openssl/err.h>
- void ERR_put_error(int lib, int func, int reason, const char *file,
-         int line);
- void ERR_add_error_data(int num, ...);
-=head1 DESCRIPTION
-ERR_put_error() adds an error code to the thread's error queue. It
-signals that the error of reason code B<reason> occurred in function
-B<func> of library B<lib>, in line number B<line> of B<file>.
-This function is usually called by a macro.
-ERR_add_error_data() associates the concatenation of its B<num> string
-arguments with the error code added last.
-L<ERR_load_strings(3)|ERR_load_strings(3)> can be used to register
-error strings so that the application can a generate human-readable
-error messages for the error code.
-=head1 RETURN VALUES
-ERR_put_error() and ERR_add_error_data() return
-no values.
-=head1 SEE ALSO
-L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
-=head1 HISTORY
-ERR_put_error() is available in all versions of SSLeay and OpenSSL.
-ERR_add_error_data() was added in SSLeay 0.9.0.
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_remove_state.pod b/src/lib/libcrypto/doc/ERR_remove_state.pod
deleted file mode 100644
index a4d38c17fd..0000000000
--- a/src/lib/libcrypto/doc/ERR_remove_state.pod
+++ /dev/null
@@ -1,45 +0,0 @@
-=pod
-=head1 NAME
-ERR_remove_thread_state, ERR_remove_state - free a thread's error queue
-=head1 SYNOPSIS
- #include <openssl/err.h>
- void ERR_remove_thread_state(const CRYPTO_THREADID *tid);
-Deprecated:
- void ERR_remove_state(unsigned long pid);
-=head1 DESCRIPTION
-ERR_remove_thread_state() frees the error queue associated with thread B<tid>.
-If B<tid> == B<NULL>, the current thread will have its error queue removed.
-Since error queue data structures are allocated automatically for new
-threads, they must be freed when threads are terminated in order to
-avoid memory leaks.
-ERR_remove_state is deprecated and has been replaced by
-ERR_remove_thread_state. Since threads in OpenSSL are no longer identified
-by unsigned long values any argument to this function is ignored. Calling
-ERR_remove_state is equivalent to B<ERR_remove_thread_state(NULL)>.
-=head1 RETURN VALUE
-ERR_remove_thread_state and ERR_remove_state() return no value.
-=head1 SEE ALSO
-L<err(3)|err(3)>
-=head1 HISTORY
-ERR_remove_state() is available in all versions of SSLeay and OpenSSL. It
-was deprecated in OpenSSL 1.0.0 when ERR_remove_thread_state was introduced
-and thread IDs were introduced to identify threads instead of 'unsigned long'. 
-=cut
diff --git a/src/lib/libcrypto/doc/ERR_set_mark.pod b/src/lib/libcrypto/doc/ERR_set_mark.pod
deleted file mode 100644
index d3ca4f2e77..0000000000
--- a/src/lib/libcrypto/doc/ERR_set_mark.pod
+++ /dev/null
@@ -1,38 +0,0 @@
-=pod
-=head1 NAME
-ERR_set_mark, ERR_pop_to_mark - set marks and pop errors until mark
-=head1 SYNOPSIS
- #include <openssl/err.h>
- int ERR_set_mark(void);
- int ERR_pop_to_mark(void);
-=head1 DESCRIPTION
-ERR_set_mark() sets a mark on the current topmost error record if there
-is one.
-ERR_pop_to_mark() will pop the top of the error stack until a mark is found.
-The mark is then removed.  If there is no mark, the whole stack is removed.
-=head1 RETURN VALUES
-ERR_set_mark() returns 0 if the error stack is empty, otherwise 1.
-ERR_pop_to_mark() returns 0 if there was no mark in the error stack, which
-implies that the stack became empty, otherwise 1.
-=head1 SEE ALSO
-L<err(3)|err(3)>
-=head1 HISTORY
-ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_BytesToKey.pod b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
deleted file mode 100644
index 2dffaa1efa..0000000000
--- a/src/lib/libcrypto/doc/EVP_BytesToKey.pod
+++ /dev/null
@@ -1,68 +0,0 @@
-=pod
-=head1 NAME
-EVP_BytesToKey - password based encryption routine
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
-                       const unsigned char *salt,
-                       const unsigned char *data, int datal, int count,
-                       unsigned char *key,unsigned char *iv);
-=head1 DESCRIPTION
-EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
-the cipher to derive the key and IV for. B<md> is the message digest to use.
-The B<salt> parameter is used as a salt in the derivation: it should point to
-an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
-B<datal> bytes which is used to derive the keying data. B<count> is the
-iteration count to use. The derived key and IV will be written to B<key>
-and B<iv> respectively.
-=head1 NOTES
-A typical application of this function is to derive keying material for an
-encryption algorithm from a password in the B<data> parameter.
-Increasing the B<count> parameter slows down the algorithm which makes it
-harder for an attacker to perform a brute force attack using a large number
-of candidate passwords.
-If the total key and IV length is less than the digest length and
-B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5
-otherwise a non standard extension is used to derive the extra data.
-Newer applications should use more standard algorithms such as PBKDF2 as
-defined in PKCS#5v2.1 for key derivation.
-=head1 KEY DERIVATION ALGORITHM
-The key and IV is derived by concatenating D_1, D_2, etc until
-enough data is available for the key and IV. D_i is defined as:
-        D_i = HASH^count(D_(i-1) || data || salt)
-where || denotes concatenation, D_0 is empty, HASH is the digest
-algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
-is HASH(HASH(data)) and so on.
-The initial bytes are used for the key and the subsequent bytes for
-the IV.
-=head1 RETURN VALUES
-EVP_BytesToKey() returns the size of the derived key in bytes.
-=head1 SEE ALSO
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<PKCS5_PBKDF2_HMAC(3)|PKCS5_PBKDF2_HMAC(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
-=head1 HISTORY
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod
deleted file mode 100644
index c83dcc736f..0000000000
--- a/src/lib/libcrypto/doc/EVP_DigestInit.pod
+++ /dev/null
@@ -1,277 +0,0 @@
-=pod
-=head1 NAME
-EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
-EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
-EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type,
-EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size,
-EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5,
-EVP_sha1, EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1,
-EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid,
-EVP_get_digestbyobj, EVP_DigestInit, EVP_DigestFinal - EVP digest routines
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
- EVP_MD_CTX *EVP_MD_CTX_create(void);
- int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
- int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md,
-        unsigned int *s);
- int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
- void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
- int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);
- int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
- int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
-        unsigned int *s);
- int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);
- #define EVP_MAX_MD_SIZE 64     /* SHA512 */
- int EVP_MD_type(const EVP_MD *md);
- int EVP_MD_pkey_type(const EVP_MD *md);
- int EVP_MD_size(const EVP_MD *md);
- int EVP_MD_block_size(const EVP_MD *md);
- const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
- #define EVP_MD_CTX_size(e)             EVP_MD_size(EVP_MD_CTX_md(e))
- #define EVP_MD_CTX_block_size(e)       EVP_MD_block_size((e)->digest)
- #define EVP_MD_CTX_type(e)             EVP_MD_type((e)->digest)
- const EVP_MD *EVP_md_null(void);
- const EVP_MD *EVP_md2(void);
- const EVP_MD *EVP_md5(void);
- const EVP_MD *EVP_sha1(void);
- const EVP_MD *EVP_dss(void);
- const EVP_MD *EVP_dss1(void);
- const EVP_MD *EVP_ripemd160(void);
- const EVP_MD *EVP_sha224(void);
- const EVP_MD *EVP_sha256(void);
- const EVP_MD *EVP_sha384(void);
- const EVP_MD *EVP_sha512(void);
- const EVP_MD *EVP_get_digestbyname(const char *name);
- #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
- #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
-=head1 DESCRIPTION
-The EVP digest routines are a high level interface to message digests.
-EVP_MD_CTX_init() initializes digest context B<ctx>.
-EVP_MD_CTX_create() allocates, initializes and returns a digest context.
-EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
-B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
-function. B<type> will typically be supplied by a function such as EVP_sha1().
-If B<impl> is NULL then the default implementation of digest B<type> is used.
-EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-digest context B<ctx>. This function can be called several times on the
-same B<ctx> to hash additional data.
-EVP_DigestFinal_ex() retrieves the digest value from B<ctx> and places
-it in B<md>. If the B<s> parameter is not NULL then the number of
-bytes of data written (i.e. the length of the digest) will be written
-to the integer at B<s>, at most B<EVP_MAX_MD_SIZE> bytes will be written.
-After calling EVP_DigestFinal_ex() no additional calls to EVP_DigestUpdate()
-can be made, but EVP_DigestInit_ex() can be called to initialize a new
-digest operation.
-EVP_MD_CTX_cleanup() cleans up digest context B<ctx>, it should be called
-after a digest context is no longer needed.
-EVP_MD_CTX_destroy() cleans up digest context B<ctx> and frees up the
-space allocated to it, it should be called only on a context created
-using EVP_MD_CTX_create().
-EVP_MD_CTX_copy_ex() can be used to copy the message digest state from
-B<in> to B<out>. This is useful if large amounts of data are to be
-hashed which only differ in the last few bytes. B<out> must be initialized
-before calling this function.
-EVP_DigestInit() behaves in the same way as EVP_DigestInit_ex() except
-the passed context B<ctx> does not have to be initialized, and it always
-uses the default digest implementation.
-EVP_DigestFinal() is similar to EVP_DigestFinal_ex() except the digest
-context B<ctx> is automatically cleaned up.
-EVP_MD_CTX_copy() is similar to EVP_MD_CTX_copy_ex() except the destination
-B<out> does not have to be initialized.
-EVP_MD_size() and EVP_MD_CTX_size() return the size of the message digest
-when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure, i.e. the size of the
-hash.
-EVP_MD_block_size() and EVP_MD_CTX_block_size() return the block size of the
-message digest when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure.
-EVP_MD_type() and EVP_MD_CTX_type() return the NID of the OBJECT IDENTIFIER
-representing the given message digest when passed an B<EVP_MD> structure.
-For example EVP_MD_type(EVP_sha1()) returns B<NID_sha1>. This function is
-normally used when setting ASN1 OIDs.
-EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed
-B<EVP_MD_CTX>.
-EVP_MD_pkey_type() returns the NID of the public key signing algorithm
-associated with this digest. For example EVP_sha1() is associated with RSA so
-this will return B<NID_sha1WithRSAEncryption>. Since digests and signature
-algorithms are no longer linked this function is only retained for
-compatibility reasons.
-EVP_md2(), EVP_md5(), EVP_sha1(), EVP_sha224(), EVP_sha256(), EVP_sha384(),
-EVP_sha512() and EVP_ripemd160() return B<EVP_MD> structures for the MD2, MD5,
-SHA1, SHA224, SHA256, SHA384, SHA512 and RIPEMD160 digest algorithms
-respectively.
-EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA1 digest
-algorithms but using DSS (DSA) for the signature algorithm. Note: there is
-no need to use these pseudo-digests in OpenSSL 1.0.0 and later, they are
-however retained for compatibility.
-EVP_md_null() is a "null" message digest that does nothing: i.e. the hash it
-returns is of zero length.
-EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
-return an B<EVP_MD> structure when passed a digest name, a digest NID or
-an ASN1_OBJECT structure respectively. The digest table must be initialized
-using, for example, OpenSSL_add_all_digests() for these functions to work.
-=head1 RETURN VALUES
-EVP_DigestInit_ex(), EVP_DigestUpdate() and EVP_DigestFinal_ex() return 1 for
-success and 0 for failure.
-EVP_MD_CTX_copy_ex() returns 1 if successful or 0 for failure.
-EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
-corresponding OBJECT IDENTIFIER or NID_undef if none exists.
-EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
-EVP_MD_CTX_block_size() return the digest or block size in bytes.
-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(), EVP_dss(),
-EVP_dss1() and EVP_ripemd160() return pointers to the
-corresponding EVP_MD structures.
-EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
-return either an B<EVP_MD> structure or NULL if an error occurs.
-=head1 NOTES
-The B<EVP> interface to message digests should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the digest used and much more flexible.
-New applications should use the SHA2 digest algorithms such as SHA256.
-The other digest algorithms are still in common use.
-For most applications the B<impl> parameter to EVP_DigestInit_ex() will be
-set to NULL to use the default digest implementation.
-The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are
-obsolete but are retained to maintain compatibility with existing code. New
-applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and
-EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context
-instead of initializing and cleaning it up on each call and allow non default
-implementations of digests to be specified.
-In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use
-memory leaks will occur.
-Stack allocation of EVP_MD_CTX structures is common, for example:
- EVP_MD_CTX mctx;
- EVP_MD_CTX_init(&mctx);
-This will cause binary compatibility issues if the size of EVP_MD_CTX
-structure changes (this will only happen with a major release of OpenSSL).
-Applications wishing to avoid this should use EVP_MD_CTX_create() instead:
- EVP_MD_CTX *mctx;
- mctx = EVP_MD_CTX_create();
-=head1 EXAMPLE
-This example digests the data "Test Message\n" and "Hello World\n", using the
-digest name passed on the command line.
- #include <stdio.h>
- #include <openssl/evp.h>
- int
- main(int argc, char *argv[])
- {
-        EVP_MD_CTX *mdctx;
-        const EVP_MD *md;
-        const char mess1[] = "Test Message\n";
-        const char mess2[] = "Hello World\n";
-        unsigned char md_value[EVP_MAX_MD_SIZE];
-        int md_len, i;
-        OpenSSL_add_all_digests();
-        if (argc <= 1) {
-                printf("Usage: mdtest digestname\n");
-                exit(1);
-        }
-        md = EVP_get_digestbyname(argv[1]);
-        if (md == NULL) {
-                printf("Unknown message digest %s\n", argv[1]);
-                exit(1);
-        }
-        mdctx = EVP_MD_CTX_create();
-        EVP_DigestInit_ex(mdctx, md, NULL);
-        EVP_DigestUpdate(mdctx, mess1, strlen(mess1));
-        EVP_DigestUpdate(mdctx, mess2, strlen(mess2));
-        EVP_DigestFinal_ex(mdctx, md_value, &md_len);
-        EVP_MD_CTX_destroy(mdctx);
-        printf("Digest is: ");
-        for(i = 0; i < md_len; i++)
-                printf("%02x", md_value[i]);
-        printf("\n");
- }
-=head1 SEE ALSO
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-=head1 HISTORY
-EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are
-available in all versions of SSLeay and OpenSSL.
-EVP_MD_CTX_init(), EVP_MD_CTX_create(), EVP_MD_CTX_copy_ex(),
-EVP_MD_CTX_cleanup(), EVP_MD_CTX_destroy(), EVP_DigestInit_ex()
-and EVP_DigestFinal_ex() were added in OpenSSL 0.9.7.
-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(),
-EVP_dss(), EVP_dss1() and EVP_ripemd160() were
-changed to return truely const EVP_MD * in OpenSSL 0.9.7.
-The link between digests and signing algorithms was fixed in OpenSSL 1.0 and
-later, so now EVP_sha1() can be used with RSA and DSA, there is no need to
-use EVP_dss1() any more.
-OpenSSL 1.0 and later does not include the MD2 digest algorithm in the
-default configuration due to its security weaknesses.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_DigestSignInit.pod b/src/lib/libcrypto/doc/EVP_DigestSignInit.pod
deleted file mode 100644
index 00205d2ae9..0000000000
--- a/src/lib/libcrypto/doc/EVP_DigestSignInit.pod
+++ /dev/null
@@ -1,85 +0,0 @@
-=pod
-=head1 NAME
-EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal - EVP signing
-functions
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
-                        const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
- int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
- int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);
-=head1 DESCRIPTION
-The EVP signature routines are a high level interface to digital signatures.
-EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from
-ENGINE B<impl> and private key B<pkey>. B<ctx> must be initialized with
-EVP_MD_CTX_init() before calling this function. If B<pctx> is not NULL the
-EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can
-be used to set alternative signing options.
-EVP_DigestSignUpdate() hashes B<cnt> bytes of data at B<d> into the
-signature context B<ctx>. This function can be called several times on the
-same B<ctx> to include additional data. This function is currently implemented
-using a macro.
-EVP_DigestSignFinal() signs the data in B<ctx> places the signature in B<sig>.
-If B<sig> is B<NULL> then the maximum size of the output buffer is written to
-the B<siglen> parameter. If B<sig> is not B<NULL> then before the call the
-B<siglen> parameter should contain the length of the B<sig> buffer, if the
-call is successful the signature is written to B<sig> and the amount of data
-written to B<siglen>.
-=head1 RETURN VALUES
-EVP_DigestSignInit() EVP_DigestSignUpdate() and EVP_DigestSignaFinal() return
-1 for success and 0 or a negative value for failure. In particular a return
-value of -2 indicates the operation is not supported by the public key
-algorithm.
-The error codes can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 NOTES
-The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the algorithm used and much more flexible.
-In previous versions of OpenSSL there was a link between message digest types
-and public key algorithms. This meant that "clone" digests such as EVP_dss1()
-needed to be used to sign using SHA1 and DSA. This is no longer necessary and
-the use of clone digest is now discouraged.
-The call to EVP_DigestSignFinal() internally finalizes a copy of the digest
-context. This means that calls to EVP_DigestSignUpdate() and
-EVP_DigestSignFinal() can be called later to digest and sign additional data.
-Since only a copy of the digest context is ever finalized the context must
-be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
-will occur.
-The use of EVP_PKEY_size() with these functions is discouraged because some
-signature operations may have a signature length which depends on the
-parameters set. As a result EVP_PKEY_size() would have to return a value
-which indicates the maximum possible signature for any set of parameters.
-=head1 SEE ALSO
-L<EVP_DigestVerifyInit(3)|EVP_DigestVerifyInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-=head1 HISTORY
-EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal()
-were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_DigestVerifyInit.pod b/src/lib/libcrypto/doc/EVP_DigestVerifyInit.pod
deleted file mode 100644
index 5dcfec1837..0000000000
--- a/src/lib/libcrypto/doc/EVP_DigestVerifyInit.pod
+++ /dev/null
@@ -1,80 +0,0 @@
-=pod
-=head1 NAME
-EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal - EVP
-signature verification functions
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
-                        const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
- int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
- int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t siglen);
-=head1 DESCRIPTION
-The EVP signature routines are a high level interface to digital signatures.
-EVP_DigestVerifyInit() sets up verification context B<ctx> to use digest
-B<type> from ENGINE B<impl> and public key B<pkey>. B<ctx> must be initialized
-with EVP_MD_CTX_init() before calling this function. If B<pctx> is not NULL the
-EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this
-can be used to set alternative verification options.
-EVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
-verification context B<ctx>. This function can be called several times on the
-same B<ctx> to include additional data. This function is currently implemented
-using a macro.
-EVP_DigestVerifyFinal() verifies the data in B<ctx> against the signature in
-B<sig> of length B<siglen>.
-=head1 RETURN VALUES
-EVP_DigestVerifyInit() and EVP_DigestVerifyUpdate() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2 indicates
-the operation is not supported by the public key algorithm.
-Unlike other functions the return value 0 from EVP_DigestVerifyFinal() only
-indicates that the signature did not verify successfully (that is tbs did
-not match the original data or the signature was of invalid form) it is not an
-indication of a more serious error.
-The error codes can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 NOTES
-The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the algorithm used and much more flexible.
-In previous versions of OpenSSL there was a link between message digest types
-and public key algorithms. This meant that "clone" digests such as EVP_dss1()
-needed to be used to sign using SHA1 and DSA. This is no longer necessary and
-the use of clone digest is now discouraged.
-The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest
-context. This means that calls to EVP_VerifyUpdate() and EVP_VerifyFinal() can
-be called later to digest and verify additional data.
-Since only a copy of the digest context is ever finalized the context must
-be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
-will occur.
-=head1 SEE ALSO
-L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-=head1 HISTORY
-EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal()
-were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
deleted file mode 100644
index 02d02ba5f5..0000000000
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ /dev/null
@@ -1,548 +0,0 @@
-=pod
-=head1 NAME
-EVP_CIPHER_CTX_init, EVP_EncryptInit_ex, EVP_EncryptUpdate,
-EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate,
-EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate,
-EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length,
-EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX_cleanup, EVP_EncryptInit,
-EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal,
-EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname,
-EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid,
-EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length,
-EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher,
-EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length,
-EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data,
-EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags,
-EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param,
-EVP_CIPHER_CTX_set_padding,  EVP_enc_null, EVP_des_cbc, EVP_des_ecb,
-EVP_des_cfb, EVP_des_ofb, EVP_des_ede_cbc, EVP_des_ede, EVP_des_ede_ofb,
-EVP_des_ede_cfb, EVP_des_ede3_cbc, EVP_des_ede3, EVP_des_ede3_ofb,
-EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_idea_cbc,
-EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_idea_cbc, EVP_rc2_cbc,
-EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc,
-EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc,
-EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, 
-EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ccm,
-EVP_aes_192_ccm, EVP_aes_256_ccm, EVP_rc5_32_12_16_cbc,
-EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_ofb
- EVP cipher routines
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
- int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
-         ENGINE *impl, unsigned char *key, unsigned char *iv);
- int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl, unsigned char *in, int inl);
- int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl);
- int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
-         ENGINE *impl, unsigned char *key, unsigned char *iv);
- int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl, unsigned char *in, int inl);
- int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
-         int *outl);
- int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
-         ENGINE *impl, unsigned char *key, unsigned char *iv, int enc);
- int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl, unsigned char *in, int inl);
- int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
-         int *outl);
- int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
-         unsigned char *key, unsigned char *iv);
- int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl);
- int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
-         unsigned char *key, unsigned char *iv);
- int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
-         int *outl);
- int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
-         unsigned char *key, unsigned char *iv, int enc);
- int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
-         int *outl);
- int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
- int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
- int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
- int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
- const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
- #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
- #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
- #define EVP_CIPHER_nid(e)              ((e)->nid)
- #define EVP_CIPHER_block_size(e)       ((e)->block_size)
- #define EVP_CIPHER_key_length(e)       ((e)->key_len)
- #define EVP_CIPHER_iv_length(e)                ((e)->iv_len)
- #define EVP_CIPHER_flags(e)            ((e)->flags)
- #define EVP_CIPHER_mode(e)             ((e)->flags) & EVP_CIPH_MODE)
- int EVP_CIPHER_type(const EVP_CIPHER *ctx);
- #define EVP_CIPHER_CTX_cipher(e)       ((e)->cipher)
- #define EVP_CIPHER_CTX_nid(e)          ((e)->cipher->nid)
- #define EVP_CIPHER_CTX_block_size(e)   ((e)->cipher->block_size)
- #define EVP_CIPHER_CTX_key_length(e)   ((e)->key_len)
- #define EVP_CIPHER_CTX_iv_length(e)    ((e)->cipher->iv_len)
- #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
- #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
- #define EVP_CIPHER_CTX_type(c)         EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
- #define EVP_CIPHER_CTX_flags(e)                ((e)->cipher->flags)
- #define EVP_CIPHER_CTX_mode(e)         ((e)->cipher->flags & EVP_CIPH_MODE)
- int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
- int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
-=head1 DESCRIPTION
-The EVP cipher routines are a high level interface to certain
-symmetric ciphers.
-EVP_CIPHER_CTX_init() initializes cipher context B<ctx>.
-EVP_EncryptInit_ex() sets up cipher context B<ctx> for encryption
-with cipher B<type> from ENGINE B<impl>. B<ctx> must be initialized
-before calling this function. B<type> is normally supplied
-by a function such as EVP_aes_256_cbc(). If B<impl> is NULL then the
-default implementation is used. B<key> is the symmetric key to use
-and B<iv> is the IV to use (if necessary), the actual number of bytes
-used for the key and IV depends on the cipher. It is possible to set
-all parameters to NULL except B<type> in an initial call and supply
-the remaining parameters in subsequent calls, all of which have B<type>
-set to NULL. This is done when the default cipher parameters are not
-appropriate.
-EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
-writes the encrypted version to B<out>. This function can be called
-multiple times to encrypt successive blocks of data. The amount
-of data written depends on the block alignment of the encrypted data:
-as a result the amount of data written may be anything from zero bytes
-to (inl + cipher_block_size - 1) so B<outl> should contain sufficient
-room. The actual number of bytes written is placed in B<outl>.
-If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
-the "final" data, that is any data that remains in a partial block.
-It uses L<standard block padding|/NOTES> (aka PKCS padding). The encrypted
-final data is written to B<out> which should have sufficient space for
-one cipher block. The number of bytes written is placed in B<outl>. After
-this function is called the encryption operation is finished and no further
-calls to EVP_EncryptUpdate() should be made.
-If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
-data and it will return an error if any data remains in a partial block:
-that is if the total data length is not a multiple of the block size.
-EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the
-corresponding decryption operations. EVP_DecryptFinal() will return an
-error code if padding is enabled and the final block is not correctly
-formatted. The parameters and restrictions are identical to the encryption
-operations except that if padding is enabled the decrypted data buffer B<out>
-passed to EVP_DecryptUpdate() should have sufficient room for
-(B<inl> + cipher_block_size) bytes unless the cipher block size is 1 in
-which case B<inl> bytes is sufficient.
-EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex() are
-functions that can be used for decryption or encryption. The operation
-performed depends on the value of the B<enc> parameter. It should be set
-to 1 for encryption, 0 for decryption and -1 to leave the value unchanged
-(the actual value of 'enc' being supplied in a previous call).
-EVP_CIPHER_CTX_cleanup() clears all information from a cipher context
-and free up any allocated memory associate with it. It should be called
-after all operations using a cipher are complete so sensitive information
-does not remain in memory.
-EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
-similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
-EVP_CipherInit_ex() except the B<ctx> parameter does not need to be
-initialized and they always use the default cipher implementation.
-EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() are
-identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
-EVP_CipherFinal_ex(). In previous releases they also used to clean up
-the B<ctx>, but this is no longer done and EVP_CIPHER_CTX_clean()
-must be called to free any context resources.
-EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
-return an EVP_CIPHER structure when passed a cipher name, a NID or an
-ASN1_OBJECT structure.
-EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when
-passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure.  The actual NID
-value is an internal value which may not have a corresponding OBJECT
-IDENTIFIER.
-EVP_CIPHER_CTX_set_padding() enables or disables padding. By default
-encryption operations are padded using standard block padding and the
-padding is checked and removed when decrypting. If the B<pad> parameter
-is zero then no padding is performed, the total amount of data encrypted
-or decrypted must then be a multiple of the block size or an error will
-occur.
-EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
-length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
-structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length
-for all ciphers. Note: although EVP_CIPHER_key_length() is fixed for a
-given cipher, the value of EVP_CIPHER_CTX_key_length() may be different
-for variable key length ciphers.
-EVP_CIPHER_CTX_set_key_length() sets the key length of the cipher ctx.
-If the cipher is a fixed length cipher then attempting to set the key
-length to any value other than the fixed value is an error.
-EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
-length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>.
-It will return zero if the cipher does not use an IV.  The constant
-B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
-EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
-size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
-structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block
-length for all ciphers.
-EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed
-cipher or context. This "type" is the actual NID of the cipher OBJECT
-IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and
-128 bit RC2 have the same NID. If the cipher does not have an object
-identifier or does not have ASN1 support this function will return
-B<NID_undef>.
-EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed
-an B<EVP_CIPHER_CTX> structure.
-EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode:
-EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE or
-EVP_CIPH_OFB_MODE. If the cipher is a stream cipher then
-EVP_CIPH_STREAM_CIPHER is returned.
-EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based
-on the passed cipher. This will typically include any parameters and an
-IV. The cipher IV (if any) must be set when this call is made. This call
-should be made before the cipher is actually "used" (before any
-EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function
-may fail if the cipher does not have any ASN1 support.
-EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1
-AlgorithmIdentifier "parameter". The precise effect depends on the cipher
-In the case of RC2, for example, it will set the IV and effective key length.
-This function should be called after the base cipher type is set but before
-the key is set. For example EVP_CipherInit() will be called with the IV and
-key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
-EVP_CipherInit() again with all parameters except the key set to NULL. It is
-possible for this function to fail if the cipher does not have any ASN1 support
-or the parameters cannot be set (for example the RC2 effective key length
-is not supported.
-EVP_CIPHER_CTX_ctrl() allows various cipher specific parameters to be determined
-and set. Currently only the RC2 effective key length and the number of rounds of
-RC5 can be set.
-=head1 RETURN VALUES
-EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
-return 1 for success and 0 for failure.
-EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for
-failure.  EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for
-success.
-EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for
-failure.  EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for
-success.
-EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure.
-EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
-return an B<EVP_CIPHER> structure or NULL on error.
-EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
-EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
-size.
-EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
-length.
-EVP_CIPHER_CTX_set_padding() always returns 1.
-EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
-length or zero if the cipher does not use an IV.
-EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
-OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
-EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
-EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for
-success or zero for failure.
-=head1 CIPHER LISTING
-All algorithms have a fixed key length unless otherwise stated.
-=over 4
-=item EVP_enc_null(void)
-Null cipher: does nothing.
-=item EVP_aes_128_cbc(void), EVP_aes_128_ecb(void), EVP_aes_128_cfb(void), EVP_aes_128_ofb(void)
-128-bit AES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_aes_192_cbc(void), EVP_aes_192_ecb(void), EVP_aes_192_cfb(void), EVP_aes_192_ofb(void)
-192-bit AES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_aes_256_cbc(void), EVP_aes_256_ecb(void), EVP_aes_256_cfb(void), EVP_aes_256_ofb(void)
-256-bit AES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void)
-DES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void),
-EVP_des_ede_cfb(void)
-Two key triple DES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void),
-EVP_des_ede3_cfb(void)
-Three key triple DES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_desx_cbc(void)
-DESX algorithm in CBC mode.
-=item EVP_rc4(void)
-RC4 stream cipher. This is a variable key length cipher with default key length
-128 bits.
-=item EVP_rc4_40(void)
-RC4 stream cipher with 40 bit key length. This is obsolete and new code should
-use EVP_rc4() and the EVP_CIPHER_CTX_set_key_length() function.
-=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void),
-EVP_idea_ofb(void), EVP_idea_cbc(void)
-IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)
-RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a
-variable key length cipher with an additional parameter called "effective key
-bits" or "effective key length".  By default both are set to 128 bits.
-=item EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)
-RC2 algorithm in CBC mode with a default key length and effective key length of
-40 and 64 bits.  These are obsolete and new code should use EVP_rc2_cbc(),
-EVP_CIPHER_CTX_set_key_length() and EVP_CIPHER_CTX_ctrl() to set the key length
-and effective key length.
-=item EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);
-Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This
-is a variable key length cipher.
-=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void),
-EVP_cast5_ofb(void)
-CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is
-a variable key length cipher.
-=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void),
-EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)
-RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a
-variable key length cipher with an additional "number of rounds" parameter. By
-default the key length is set to 128 bits and 12 rounds.
-=back
-=head1 NOTES
-Where possible the B<EVP> interface to symmetric ciphers should be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the cipher used and much more flexible.
-PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
-length of the encrypted data a multiple of the block size. Padding is always
-added so if the data is already a multiple of the block size B<n> will equal
-the block size. For example if the block size is 8 and 11 bytes are to be
-encrypted then 5 padding bytes of value 5 will be added.
-When decrypting the final block is checked to see if it has the correct form.
-Although the decryption operation can produce an error if padding is enabled,
-it is not a strong test that the input data or key is correct. A random block
-has better than 1 in 256 chance of being of the correct format and problems with
-the input data earlier on will not produce a final decrypt error.
-If padding is disabled then the decryption operation will always succeed if
-the total amount of data decrypted is a multiple of the block size.
-The functions EVP_EncryptInit(), EVP_EncryptFinal(), EVP_DecryptInit(),
-EVP_CipherInit() and EVP_CipherFinal() are obsolete but are retained for
-compatibility with existing code. New code should use EVP_EncryptInit_ex(),
-EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(),
-EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an
-existing context without allocating and freeing it up on each call.
-=head1 BUGS
-For RC5 the number of rounds can currently only be set to 8, 12 or 16. This is
-a limitation of the current RC5 code rather than the EVP interface.
-EVP_MAX_KEY_LENGTH and EVP_MAX_IV_LENGTH only refer to the internal ciphers with
-default key lengths. If custom ciphers exceed these values the results are
-unpredictable. This is because it has become standard practice to define a
-generic key as a fixed unsigned char array containing EVP_MAX_KEY_LENGTH bytes.
-The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
-for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
-=head1 EXAMPLES
-Get the number of rounds used in RC5:
- int nrounds;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds);
-Get the RC2 effective key length:
- int key_bits;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits);
-Set the number of rounds used in RC5:
- int nrounds;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL);
-Set the effective key length used in RC2:
- int key_bits;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
-Encrypt a string using blowfish:
- int
- do_crypt(char *outfile)
- {
-        unsigned char outbuf[1024];
-        int outlen, tmplen;
-        /*
-         * Bogus key and IV: we'd normally set these from
-         * another source.
-         */
-        unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
-        unsigned char iv[] = {1,2,3,4,5,6,7,8};
-        const char intext[] = "Some Crypto Text";
-        EVP_CIPHER_CTX ctx;
-        FILE *out;
-        EVP_CIPHER_CTX_init(&ctx);
-        EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
-        if (!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext,
-            strlen(intext))) {
-                /* Error */
-                return 0;
-        }
-        /*
-         * Buffer passed to EVP_EncryptFinal() must be after data just
-         * encrypted to avoid overwriting it.
-         */
-        if (!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen)) {
-                /* Error */
-                return 0;
-        }
-        outlen += tmplen;
-        EVP_CIPHER_CTX_cleanup(&ctx);
-        /*
-         * Need binary mode for fopen because encrypted data is
-         * binary data. Also cannot use strlen() on it because
-         * it won't be NUL terminated and may contain embedded
-         * NULs.
-         */
-        out = fopen(outfile, "wb");
-        fwrite(outbuf, 1, outlen, out);
-        fclose(out);
-        return 1;
- }
-The ciphertext from the above example can be decrypted using the B<openssl>
-utility with the command line:
- S<openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d>
-General encryption, decryption function example using FILE I/O and RC2 with an
-80 bit key:
- int
- do_crypt(FILE *in, FILE *out, int do_encrypt)
- {
-        /* Allow enough space in output buffer for additional block */
-        inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
-        int inlen, outlen;
-        /*
-         * Bogus key and IV: we'd normally set these from
-         * another source.
-         */
-        unsigned char key[] = "0123456789";
-        unsigned char iv[] = "12345678";
-        /* Don't set key or IV because we will modify the parameters */
-        EVP_CIPHER_CTX_init(&ctx);
-        EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt);
-        EVP_CIPHER_CTX_set_key_length(&ctx, 10);
-        /* We finished modifying parameters so now we can set key and IV */
-        EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt);
-        for(;;) {
-                inlen = fread(inbuf, 1, 1024, in);
-                if (inlen <= 0)
-                        break;
-                if (!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf,
-                    inlen)) {
-                        /* Error */
-                        EVP_CIPHER_CTX_cleanup(&ctx);
-                        return 0;
-                }
-                fwrite(outbuf, 1, outlen, out);
-        }
-        if (!EVP_CipherFinal_ex(&ctx, outbuf, &outlen)) {
-                /* Error */
-                EVP_CIPHER_CTX_cleanup(&ctx);
-                return 0;
-        }
-        fwrite(outbuf, 1, outlen, out);
-        EVP_CIPHER_CTX_cleanup(&ctx);
-        return 1;
- }
-=head1 SEE ALSO
-L<evp(3)|evp(3)>
-=head1 HISTORY
-EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(),
-EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(),
-EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in
-OpenSSL 0.9.7.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_OpenInit.pod b/src/lib/libcrypto/doc/EVP_OpenInit.pod
deleted file mode 100644
index 0242f66715..0000000000
--- a/src/lib/libcrypto/doc/EVP_OpenInit.pod
+++ /dev/null
@@ -1,61 +0,0 @@
-=pod
-=head1 NAME
-EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal - EVP envelope decryption
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
-                int ekl,unsigned char *iv,EVP_PKEY *priv);
- int EVP_OpenUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl, unsigned char *in, int inl);
- int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl);
-=head1 DESCRIPTION
-The EVP envelope routines are a high level interface to envelope
-decryption. They decrypt a public key encrypted symmetric key and
-then decrypt data using it.
-EVP_OpenInit() initializes a cipher context B<ctx> for decryption
-with cipher B<type>. It decrypts the encrypted symmetric key of length
-B<ekl> bytes passed in the B<ek> parameter using the private key B<priv>.
-The IV is supplied in the B<iv> parameter.
-EVP_OpenUpdate() and EVP_OpenFinal() have exactly the same properties
-as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as
-documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
-page.
-=head1 NOTES
-It is possible to call EVP_OpenInit() twice in the same way as
-EVP_DecryptInit(). The first call should have B<priv> set to NULL
-and (after setting any cipher parameters) it should be called again
-with B<type> set to NULL.
-If the cipher passed in the B<type> parameter is a variable length
-cipher then the key length will be set to the value of the recovered
-key length. If the cipher is a fixed length cipher then the recovered
-key length must match the fixed cipher length.
-=head1 RETURN VALUES
-EVP_OpenInit() returns 0 on error or a non zero integer (actually the
-recovered secret key size) if successful.
-EVP_OpenUpdate() returns 1 for success or 0 for failure.
-EVP_OpenFinal() returns 0 if the decrypt failed or 1 for success.
-=head1 SEE ALSO
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<EVP_SealInit(3)|EVP_SealInit(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod b/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
deleted file mode 100644
index e8776e1e67..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
+++ /dev/null
@@ -1,135 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_CTX_ctrl, EVP_PKEY_CTX_ctrl_str, EVP_PKEY_get_default_digest_nid,
-EVP_PKEY_CTX_set_signature_md, EVP_PKEY_CTX_set_rsa_padding,
-EVP_PKEY_CTX_set_rsa_pss_saltlen, EVP_PKEY_CTX_set_rsa_rsa_keygen_bits,
-EVP_PKEY_CTX_set_rsa_keygen_pubexp, EVP_PKEY_CTX_set_dsa_paramgen_bits,
-EVP_PKEY_CTX_set_dh_paramgen_prime_len,
-EVP_PKEY_CTX_set_dh_paramgen_generator,
-EVP_PKEY_CTX_set_ec_paramgen_curve_nid - algorithm specific control operations
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
-                                int cmd, int p1, void *p2);
- int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
-                                                const char *value);
- int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
- #include <openssl/rsa.h>
- int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
- int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad);
- int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len);
- int EVP_PKEY_CTX_set_rsa_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits);
- int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
- #include <openssl/dsa.h>
- int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits);
- #include <openssl/dh.h>
- int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int len);
- int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen);
- #include <openssl/ec.h>
- int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
-=head1 DESCRIPTION
-The function EVP_PKEY_CTX_ctrl() sends a control operation to the context
-B<ctx>. The key type used must match B<keytype> if it is not -1. The parameter
-B<optype> is a mask indicating which operations the control can be applied to.
-The control command is indicated in B<cmd> and any additional arguments in
-B<p1> and B<p2>.
-Applications will not normally call EVP_PKEY_CTX_ctrl() directly but will
-instead call one of the algorithm specific macros below.
-The function EVP_PKEY_CTX_ctrl_str() allows an application to send an algorithm
-specific control operation to a context B<ctx> in string form. This is
-intended to be used for options specified on the command line or in text
-files. The commands supported are documented in the openssl utility
-command line pages for the option B<-pkeyopt> which is supported by the
-B<pkeyutl>, B<genpkey> and B<req> commands.
-All the remaining "functions" are implemented as macros.
-The EVP_PKEY_CTX_set_signature_md() macro sets the message digest type used
-in a signature. It can be used with any public key algorithm supporting
-signature operations.
-The macro EVP_PKEY_CTX_set_rsa_padding() sets the RSA padding mode for B<ctx>.
-The B<pad> parameter can take the value RSA_PKCS1_PADDING for PKCS#1 padding,
-RSA_SSLV23_PADDING for SSLv23 padding, RSA_NO_PADDING for no padding,
-RSA_PKCS1_OAEP_PADDING for OAEP padding (encrypt and decrypt only),
-RSA_X931_PADDING for X9.31 padding (signature operations only) and
-RSA_PKCS1_PSS_PADDING (sign and verify only).
-Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md() is
-used. If this macro is called for PKCS#1 padding the plaintext buffer is an
-actual digest value and is encapsulated in a DigestInfo structure according to
-PKCS#1 when signing and this structure is expected (and stripped off) when
-verifying. If this control is not used with RSA and PKCS#1 padding then the
-supplied data is used directly and not encapsulated. In the case of X9.31
-padding for RSA the algorithm identifier byte is added or checked and removed
-if this control is called. If it is not called then the first byte of the
-plaintext buffer is expected to be the algorithm identifier byte.
-The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to
-B<len> as its name implies it is only supported for PSS padding.  Two special
-values are supported: -1 sets the salt length to the digest length. When
-signing -2 sets the salt length to the maximum permissible value. When
-verifying -2 causes the salt length to be automatically determined based on the
-B<PSS> block structure. If this macro is not called a salt length value of -2
-is used by default.
-The EVP_PKEY_CTX_set_rsa_rsa_keygen_bits() macro sets the RSA key length for
-RSA key generation to B<bits>. If not specified 1024 bits is used.
-The EVP_PKEY_CTX_set_rsa_keygen_pubexp() macro sets the public exponent value
-for RSA key generation to B<pubexp> currently it should be an odd integer. The
-B<pubexp> pointer is used internally by this function so it should not be
-modified or free after the call. If this macro is not called then 65537 is used.
-The macro EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used
-for DSA parameter generation to B<bits>. If not specified 1024 is used.
-The macro EVP_PKEY_CTX_set_dh_paramgen_prime_len() sets the length of the DH
-prime parameter B<p> for DH parameter generation. If this macro is not called
-then 1024 is used.
-The EVP_PKEY_CTX_set_dh_paramgen_generator() macro sets DH generator to B<gen>
-for DH parameter generation. If not specified 2 is used.
-The EVP_PKEY_CTX_set_ec_paramgen_curve_nid() sets the EC curve for EC parameter
-generation to B<nid>. For EC parameter generation this macro must be called
-or an error occurs because there is no default curve.
-=head1 RETURN VALUES
-EVP_PKEY_CTX_ctrl() and its macros return a positive value for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_CTX_new.pod b/src/lib/libcrypto/doc/EVP_PKEY_CTX_new.pod
deleted file mode 100644
index 60ad61e853..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_CTX_new.pod
+++ /dev/null
@@ -1,53 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free -
-public key algorithm context functions.
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
- EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e);
- EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx);
- void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
-=head1 DESCRIPTION
-The EVP_PKEY_CTX_new() function allocates public key algorithm context using
-the algorithm specified in B<pkey> and ENGINE B<e>.
-The EVP_PKEY_CTX_new_id() function allocates public key algorithm context
-using the algorithm specified by B<id> and ENGINE B<e>. It is normally used
-when no B<EVP_PKEY> structure is associated with the operations, for example
-during parameter generation of key generation for some algorithms.
-EVP_PKEY_CTX_dup() duplicates the context B<ctx>.
-EVP_PKEY_CTX_free() frees up the context B<ctx>.
-=head1 NOTES
-The B<EVP_PKEY_CTX> structure is an opaque public key algorithm context used
-by the OpenSSL high level public key API. Contexts B<MUST NOT> be shared between
-threads: that is it is not permissible to use the same context simultaneously
-in two threads.
-=head1 RETURN VALUES
-EVP_PKEY_CTX_new(), EVP_PKEY_CTX_new_id(), EVP_PKEY_CTX_dup() returns either
-the newly allocated B<EVP_PKEY_CTX> structure of B<NULL> if an error occurred.
-EVP_PKEY_CTX_free() does not return a value.
-=head1 SEE ALSO
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_cmp.pod b/src/lib/libcrypto/doc/EVP_PKEY_cmp.pod
deleted file mode 100644
index 7a690247bf..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_cmp.pod
+++ /dev/null
@@ -1,62 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters,
-EVP_PKEY_cmp - public key parameter and comparison functions
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
- int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
- int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b);
- int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
-=head1 DESCRIPTION
-The function EVP_PKEY_missing_parameters() returns 1 if the public key
-parameters of B<pkey> are missing and 0 if they are present or the algorithm
-doesn't use parameters.
-The function EVP_PKEY_copy_parameters() copies the parameters from key
-B<from> to key B<to>.
-The function EVP_PKEY_cmp_parameters() compares the parameters of keys
-B<a> and B<b>.
-The function EVP_PKEY_cmp() compares the public key components and parameters
-(if present) of keys B<a> and B<b>.
-=head1 NOTES
-The main purpose of the functions EVP_PKEY_missing_parameters() and
-EVP_PKEY_copy_parameters() is to handle public keys in certificates where the
-parameters are sometimes omitted from a public key if they are inherited from
-the CA that signed it.
-Since OpenSSL private keys contain public key components too the function
-EVP_PKEY_cmp() can also be used to determine if a private key matches
-a public key.
-=head1 RETURN VALUES
-The function EVP_PKEY_missing_parameters() returns 1 if the public key
-parameters of B<pkey> are missing and 0 if they are present or the algorithm
-doesn't use parameters.
-These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for
-failure.
-The function EVP_PKEY_cmp_parameters() and EVP_PKEY_cmp() return 1 if the
-keys match, 0 if they don't match, -1 if the key types are different and
-2 if the operation is not supported.
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod b/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod
deleted file mode 100644
index a64ef12866..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod
+++ /dev/null
@@ -1,93 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_decrypt_init, EVP_PKEY_decrypt - decrypt using a public key algorithm
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
-                        unsigned char *out, size_t *outlen,
-                        const unsigned char *in, size_t inlen);
-=head1 DESCRIPTION
-The EVP_PKEY_decrypt_init() function initializes a public key algorithm
-context using key B<pkey> for a decryption operation.
-The EVP_PKEY_decrypt() function performs a public key decryption operation
-using B<ctx>. The data to be decrypted is specified using the B<in> and
-B<inlen> parameters. If B<out> is B<NULL> then the maximum size of the output
-buffer is written to the B<outlen> parameter. If B<out> is not B<NULL> then
-before the call the B<outlen> parameter should contain the length of the
-B<out> buffer, if the call is successful the decrypted data is written to
-B<out> and the amount of data written to B<outlen>.
-=head1 NOTES
-After the call to EVP_PKEY_decrypt_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-The function EVP_PKEY_decrypt() can be called more than once on the same
-context if several operations are performed using the same parameters.
-=head1 RETURN VALUES
-EVP_PKEY_decrypt_init() and EVP_PKEY_decrypt() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-=head1 EXAMPLE
-Decrypt data using OAEP (for RSA keys):
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- EVP_PKEY_CTX *ctx;
- unsigned char *out, *in;
- size_t outlen, inlen;
- EVP_PKEY *key;
- /* NB: assumes key in, inlen are already set up
-  * and that key is an RSA private key
-  */
- ctx = EVP_PKEY_CTX_new(key);
- if (!ctx)
-        /* Error occurred */
- if (EVP_PKEY_decrypt_init(ctx) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
-        /* Error */
- /* Determine buffer length */
- if (EVP_PKEY_decrypt(ctx, NULL, &outlen, in, inlen) <= 0)
-        /* Error */
- out = malloc(outlen);
- if (!out)
-        /* malloc failure */
- if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0)
-        /* Error */
- /* Decrypted data is outlen bytes written to buffer out */
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_derive.pod b/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
deleted file mode 100644
index 09654e1b81..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
+++ /dev/null
@@ -1,94 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive - derive public
-key algorithm shared secret.
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);
- int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
-=head1 DESCRIPTION
-The EVP_PKEY_derive_init() function initializes a public key algorithm
-context using key B<pkey> for shared secret derivation.
-The EVP_PKEY_derive_set_peer() function sets the peer key: this will normally
-be a public key.
-The EVP_PKEY_derive() derives a shared secret using B<ctx>.
-If B<key> is B<NULL> then the maximum size of the output buffer is written to
-the B<keylen> parameter. If B<key> is not B<NULL> then before the call the
-B<keylen> parameter should contain the length of the B<key> buffer, if the call
-is successful the shared secret is written to B<key> and the amount of data
-written to B<keylen>.
-=head1 NOTES
-After the call to EVP_PKEY_derive_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-The function EVP_PKEY_derive() can be called more than once on the same
-context if several operations are performed using the same parameters.
-=head1 RETURN VALUES
-EVP_PKEY_derive_init() and EVP_PKEY_derive() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-=head1 EXAMPLE
-Derive shared secret (for example DH or EC keys):
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- EVP_PKEY_CTX *ctx;
- unsigned char *skey;
- size_t skeylen;
- EVP_PKEY *pkey, *peerkey;
- /* NB: assumes pkey, peerkey have been already set up */
- ctx = EVP_PKEY_CTX_new(pkey);
- if (!ctx)
-        /* Error occurred */
- if (EVP_PKEY_derive_init(ctx) <= 0)
-        /* Error */
- if (EVP_PKEY_derive_set_peer(ctx, peerkey) <= 0)
-        /* Error */
- /* Determine buffer length */
- if (EVP_PKEY_derive(ctx, NULL, &skeylen) <= 0)
-        /* Error */
- skey = malloc(skeylen);
- if (!skey)
-        /* malloc failure */
- if (EVP_PKEY_derive(ctx, skey, &skeylen) <= 0)
-        /* Error */
- /* Shared secret is skey bytes written to buffer skey */
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod b/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod
deleted file mode 100644
index b3ca123df0..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod
+++ /dev/null
@@ -1,93 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_encrypt_init, EVP_PKEY_encrypt - encrypt using a public key algorithm
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
-                        unsigned char *out, size_t *outlen,
-                        const unsigned char *in, size_t inlen);
-=head1 DESCRIPTION
-The EVP_PKEY_encrypt_init() function initializes a public key algorithm
-context using key B<pkey> for an encryption operation.
-The EVP_PKEY_encrypt() function performs a public key encryption operation
-using B<ctx>. The data to be encrypted is specified using the B<in> and
-B<inlen> parameters. If B<out> is B<NULL> then the maximum size of the output
-buffer is written to the B<outlen> parameter. If B<out> is not B<NULL> then
-before the call the B<outlen> parameter should contain the length of the
-B<out> buffer, if the call is successful the encrypted data is written to
-B<out> and the amount of data written to B<outlen>.
-=head1 NOTES
-After the call to EVP_PKEY_encrypt_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-The function EVP_PKEY_encrypt() can be called more than once on the same
-context if several operations are performed using the same parameters.
-=head1 RETURN VALUES
-EVP_PKEY_encrypt_init() and EVP_PKEY_encrypt() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-=head1 EXAMPLE
-Encrypt data using OAEP (for RSA keys):
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- EVP_PKEY_CTX *ctx;
- unsigned char *out, *in;
- size_t outlen, inlen;
- EVP_PKEY *key;
- /* NB: assumes key in, inlen are already set up
-  * and that key is an RSA public key
-  */
- ctx = EVP_PKEY_CTX_new(key);
- if (!ctx)
-        /* Error occurred */
- if (EVP_PKEY_encrypt_init(ctx) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
-        /* Error */
- /* Determine buffer length */
- if (EVP_PKEY_encrypt(ctx, NULL, &outlen, in, inlen) <= 0)
-        /* Error */
- out = malloc(outlen);
- if (!out)
-        /* malloc failure */
- if (EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen) <= 0)
-        /* Error */
- /* Encrypted data is outlen bytes written to buffer out */
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod b/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod
deleted file mode 100644
index 8ff597d44a..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_get_default_digest_nid - get default signature digest
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
-=head1 DESCRIPTION
-The EVP_PKEY_get_default_digest_nid() function sets B<pnid> to the default
-message digest NID for the public key signature operations associated with key
-B<pkey>.
-=head1 NOTES
-For all current standard OpenSSL public key algorithms SHA1 is returned.
-=head1 RETURN VALUES
-The EVP_PKEY_get_default_digest_nid() function returns 1 if the message digest
-is advisory (that is other digests can be used) and 2 if it is mandatory (other
-digests can not be used).  It returns 0 or a negative value for failure. In
-particular a return value of -2 indicates the operation is not supported by the
-public key algorithm.
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-=head1 HISTORY
-This function was first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod b/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
deleted file mode 100644
index adcf3560e0..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
+++ /dev/null
@@ -1,170 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init,
-EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb,
-EVP_PKEY_CTX_get_keygen_info, EVP_PKEY_CTX_set_app_data,
-EVP_PKEY_CTX_get_app_data - key and parameter generation functions
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
- int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
- typedef int EVP_PKEY_gen_cb(EVP_PKEY_CTX *ctx);
- void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);
- EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx);
- void EVP_PKEY_CTX_set_app_data(EVP_PKEY_CTX *ctx, void *data);
- void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx);
-=head1 DESCRIPTION
-The EVP_PKEY_keygen_init() function initializes a public key algorithm
-context using key B<pkey> for a key generation operation.
-The EVP_PKEY_keygen() function performs a key generation operation, the
-generated key is written to B<ppkey>.
-The functions EVP_PKEY_paramgen_init() and EVP_PKEY_paramgen() are similar
-except parameters are generated.
-The function EVP_PKEY_set_cb() sets the key or parameter generation callback
-to B<cb>. The function EVP_PKEY_CTX_get_cb() returns the key or parameter
-generation callback.
-The function EVP_PKEY_CTX_get_keygen_info() returns parameters associated
-with the generation operation. If B<idx> is -1 the total number of
-parameters available is returned. Any non negative value returns the value of
-that parameter. EVP_PKEY_CTX_gen_keygen_info() with a non-negative value for
-B<idx> should only be called within the generation callback.
-If the callback returns 0 then the key generation operation is aborted and an
-error occurs. This might occur during a time consuming operation where
-a user clicks on a "cancel" button.
-The functions EVP_PKEY_CTX_set_app_data() and EVP_PKEY_CTX_get_app_data() set
-and retrieve an opaque pointer. This can be used to set some application
-defined value which can be retrieved in the callback: for example a handle
-which is used to update a "progress dialog".
-=head1 NOTES
-After the call to EVP_PKEY_keygen_init() or EVP_PKEY_paramgen_init() algorithm
-specific control operations can be performed to set any appropriate parameters
-for the operation.
-The functions EVP_PKEY_keygen() and EVP_PKEY_paramgen() can be called more than
-once on the same context if several operations are performed using the same
-parameters.
-The meaning of the parameters passed to the callback will depend on the
-algorithm and the specific implementation of the algorithm. Some might not
-give any useful information at all during key or parameter generation. Others
-might not even call the callback.
-The operation performed by key or parameter generation depends on the algorithm
-used. In some cases (e.g. EC with a supplied named curve) the "generation"
-option merely sets the appropriate fields in an EVP_PKEY structure.
-In OpenSSL an EVP_PKEY structure containing a private key also contains the
-public key components and parameters (if any). An OpenSSL private key is
-equivalent to what some libraries call a "key pair". A private key can be used
-in functions which require the use of a public key or parameters.
-=head1 RETURN VALUES
-EVP_PKEY_keygen_init(), EVP_PKEY_paramgen_init(), EVP_PKEY_keygen() and
-EVP_PKEY_paramgen() return 1 for success and 0 or a negative value for failure.
-In particular a return value of -2 indicates the operation is not supported by
-the public key algorithm.
-=head1 EXAMPLES
-Generate a 2048 bit RSA key:
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- EVP_PKEY_CTX *ctx;
- EVP_PKEY *pkey = NULL;
- ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
- if (!ctx)
-        /* Error occurred */
- if (EVP_PKEY_keygen_init(ctx) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
-        /* Error */
- /* Generate key */
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
-        /* Error */
-Generate a key from a set of parameters:
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- EVP_PKEY_CTX *ctx;
- EVP_PKEY *pkey = NULL, *param;
- /* Assumed param is set up already */
- ctx = EVP_PKEY_CTX_new(param);
- if (!ctx)
-        /* Error occurred */
- if (EVP_PKEY_keygen_init(ctx) <= 0)
-        /* Error */
- /* Generate key */
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
-        /* Error */
-Example of generation callback for OpenSSL public key implementations:
- /* Application data is a BIO to output status to */
- EVP_PKEY_CTX_set_app_data(ctx, status_bio);
- static int
- genpkey_cb(EVP_PKEY_CTX *ctx)
- {
-        char c = '*';
-        BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
-        int p;
-        p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
-        if (p == 0)
-                c='.';
-        if (p == 1)
-                c='+';
-        if (p == 2)
-                c='*';
-        if (p == 3)
-                c='\n';
-        BIO_write(b,&c,1);
-        (void)BIO_flush(b);
-        return 1;
- }
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_new.pod b/src/lib/libcrypto/doc/EVP_PKEY_new.pod
deleted file mode 100644
index 7792714659..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_new.pod
+++ /dev/null
@@ -1,43 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_new, EVP_PKEY_free - private key allocation functions.
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- EVP_PKEY *EVP_PKEY_new(void);
- void EVP_PKEY_free(EVP_PKEY *key);
-=head1 DESCRIPTION
-The EVP_PKEY_new() function allocates an empty B<EVP_PKEY>
-structure which is used by OpenSSL to store private keys.
-EVP_PKEY_free() frees up the private key B<key>.
-=head1 NOTES
-The B<EVP_PKEY> structure is used by various OpenSSL functions
-which require a general private key without reference to any
-particular algorithm.
-The structure returned by EVP_PKEY_new() is empty. To add a
-private key to this empty structure the functions described in
-L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)> should be used.
-=head1 RETURN VALUES
-EVP_PKEY_new() returns either the newly allocated B<EVP_PKEY>
-structure of B<NULL> if an error occurred.
-EVP_PKEY_free() does not return a value.
-=head1 SEE ALSO
-L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_print_private.pod b/src/lib/libcrypto/doc/EVP_PKEY_print_private.pod
deleted file mode 100644
index eabbaed264..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_print_private.pod
+++ /dev/null
@@ -1,54 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params - public
-key algorithm printing routines.
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey,
-                                int indent, ASN1_PCTX *pctx);
- int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,
-                                int indent, ASN1_PCTX *pctx);
- int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,
-                                int indent, ASN1_PCTX *pctx);
-=head1 DESCRIPTION
-The functions EVP_PKEY_print_public(), EVP_PKEY_print_private() and
-EVP_PKEY_print_params() print out the public, private or parameter components
-of key B<pkey> respectively. The key is sent to BIO B<out> in human readable
-form. The parameter B<indent> indicated how far the printout should be indented.
-The B<pctx> parameter allows the print output to be finely tuned by using
-ASN1 printing options. If B<pctx> is set to NULL then default values will
-be used.
-=head1 NOTES
-Currently no public key algorithms include any options in the B<pctx> parameter
-parameter.
-If the key does not include all the components indicated by the function then
-only those contained in the key will be printed. For example passing a public
-key to EVP_PKEY_print_private() will only print the public components.
-=head1 RETURN VALUES
-These functions all return 1 for success and 0 or a negative value for failure.
-In particular a return value of -2 indicates the operation is not supported by
-the public key algorithm.
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_set1_RSA.pod b/src/lib/libcrypto/doc/EVP_PKEY_set1_RSA.pod
deleted file mode 100644
index 096e969fa3..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_set1_RSA.pod
+++ /dev/null
@@ -1,76 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
-EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
-EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH,
-EVP_PKEY_assign_EC_KEY, EVP_PKEY_type - EVP_PKEY assignment functions.
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_set1_RSA(EVP_PKEY *pkey,RSA *key);
- int EVP_PKEY_set1_DSA(EVP_PKEY *pkey,DSA *key);
- int EVP_PKEY_set1_DH(EVP_PKEY *pkey,DH *key);
- int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey,EC_KEY *key);
- RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
- DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
- DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
- EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
- int EVP_PKEY_assign_RSA(EVP_PKEY *pkey,RSA *key);
- int EVP_PKEY_assign_DSA(EVP_PKEY *pkey,DSA *key);
- int EVP_PKEY_assign_DH(EVP_PKEY *pkey,DH *key);
- int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey,EC_KEY *key);
- int EVP_PKEY_type(int type);
-=head1 DESCRIPTION
-EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and
-EVP_PKEY_set1_EC_KEY() set the key referenced by B<pkey> to B<key>.
-EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
-EVP_PKEY_get1_EC_KEY() return the referenced key in B<pkey> or
-B<NULL> if the key is not of the correct type.
-EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
-and EVP_PKEY_assign_EC_KEY() also set the referenced key to B<key>
-however these use the supplied B<key> internally and so B<key>
-will be freed when the parent B<pkey> is freed.
-EVP_PKEY_type() returns the type of key corresponding to the value
-B<type>. The type of a key can be obtained with
-EVP_PKEY_type(pkey->type). The return value will be EVP_PKEY_RSA,
-EVP_PKEY_DSA, EVP_PKEY_DH or EVP_PKEY_EC for the corresponding
-key types or NID_undef if the key type is unassigned.
-=head1 NOTES
-In accordance with the OpenSSL naming convention the key obtained
-from or assigned to the B<pkey> using the B<1> functions must be
-freed as well as B<pkey>.
-EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
-EVP_PKEY_assign_EC_KEY() are implemented as macros.
-=head1 RETURN VALUES
-EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and
-EVP_PKEY_set1_EC_KEY() return 1 for success or 0 for failure.
-EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
-EVP_PKEY_get1_EC_KEY() return the referenced key or B<NULL> if
-an error occurred.
-EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
-and EVP_PKEY_assign_EC_KEY() return 1 for success and 0 for failure.
-=head1 SEE ALSO
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_sign.pod b/src/lib/libcrypto/doc/EVP_PKEY_sign.pod
deleted file mode 100644
index 1925706d96..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_sign.pod
+++ /dev/null
@@ -1,96 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_sign_init, EVP_PKEY_sign - sign using a public key algorithm
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
-                        unsigned char *sig, size_t *siglen,
-                        const unsigned char *tbs, size_t tbslen);
-=head1 DESCRIPTION
-The EVP_PKEY_sign_init() function initializes a public key algorithm
-context using key B<pkey> for a signing operation.
-The EVP_PKEY_sign() function performs a public key signing operation
-using B<ctx>. The data to be signed is specified using the B<tbs> and
-B<tbslen> parameters. If B<sig> is B<NULL> then the maximum size of the output
-buffer is written to the B<siglen> parameter. If B<sig> is not B<NULL> then
-before the call the B<siglen> parameter should contain the length of the
-B<sig> buffer, if the call is successful the signature is written to
-B<sig> and the amount of data written to B<siglen>.
-=head1 NOTES
-After the call to EVP_PKEY_sign_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-The function EVP_PKEY_sign() can be called more than once on the same
-context if several operations are performed using the same parameters.
-=head1 RETURN VALUES
-EVP_PKEY_sign_init() and EVP_PKEY_sign() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-=head1 EXAMPLE
-Sign data using RSA with PKCS#1 padding and SHA256 digest:
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- EVP_PKEY_CTX *ctx;
- unsigned char *md, *sig;
- size_t mdlen, siglen;
- EVP_PKEY *signing_key;
- /* NB: assumes signing_key, md and mdlen are already set up
-  * and that signing_key is an RSA private key
-  */
- ctx = EVP_PKEY_CTX_new(signing_key);
- if (!ctx)
-        /* Error occurred */
- if (EVP_PKEY_sign_init(ctx) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
-        /* Error */
- /* Determine buffer length */
- if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0)
-        /* Error */
- sig = malloc(siglen);
- if (!sig)
-        /* malloc failure */
- if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0)
-        /* Error */
- /* Signature is siglen bytes written to buffer sig */
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_verify.pod b/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
deleted file mode 100644
index 0f092ca8e1..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
+++ /dev/null
@@ -1,92 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_verify_init, EVP_PKEY_verify - signature verification using a public
-key algorithm
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
-                        const unsigned char *sig, size_t siglen,
-                        const unsigned char *tbs, size_t tbslen);
-=head1 DESCRIPTION
-The EVP_PKEY_verify_init() function initializes a public key algorithm
-context using key B<pkey> for a signature verification operation.
-The EVP_PKEY_verify() function performs a public key verification operation
-using B<ctx>. The signature is specified using the B<sig> and
-B<siglen> parameters. The verified data (i.e. the data believed originally
-signed) is specified using the B<tbs> and B<tbslen> parameters.
-=head1 NOTES
-After the call to EVP_PKEY_verify_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-The function EVP_PKEY_verify() can be called more than once on the same
-context if several operations are performed using the same parameters.
-=head1 RETURN VALUES
-EVP_PKEY_verify_init() and EVP_PKEY_verify() return 1 if the verification was
-successful and 0 if it failed. Unlike other functions the return value 0 from
-EVP_PKEY_verify() only indicates that the signature did not verify
-successfully (that is tbs did not match the original data or the signature was
-of invalid form) it is not an indication of a more serious error.
-A negative value indicates an error other that signature verification failure.
-In particular a return value of -2 indicates the operation is not supported by
-the public key algorithm.
-=head1 EXAMPLE
-Verify signature using PKCS#1 and SHA256 digest:
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- EVP_PKEY_CTX *ctx;
- unsigned char *md, *sig;
- size_t mdlen, siglen;
- EVP_PKEY *verify_key;
- /* NB: assumes verify_key, sig, siglen md and mdlen are already set up
-  * and that verify_key is an RSA public key
-  */
- ctx = EVP_PKEY_CTX_new(verify_key);
- if (!ctx)
-        /* Error occurred */
- if (EVP_PKEY_verify_init(ctx) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
-        /* Error */
- /* Perform operation */
- ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen);
- /* ret == 1 indicates success, 0 verify failure and < 0 for some
-  * other error.
-  */
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod b/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
deleted file mode 100644
index 095e53ea2f..0000000000
--- a/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
+++ /dev/null
@@ -1,105 +0,0 @@
-=pod
-=head1 NAME
-EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using
-a public key algorithm
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
-                        unsigned char *rout, size_t *routlen,
-                        const unsigned char *sig, size_t siglen);
-=head1 DESCRIPTION
-The EVP_PKEY_verify_recover_init() function initializes a public key algorithm
-context using key B<pkey> for a verify recover operation.
-The EVP_PKEY_verify_recover() function recovers signed data
-using B<ctx>. The signature is specified using the B<sig> and
-B<siglen> parameters. If B<rout> is B<NULL> then the maximum size of the output
-buffer is written to the B<routlen> parameter. If B<rout> is not B<NULL> then
-before the call the B<routlen> parameter should contain the length of the
-B<rout> buffer, if the call is successful recovered data is written to
-B<rout> and the amount of data written to B<routlen>.
-=head1 NOTES
-Normally an application is only interested in whether a signature verification
-operation is successful in those cases the EVP_verify() function should be
-used.
-Sometimes however it is useful to obtain the data originally signed using a
-signing operation. Only certain public key algorithms can recover a signature
-in this way (for example RSA in PKCS padding mode).
-After the call to EVP_PKEY_verify_recover_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-The function EVP_PKEY_verify_recover() can be called more than once on the same
-context if several operations are performed using the same parameters.
-=head1 RETURN VALUES
-EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for
-success
-and 0 or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-=head1 EXAMPLE
-Recover digest originally signed using PKCS#1 and SHA256 digest:
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- EVP_PKEY_CTX *ctx;
- unsigned char *rout, *sig;
- size_t routlen, siglen;
- EVP_PKEY *verify_key;
- /* NB: assumes verify_key, sig and siglen are already set up
-  * and that verify_key is an RSA public key
-  */
- ctx = EVP_PKEY_CTX_new(verify_key);
- if (!ctx)
-        /* Error occurred */
- if (EVP_PKEY_verify_recover_init(ctx) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-        /* Error */
- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
-        /* Error */
- /* Determine buffer length */
- if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0)
-        /* Error */
- rout = malloc(routlen);
- if (!rout)
-        /* malloc failure */
- if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0)
-        /* Error */
- /* Recovered data is routlen bytes written to buffer rout */
-=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_SealInit.pod b/src/lib/libcrypto/doc/EVP_SealInit.pod
deleted file mode 100644
index 76eebb72a9..0000000000
--- a/src/lib/libcrypto/doc/EVP_SealInit.pod
+++ /dev/null
@@ -1,82 +0,0 @@
-=pod
-=head1 NAME
-EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
-                  unsigned char **ek, int *ekl, unsigned char *iv,
-                  EVP_PKEY **pubk, int npubk);
- int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl, unsigned char *in, int inl);
- int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl);
-=head1 DESCRIPTION
-The EVP envelope routines are a high level interface to envelope
-encryption. They generate a random key and IV (if required) then
-"envelope" it by using public key encryption. Data can then be
-encrypted using this key.
-EVP_SealInit() initializes a cipher context B<ctx> for encryption
-with cipher B<type> using a random secret key and IV. B<type> is normally
-supplied by a function such as EVP_aes_256_cbc(). The secret key is encrypted
-using one or more public keys, this allows the same encrypted data to be
-decrypted using any of the corresponding private keys. B<ek> is an array of
-buffers where the public key encrypted secret key will be written, each buffer
-must contain enough room for the corresponding encrypted key: that is
-B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual
-size of each encrypted secret key is written to the array B<ekl>. B<pubk> is
-an array of B<npubk> public keys.
-The B<iv> parameter is a buffer where the generated IV is written to. It must
-contain enough room for the corresponding cipher's IV, as determined by (for
-example) EVP_CIPHER_iv_length(type).
-If the cipher does not require an IV then the B<iv> parameter is ignored
-and can be B<NULL>.
-EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties
-as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as
-documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
-page.
-=head1 RETURN VALUES
-EVP_SealInit() returns 0 on error or B<npubk> if successful.
-EVP_SealUpdate() and EVP_SealFinal() return 1 for success and 0 for
-failure.
-=head1 NOTES
-The public key must be RSA because it is the only OpenSSL public key
-algorithm that supports key transport.
-Envelope encryption is the usual method of using public key encryption
-on large amounts of data, this is because public key encryption is slow
-but symmetric encryption is fast. So symmetric encryption is used for
-bulk encryption and the small random symmetric key used is transferred
-using public key encryption.
-It is possible to call EVP_SealInit() twice in the same way as
-EVP_EncryptInit(). The first call should have B<npubk> set to 0
-and (after setting any cipher parameters) it should be called again
-with B<type> set to NULL.
-=head1 SEE ALSO
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<EVP_OpenInit(3)|EVP_OpenInit(3)>
-=head1 HISTORY
-EVP_SealFinal() did not return a value before OpenSSL 0.9.7.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_SignInit.pod b/src/lib/libcrypto/doc/EVP_SignInit.pod
deleted file mode 100644
index 6882211e02..0000000000
--- a/src/lib/libcrypto/doc/EVP_SignInit.pod
+++ /dev/null
@@ -1,103 +0,0 @@
-=pod
-=head1 NAME
-EVP_SignInit, EVP_SignUpdate, EVP_SignFinal, EVP_PKEY_size
- EVP signing functions
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
- int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
- int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *sig,unsigned int *s, EVP_PKEY *pkey);
- void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
- int EVP_PKEY_size(EVP_PKEY *pkey);
-=head1 DESCRIPTION
-The EVP signature routines are a high level interface to digital
-signatures.
-EVP_SignInit_ex() sets up signing context B<ctx> to use digest
-B<type> from ENGINE B<impl>. B<ctx> must be initialized with
-EVP_MD_CTX_init() before calling this function.
-EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
-signature context B<ctx>. This function can be called several times on the
-same B<ctx> to include additional data.
-EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
-places the signature in B<sig>. B<sig> must be at least EVP_PKEY_size(pkey)
-bytes in size. B<s> is an OUT parameter, and not used as an IN parameter.
-The number of bytes of data written (i.e. the length of the signature)
-will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
-will be written.
-EVP_SignInit() initializes a signing context B<ctx> to use the default
-implementation of digest B<type>.
-EVP_PKEY_size() returns the maximum size of a signature in bytes. The actual
-signature returned by EVP_SignFinal() may be smaller.
-=head1 RETURN VALUES
-EVP_SignInit_ex(), EVP_SignUpdate() and EVP_SignFinal() return 1
-for success and 0 for failure.
-EVP_PKEY_size() returns the maximum size of a signature in bytes.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 NOTES
-The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the algorithm used and much more flexible.
-Due to the link between message digests and public key algorithms the correct
-digest algorithm must be used with the correct public key type. A list of
-algorithms and associated public key algorithms appears in
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
-The call to EVP_SignFinal() internally finalizes a copy of the digest context.
-This means that calls to EVP_SignUpdate() and EVP_SignFinal() can be called
-later to digest and sign additional data.
-Since only a copy of the digest context is ever finalized the context must
-be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
-will occur.
-=head1 BUGS
-Older versions of this documentation wrongly stated that calls to
-EVP_SignUpdate() could not be made after calling EVP_SignFinal().
-Since the private key is passed in the call to EVP_SignFinal() any error
-relating to the private key (for example an unsuitable key and digest
-combination) will not be indicated until after potentially large amounts of
-data have been passed through EVP_SignUpdate().
-It is not possible to change the signing parameters using these function.
-The previous two bugs are fixed in the newer EVP_SignDigest*() function.
-=head1 SEE ALSO
-L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-=head1 HISTORY
-EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are
-available in all versions of SSLeay and OpenSSL.
-EVP_SignInit_ex() was added in OpenSSL 0.9.7.
-=cut
diff --git a/src/lib/libcrypto/doc/EVP_VerifyInit.pod b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
deleted file mode 100644
index b0d3f8e4c9..0000000000
--- a/src/lib/libcrypto/doc/EVP_VerifyInit.pod
+++ /dev/null
@@ -1,96 +0,0 @@
-=pod
-=head1 NAME
-EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification
-functions
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
- int EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
- int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey);
- int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
-=head1 DESCRIPTION
-The EVP signature verification routines are a high level interface to digital
-signatures.
-EVP_VerifyInit_ex() sets up verification context B<ctx> to use digest
-B<type> from ENGINE B<impl>. B<ctx> must be initialized by calling
-EVP_MD_CTX_init() before calling this function.
-EVP_VerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
-verification context B<ctx>. This function can be called several times on the
-same B<ctx> to include additional data.
-EVP_VerifyFinal() verifies the data in B<ctx> using the public key B<pkey>
-and against the B<siglen> bytes at B<sigbuf>.
-EVP_VerifyInit() initializes verification context B<ctx> to use the default
-implementation of digest B<type>.
-=head1 RETURN VALUES
-EVP_VerifyInit_ex() and EVP_VerifyUpdate() return 1 for success and 0 for
-failure.
-EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if
-some other error occurred.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 NOTES
-The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the algorithm used and much more flexible.
-Due to the link between message digests and public key algorithms the correct
-digest algorithm must be used with the correct public key type. A list of
-algorithms and associated public key algorithms appears in
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
-The call to EVP_VerifyFinal() internally finalizes a copy of the digest context.
-This means that calls to EVP_VerifyUpdate() and EVP_VerifyFinal() can be called
-later to digest and verify additional data.
-Since only a copy of the digest context is ever finalized the context must
-be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
-will occur.
-=head1 BUGS
-Older versions of this documentation wrongly stated that calls to
-EVP_VerifyUpdate() could not be made after calling EVP_VerifyFinal().
-Since the public key is passed in the call to EVP_SignFinal() any error
-relating to the private key (for example an unsuitable key and digest
-combination) will not be indicated until after potentially large amounts of
-data have been passed through EVP_SignUpdate().
-It is not possible to change the signing parameters using these function.
-The previous two bugs are fixed in the newer EVP_VerifyDigest*() function.
-=head1 SEE ALSO
-L<evp(3)|evp(3)>,
-L<EVP_SignInit(3)|EVP_SignInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-=head1 HISTORY
-EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() are
-available in all versions of SSLeay and OpenSSL.
-EVP_VerifyInit_ex() was added in OpenSSL 0.9.7
-=cut
diff --git a/src/lib/libcrypto/doc/HMAC.pod b/src/lib/libcrypto/doc/HMAC.pod
deleted file mode 100644
index d92138d273..0000000000
--- a/src/lib/libcrypto/doc/HMAC.pod
+++ /dev/null
@@ -1,106 +0,0 @@
-=pod
-=head1 NAME
-HMAC, HMAC_Init, HMAC_Update, HMAC_Final, HMAC_cleanup - HMAC message
-authentication code
-=head1 SYNOPSIS
- #include <openssl/hmac.h>
- unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
-               int key_len, const unsigned char *d, int n,
-               unsigned char *md, unsigned int *md_len);
- void HMAC_CTX_init(HMAC_CTX *ctx);
- int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
-               const EVP_MD *md);
- int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
-                   const EVP_MD *md, ENGINE *impl);
- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
- int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
- void HMAC_CTX_cleanup(HMAC_CTX *ctx);
- void HMAC_cleanup(HMAC_CTX *ctx);
-=head1 DESCRIPTION
-HMAC is a MAC (message authentication code), i.e. a keyed hash
-function used for message authentication, which is based on a hash
-function.
-HMAC() computes the message authentication code of the B<n> bytes at
-B<d> using the hash function B<evp_md> and the key B<key> which is
-B<key_len> bytes long.
-It places the result in B<md> (which must have space for the output of
-the hash function, which is no more than B<EVP_MAX_MD_SIZE> bytes).
-If B<md> is NULL, the digest is placed in a static array.  The size of
-the output is placed in B<md_len>, unless it is B<NULL>.
-B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
-HMAC_CTX_init() initialises a B<HMAC_CTX> before first use. It must be
-called.
-HMAC_CTX_cleanup() erases the key and other data from the B<HMAC_CTX>
-and releases any associated resources. It must be called when an
-B<HMAC_CTX> is no longer required.
-HMAC_cleanup() is an alias for HMAC_CTX_cleanup() included for back
-compatibility with 0.9.6b, it is deprecated.
-The following functions may be used if the message is not completely
-stored in memory:
-HMAC_Init() initializes a B<HMAC_CTX> structure to use the hash
-function B<evp_md> and the key B<key> which is B<key_len> bytes
-long. It is deprecated and only included for backward compatibility
-with OpenSSL 0.9.6b.
-HMAC_Init_ex() initializes or reuses a B<HMAC_CTX> structure to use
-the function B<evp_md> and key B<key>. Either can be NULL, in which
-case the existing one will be reused. HMAC_CTX_init() must have been
-called before the first use of an B<HMAC_CTX> in this
-function. B<N.B. HMAC_Init() had this undocumented behaviour in
-previous versions of OpenSSL - failure to switch to HMAC_Init_ex() in
-programs that expect it will cause them to stop working>.
-HMAC_Update() can be called repeatedly with chunks of the message to
-be authenticated (B<len> bytes at B<data>).
-HMAC_Final() places the message authentication code in B<md>, which
-must have space for the hash function output.
-=head1 RETURN VALUES
-HMAC() returns a pointer to the message authentication code or NULL if
-an error occurred.
-HMAC_Init_ex(), HMAC_Update() and HMAC_Final() return 1 for success or 0 if
-an error occurred.
-HMAC_CTX_init() and HMAC_CTX_cleanup() do not return values.
-=head1 CONFORMING TO
-RFC 2104
-=head1 SEE ALSO
-L<sha(3)|sha(3)>, L<evp(3)|evp(3)>
-=head1 HISTORY
-HMAC(), HMAC_Init(), HMAC_Update(), HMAC_Final() and HMAC_cleanup()
-are available since SSLeay 0.9.0.
-HMAC_CTX_init(), HMAC_Init_ex() and HMAC_CTX_cleanup() are available
-since OpenSSL 0.9.7.
-HMAC_Init_ex(), HMAC_Update() and HMAC_Final() did not return values in
-versions of OpenSSL before 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/MD5.pod b/src/lib/libcrypto/doc/MD5.pod
deleted file mode 100644
index b0edd5416f..0000000000
--- a/src/lib/libcrypto/doc/MD5.pod
+++ /dev/null
@@ -1,101 +0,0 @@
-=pod
-=head1 NAME
-MD2, MD4, MD5, MD2_Init, MD2_Update, MD2_Final, MD4_Init, MD4_Update,
-MD4_Final, MD5_Init, MD5_Update, MD5_Final - MD2, MD4, and MD5 hash functions
-=head1 SYNOPSIS
- #include <openssl/md2.h>
- unsigned char *MD2(const unsigned char *d, unsigned long n,
-                  unsigned char *md);
- int MD2_Init(MD2_CTX *c);
- int MD2_Update(MD2_CTX *c, const unsigned char *data,
-                  unsigned long len);
- int MD2_Final(unsigned char *md, MD2_CTX *c);
- #include <openssl/md4.h>
- unsigned char *MD4(const unsigned char *d, unsigned long n,
-                  unsigned char *md);
- int MD4_Init(MD4_CTX *c);
- int MD4_Update(MD4_CTX *c, const void *data,
-                  unsigned long len);
- int MD4_Final(unsigned char *md, MD4_CTX *c);
- #include <openssl/md5.h>
- unsigned char *MD5(const unsigned char *d, unsigned long n,
-                  unsigned char *md);
- int MD5_Init(MD5_CTX *c);
- int MD5_Update(MD5_CTX *c, const void *data,
-                  unsigned long len);
- int MD5_Final(unsigned char *md, MD5_CTX *c);
-=head1 DESCRIPTION
-MD2, MD4, and MD5 are cryptographic hash functions with a 128 bit output.
-MD2(), MD4(), and MD5() compute the MD2, MD4, and MD5 message digest
-of the B<n> bytes at B<d> and place it in B<md> (which must have space
-for MD2_DIGEST_LENGTH == MD4_DIGEST_LENGTH == MD5_DIGEST_LENGTH == 16
-bytes of output). If B<md> is NULL, the digest is placed in a static
-array.
-The following functions may be used if the message is not completely
-stored in memory:
-MD2_Init() initializes a B<MD2_CTX> structure.
-MD2_Update() can be called repeatedly with chunks of the message to
-be hashed (B<len> bytes at B<data>).
-MD2_Final() places the message digest in B<md>, which must have space
-for MD2_DIGEST_LENGTH == 16 bytes of output, and erases the B<MD2_CTX>.
-MD4_Init(), MD4_Update(), MD4_Final(), MD5_Init(), MD5_Update(), and
-MD5_Final() are analogous using an B<MD4_CTX> and B<MD5_CTX> structure.
-Applications should use the higher level functions
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>
-etc. instead of calling the hash functions directly.
-=head1 NOTE
-MD2, MD4, and MD5 are recommended only for compatibility with existing
-applications. In new applications, SHA-1 or RIPEMD-160 should be
-preferred.
-=head1 RETURN VALUES
-MD2(), MD4(), and MD5() return pointers to the hash value.
-MD2_Init(), MD2_Update(), MD2_Final(), MD4_Init(), MD4_Update(),
-MD4_Final(), MD5_Init(), MD5_Update(), and MD5_Final() return 1 for
-success, 0 otherwise.
-=head1 CONFORMING TO
-RFC 1319, RFC 1320, RFC 1321
-=head1 SEE ALSO
-L<sha(3)|sha(3)>, L<ripemd(3)|ripemd(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
-=head1 HISTORY
-MD2(), MD2_Init(), MD2_Update() MD2_Final(), MD5(), MD5_Init(),
-MD5_Update() and MD5_Final() are available in all versions of SSLeay
-and OpenSSL.
-MD4(), MD4_Init(), and MD4_Update() are available in OpenSSL 0.9.6 and
-above.
-=cut
diff --git a/src/lib/libcrypto/doc/OBJ_nid2obj.pod b/src/lib/libcrypto/doc/OBJ_nid2obj.pod
deleted file mode 100644
index 95949ac091..0000000000
--- a/src/lib/libcrypto/doc/OBJ_nid2obj.pod
+++ /dev/null
@@ -1,147 +0,0 @@
-=pod
-=head1 NAME
-OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid,
-OBJ_sn2nid, OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup
- ASN1 object utility functions
-=head1 SYNOPSIS
- #include <openssl/objects.h>
- ASN1_OBJECT * OBJ_nid2obj(int n);
- const char *  OBJ_nid2ln(int n);
- const char *  OBJ_nid2sn(int n);
- int OBJ_obj2nid(const ASN1_OBJECT *o);
- int OBJ_ln2nid(const char *ln);
- int OBJ_sn2nid(const char *sn);
- int OBJ_txt2nid(const char *s);
- ASN1_OBJECT * OBJ_txt2obj(const char *s, int no_name);
- int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
- int OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b);
- ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *o);
- int OBJ_create(const char *oid,const char *sn,const char *ln);
- void OBJ_cleanup(void);
-=head1 DESCRIPTION
-The ASN1 object utility functions process ASN1_OBJECT structures which are
-a representation of the ASN1 OBJECT IDENTIFIER (OID) type.
-OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B<n> to
-an ASN1_OBJECT structure, its long name and its short name respectively,
-or B<NULL> is an error occurred.
-OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID
-for the object B<o>, the long name <ln> or the short name <sn> respectively
-or NID_undef if an error occurred.
-OBJ_txt2nid() returns NID corresponding to text string <s>. B<s> can be
-a long name, a short name or the numerical representation of an object.
-OBJ_txt2obj() converts the text string B<s> into an ASN1_OBJECT structure.
-If B<no_name> is 0 then long names and short names will be interpreted
-as well as numerical forms. If B<no_name> is 1 only the numerical form
-is acceptable.
-OBJ_obj2txt() converts the B<ASN1_OBJECT> B<a> into a textual representation.
-The representation is written as a null terminated string to B<buf>
-at most B<buf_len> bytes are written, truncating the result if necessary.
-The total amount of space required is returned. If B<no_name> is 0 then
-if the object has a long or short name then that will be used, otherwise
-the numerical form will be used. If B<no_name> is 1 then the numerical
-form will always be used.
-OBJ_cmp() compares B<a> to B<b>. If the two are identical 0 is returned.
-OBJ_dup() returns a copy of B<o>.
-OBJ_create() adds a new object to the internal table. B<oid> is the
-numerical form of the object, B<sn> the short name and B<ln> the
-long name. A new NID is returned for the created object.
-OBJ_cleanup() cleans up OpenSSLs internal object table: this should
-be called before an application exits if any new objects were added
-using OBJ_create().
-=head1 NOTES
-Objects in OpenSSL can have a short name, a long name and a numerical
-identifier (NID) associated with them. A standard set of objects is
-represented in an internal table. The appropriate values are defined
-in the header file B<objects.h>.
-For example the OID for commonName has the following definitions:
- #define SN_commonName                   "CN"
- #define LN_commonName                   "commonName"
- #define NID_commonName                  13
-New objects can be added by calling OBJ_create().
-Table objects have certain advantages over other objects: for example
-their NIDs can be used in a C language switch statement. They are
-also static constant structures which are shared: that is there
-is only a single constant structure for each table object.
-Objects which are not in the table have the NID value NID_undef.
-Objects do not need to be in the internal tables to be processed,
-the functions OBJ_txt2obj() and OBJ_obj2txt() can process the numerical
-form of an OID.
-=head1 EXAMPLES
-Create an object for B<commonName>:
- ASN1_OBJECT *o;
- o = OBJ_nid2obj(NID_commonName);
-Check if an object is B<commonName>
- if (OBJ_obj2nid(obj) == NID_commonName)
-        /* Do something */
-Create a new NID and initialize an object from it:
- int new_nid;
- ASN1_OBJECT *obj;
- new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier");
- obj = OBJ_nid2obj(new_nid);
-Create a new object directly:
- obj = OBJ_txt2obj("1.2.3.4", 1);
-=head1 BUGS
-OBJ_obj2txt() is awkward and messy to use: it doesn't follow the
-convention of other OpenSSL functions where the buffer can be set
-to B<NULL> to determine the amount of data that should be written.
-Instead B<buf> must point to a valid buffer and B<buf_len> should
-be set to a positive value. A buffer length of 80 should be more
-than enough to handle any OID encountered in practice.
-=head1 RETURN VALUES
-OBJ_nid2obj() returns an B<ASN1_OBJECT> structure or B<NULL> is an
-error occurred.
-OBJ_nid2ln() and OBJ_nid2sn() returns a valid string or B<NULL>
-on error.
-OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return
-a NID or B<NID_undef> on error.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod b/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
deleted file mode 100644
index 2f63a18a71..0000000000
--- a/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
+++ /dev/null
@@ -1,101 +0,0 @@
-=pod
-=head1 NAME
-OPENSSL_VERSION_NUMBER, SSLeay, SSLeay_version - get OpenSSL version number
-=head1 SYNOPSIS
- #include <openssl/opensslv.h>
- #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
- #include <openssl/crypto.h>
- long SSLeay(void);
- const char *SSLeay_version(int t);
-=head1 DESCRIPTION
-OPENSSL_VERSION_NUMBER is a numeric release version identifier:
- MMNNFFPPS: major minor fix patch status
-The status nibble has one of the values 0 for development, 1 to e for betas
-1 to 14, and f for release.
-for example
- 0x000906000 == 0.9.6 dev
- 0x000906023 == 0.9.6b beta 3
- 0x00090605f == 0.9.6e release
-Versions prior to 0.9.3 have identifiers E<lt> 0x0930.
-Versions between 0.9.3 and 0.9.5 had a version identifier with this
-interpretation:
- MMNNFFRBB major minor fix final beta/patch
-for example
- 0x000904100 == 0.9.4 release
- 0x000905000 == 0.9.5 dev
-Version 0.9.5a had an interim interpretation that is like the current one,
-except the patch level got the highest bit set, to keep continuity.  The
-number was therefore 0x0090581f.
-For backward compatibility, SSLEAY_VERSION_NUMBER is also defined.
-SSLeay() returns this number. The return value can be compared to the
-macro to make sure that the correct version of the library has been
-loaded, especially when using DLLs on Windows systems.
-SSLeay_version() returns different strings depending on B<t>:
-=over 4
-=item SSLEAY_VERSION
-The text variant of the version number and the release date.  For example,
-"OpenSSL 0.9.5a 1 Apr 2000".
-=item SSLEAY_CFLAGS
-The compiler flags set for the compilation process in the form
-"compiler: ..."  if available or "compiler: information not available"
-otherwise.
-=item SSLEAY_BUILT_ON
-The date of the build process in the form "built on: ..." if available
-or "built on: date not available" otherwise.
-=item SSLEAY_PLATFORM
-The "Configure" target of the library build in the form "platform: ..."
-if available or "platform: information not available" otherwise.
-=item SSLEAY_DIR
-The "OPENSSLDIR" setting of the library build in the form "OPENSSLDIR: "...""
-if available or "OPENSSLDIR: N/A" otherwise.
-=back
-For an unknown B<t>, the text "not available" is returned.
-=head1 RETURN VALUE
-The version number.
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>
-=head1 HISTORY
-SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and
-OpenSSL.  OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
-B<SSLEAY_DIR> was added in OpenSSL 0.9.7.
-=cut
diff --git a/src/lib/libcrypto/doc/OPENSSL_config.pod b/src/lib/libcrypto/doc/OPENSSL_config.pod
deleted file mode 100644
index 897d2cce59..0000000000
--- a/src/lib/libcrypto/doc/OPENSSL_config.pod
+++ /dev/null
@@ -1,82 +0,0 @@
-=pod
-=head1 NAME
-OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions
-=head1 SYNOPSIS
- #include <openssl/conf.h>
- void OPENSSL_config(const char *config_name);
- void OPENSSL_no_config(void);
-=head1 DESCRIPTION
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf>
-configuration file name using B<config_name>. If B<config_name> is NULL then
-the default name B<openssl_conf> will be used. Any errors are ignored. Further
-calls to OPENSSL_config() will have no effect. The configuration file format
-is documented in the L<conf(5)|conf(5)> manual page.
-OPENSSL_no_config() disables configuration. If called before OPENSSL_config()
-no configuration takes place.
-=head1 NOTES
-It is B<strongly> recommended that B<all> new applications call OPENSSL_config()
-or the more sophisticated functions such as CONF_modules_load() during
-initialization (that is before starting any threads). By doing this
-an application does not need to keep track of all configuration options
-and some new functionality can be supported automatically.
-It is also possible to automatically call OPENSSL_config() when an application
-calls OPENSSL_add_all_algorithms() by compiling an application with the
-preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration
-can be added without source changes.
-The environment variable B<OPENSSL_CONF> can be set to specify the location
-of the configuration file.
-Currently ASN1 OBJECTs and ENGINE configuration can be performed future
-versions of OpenSSL will add new configuration options.
-There are several reasons why calling the OpenSSL configuration routines is
-advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7.
-In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be
-used (among other things) to load dynamic ENGINEs from shared libraries (DSOs).
-However very few applications currently support the control interface and so
-very few can load and use dynamic ENGINEs. Equally in future more sophisticated
-ENGINEs will require certain control operations to customize them. If an
-application calls OPENSSL_config() it doesn't need to know or care about
-ENGINE control operations because they can be performed by editing a
-configuration file.
-Applications should free up configuration at application closedown by calling
-CONF_modules_free().
-=head1 RESTRICTIONS
-The OPENSSL_config() function is designed to be a very simple "call it and
-forget it" function. As a result its behaviour is somewhat limited. It ignores
-all errors silently and it can only load from the standard configuration file
-location for example.
-It is however B<much> better than nothing. Applications which need finer
-control over their configuration functionality should use the configuration
-functions such as CONF_load_modules() directly.
-=head1 RETURN VALUES
-Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
-=head1 SEE ALSO
-L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
-L<CONF_modules_free(3)|CONF_modules_free(3)>
-=head1 HISTORY
-OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7
-=cut
diff --git a/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod b/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod
deleted file mode 100644
index 828fec651d..0000000000
--- a/src/lib/libcrypto/doc/OPENSSL_load_builtin_modules.pod
+++ /dev/null
@@ -1,51 +0,0 @@
-=pod
-=head1 NAME
-OPENSSL_load_builtin_modules, ASN1_add_oid_module, ENGINE_add_conf_module - add standard configuration modules
-=head1 SYNOPSIS
- #include <openssl/conf.h>
- void OPENSSL_load_builtin_modules(void);
- void ASN1_add_oid_module(void);
- ENGINE_add_conf_module();
-=head1 DESCRIPTION
-The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL
-configuration modules to the internal list. They can then be used by the
-OpenSSL configuration code.
-ASN1_add_oid_module() adds just the ASN1 OBJECT module.
-ENGINE_add_conf_module() adds just the ENGINE configuration module.
-=head1 NOTES
-If the simple configuration function OPENSSL_config() is called then
-OPENSSL_load_builtin_modules() is called automatically.
-Applications which use the configuration functions directly will need to
-call OPENSSL_load_builtin_modules() themselves I<before> any other
-configuration code.
-Applications should call OPENSSL_load_builtin_modules() to load all
-configuration modules instead of adding modules selectively: otherwise
-functionality may be missing from the application if an when new
-modules are added.
-=head1 RETURN VALUE
-None of the functions return a value.
-=head1 SEE ALSO
-L<conf(3)|conf(3)>, L<OPENSSL_config(3)|OPENSSL_config(3)>
-=head1 HISTORY
-These functions first appeared in OpenSSL 0.9.7.
-=cut
diff --git a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
deleted file mode 100644
index 1bba4d0212..0000000000
--- a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-=head1 NAME
-OpenSSL_add_all_algorithms, OpenSSL_add_all_ciphers, OpenSSL_add_all_digests, EVP_cleanup -
-add algorithms to internal table
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- void OpenSSL_add_all_algorithms(void);
- void OpenSSL_add_all_ciphers(void);
- void OpenSSL_add_all_digests(void);
- void EVP_cleanup(void);
-=head1 DESCRIPTION
-OpenSSL keeps an internal table of digest algorithms and ciphers. It uses
-this table to lookup ciphers via functions such as EVP_get_cipher_byname().
-OpenSSL_add_all_digests() adds all digest algorithms to the table.
-OpenSSL_add_all_algorithms() adds all algorithms to the table (digests and
-ciphers).
-OpenSSL_add_all_ciphers() adds all encryption algorithms to the table including
-password based encryption algorithms.
-EVP_cleanup() removes all ciphers and digests from the table.
-=head1 RETURN VALUES
-None of the functions return a value.
-=head1 NOTES
-A typical application will call OpenSSL_add_all_algorithms() initially and
-EVP_cleanup() before exiting.
-An application does not need to add algorithms to use them explicitly, for
-example by EVP_sha1(). It just needs to add them if it (or any of the functions
-it calls) needs to lookup algorithms.
-The cipher and digest lookup functions are used in many parts of the library.
-If the table is not initialized several functions will misbehave and complain
-they cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME
-libraries.  This is a common query in the OpenSSL mailing lists.
-Calling OpenSSL_add_all_algorithms() links in all algorithms: as a result a
-statically linked executable can be quite large. If this is important it is
-possible to just add the required ciphers and digests.
-=head1 BUGS
-Although the functions do not return error codes it is possible for them to
-fail.  This will only happen as a result of a memory allocation failure so this
-is not too much of a problem in practice.
-=head1 SEE ALSO
-L<evp(3)|evp(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/PEM_read_bio_PrivateKey.pod b/src/lib/libcrypto/doc/PEM_read_bio_PrivateKey.pod
deleted file mode 100644
index 6d87079a84..0000000000
--- a/src/lib/libcrypto/doc/PEM_read_bio_PrivateKey.pod
+++ /dev/null
@@ -1,498 +0,0 @@
-=pod
-=head1 NAME
-PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey,
-PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey,
-PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid,
-PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY,
-PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey,
-PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey,
-PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey,
-PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY,
-PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey,
-PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey,
-PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY,
-PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams,
-PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams,
-PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams,
-PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509,
-PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX,
-PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ,
-PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW,
-PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL,
-PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7,
-PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE,
-PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE,
-PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines
-=head1 SYNOPSIS
- #include <openssl/pem.h>
- EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
-                                        pem_password_cb *cb, void *u);
- EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                        unsigned char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                        unsigned char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                        char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                        char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
-                                        char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
-                                        char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x,
-                                        pem_password_cb *cb, void *u);
- EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x);
- int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
- RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x,
-                                        pem_password_cb *cb, void *u);
- RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
-                                        unsigned char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
-                                        unsigned char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x,
-                                        pem_password_cb *cb, void *u);
- RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x);
- int PEM_write_RSAPublicKey(FILE *fp, RSA *x);
- RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x,
-                                        pem_password_cb *cb, void *u);
- RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x);
- int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x);
- DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x,
-                                        pem_password_cb *cb, void *u);
- DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
-                                        unsigned char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
-                                        unsigned char *kstr, int klen,
-                                        pem_password_cb *cb, void *u);
- DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x,
-                                        pem_password_cb *cb, void *u);
- DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x);
- int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x);
- DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
- DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u);
- int PEM_write_bio_DSAparams(BIO *bp, DSA *x);
- int PEM_write_DSAparams(FILE *fp, DSA *x);
- DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
- DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u);
- int PEM_write_bio_DHparams(BIO *bp, DH *x);
- int PEM_write_DHparams(FILE *fp, DH *x);
- X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
- X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
- int PEM_write_bio_X509(BIO *bp, X509 *x);
- int PEM_write_X509(FILE *fp, X509 *x);
- X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
- X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
- int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
- int PEM_write_X509_AUX(FILE *fp, X509 *x);
- X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
-                                        pem_password_cb *cb, void *u);
- X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
- int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
- int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
- int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
- X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
-                                        pem_password_cb *cb, void *u);
- X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
-                                        pem_password_cb *cb, void *u);
- int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
- int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
- PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
- PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
- int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
- int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
- NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp,
-                                                NETSCAPE_CERT_SEQUENCE **x,
-                                                pem_password_cb *cb, void *u);
- NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp,
-                                                NETSCAPE_CERT_SEQUENCE **x,
-                                                pem_password_cb *cb, void *u);
- int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x);
- int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x);
-=head1 DESCRIPTION
-The PEM functions read or write structures in PEM format. In
-this sense PEM format is simply base64 encoded data surrounded
-by header lines.
-For more details about the meaning of arguments see the
-B<PEM FUNCTION ARGUMENTS> section.
-Each operation has four functions associated with it. For
-clarity the term "B<foobar> functions" will be used to collectively
-refer to the PEM_read_bio_foobar(), PEM_read_foobar(),
-PEM_write_bio_foobar() and PEM_write_foobar() functions.
-The B<PrivateKey> functions read or write a private key in
-PEM format using an EVP_PKEY structure. The write routines use
-"traditional" private key format and can handle both RSA and DSA
-private keys. The read functions can additionally transparently
-handle PKCS#8 format encrypted and unencrypted keys too.
-PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey()
-write a private key in an EVP_PKEY structure in PKCS#8
-EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
-algorithms. The B<cipher> argument specifies the encryption algorithm to
-use: unlike all other PEM routines the encryption is applied at the
-PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no
-encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
-PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid()
-also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however
-it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm
-to use is specified in the B<nid> parameter and should be the NID of the
-corresponding OBJECT IDENTIFIER (see NOTES section).
-The B<PUBKEY> functions process a public key using an EVP_PKEY
-structure. The public key is encoded as a SubjectPublicKeyInfo
-structure.
-The B<RSAPrivateKey> functions process an RSA private key using an
-RSA structure. It handles the same formats as the B<PrivateKey>
-functions but an error occurs if the private key is not RSA.
-The B<RSAPublicKey> functions process an RSA public key using an
-RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey
-structure.
-The B<RSA_PUBKEY> functions also process an RSA public key using
-an RSA structure. However the public key is encoded using a
-SubjectPublicKeyInfo structure and an error occurs if the public
-key is not RSA.
-The B<DSAPrivateKey> functions process a DSA private key using a
-DSA structure. It handles the same formats as the B<PrivateKey>
-functions but an error occurs if the private key is not DSA.
-The B<DSA_PUBKEY> functions process a DSA public key using
-a DSA structure. The public key is encoded using a
-SubjectPublicKeyInfo structure and an error occurs if the public
-key is not DSA.
-The B<DSAparams> functions process DSA parameters using a DSA
-structure. The parameters are encoded using a foobar structure.
-The B<DHparams> functions process DH parameters using a DH
-structure. The parameters are encoded using a PKCS#3 DHparameter
-structure.
-The B<X509> functions process an X509 certificate using an X509
-structure. They will also process a trusted X509 certificate but
-any trust settings are discarded.
-The B<X509_AUX> functions process a trusted X509 certificate using
-an X509 structure.
-The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10
-certificate request using an X509_REQ structure. The B<X509_REQ>
-write functions use B<CERTIFICATE REQUEST> in the header whereas
-the B<X509_REQ_NEW> functions use B<NEW CERTIFICATE REQUEST>
-(as required by some CAs). The B<X509_REQ> read functions will
-handle either form so there are no B<X509_REQ_NEW> read functions.
-The B<X509_CRL> functions process an X509 CRL using an X509_CRL
-structure.
-The B<PKCS7> functions process a PKCS#7 ContentInfo using a PKCS7
-structure.
-The B<NETSCAPE_CERT_SEQUENCE> functions process a Netscape Certificate
-Sequence using a NETSCAPE_CERT_SEQUENCE structure.
-=head1 PEM FUNCTION ARGUMENTS
-The PEM functions have many common arguments.
-The B<bp> BIO parameter (if present) specifies the BIO to read from
-or write to.
-The B<fp> FILE parameter (if present) specifies the FILE pointer to
-read from or write to.
-The PEM read functions all take an argument B<TYPE **x> and return
-a B<TYPE *> pointer. Where B<TYPE> is whatever structure the function
-uses. If B<x> is NULL then the parameter is ignored. If B<x> is not
-NULL but B<*x> is NULL then the structure returned will be written
-to B<*x>. If neither B<x> nor B<*x> is NULL then an attempt is made
-to reuse the structure at B<*x> (but see BUGS and EXAMPLES sections).
-Irrespective of the value of B<x> a pointer to the structure is always
-returned (or NULL if an error occurred).
-The PEM functions which write private keys take an B<enc> parameter
-which specifies the encryption algorithm to use, encryption is done
-at the PEM level. If this parameter is set to NULL then the private
-key is written in unencrypted form.
-The B<cb> argument is the callback to use when querying for the pass
-phrase used for encrypted PEM structures (normally only private keys).
-For the PEM write routines if the B<kstr> parameter is not NULL then
-B<klen> bytes at B<kstr> are used as the passphrase and B<cb> is
-ignored.
-If the B<cb> parameters is set to NULL and the B<u> parameter is not
-NULL then the B<u> parameter is interpreted as a null terminated string
-to use as the passphrase. If both B<cb> and B<u> are NULL then the
-default callback routine is used which will typically prompt for the
-passphrase on the current terminal with echoing turned off.
-The default passphrase callback is sometimes inappropriate (for example
-in a GUI application) so an alternative can be supplied. The callback
-routine has the following form:
- int cb(char *buf, int size, int rwflag, void *u);
-B<buf> is the buffer to write the passphrase to. B<size> is the maximum
-length of the passphrase (i.e. the size of buf). B<rwflag> is a flag
-which is set to 0 when reading and 1 when writing. A typical routine
-will ask the user to verify the passphrase (for example by prompting
-for it twice) if B<rwflag> is 1. The B<u> parameter has the same
-value as the B<u> parameter passed to the PEM routine. It allows
-arbitrary data to be passed to the callback by the application
-(for example a window handle in a GUI application). The callback
-B<must> return the number of characters in the passphrase or 0 if
-an error occurred.
-=head1 EXAMPLES
-Although the PEM routines take several arguments in almost all applications
-most of them are set to 0 or NULL.
-Read a certificate in PEM format from a BIO:
- X509 *x;
- x = PEM_read_bio_X509(bp, NULL, 0, NULL);
- if (x == NULL) {
-        /* Error */
- }
-Alternative method:
- X509 *x = NULL;
- if (!PEM_read_bio_X509(bp, &x, 0, NULL)) {
-        /* Error */
- }
-Write a certificate to a BIO:
- if (!PEM_write_bio_X509(bp, x)) {
-        /* Error */
- }
-Write an unencrypted private key to a FILE pointer:
- if (!PEM_write_PrivateKey(fp, key, NULL, NULL, 0, 0, NULL)) {
-        /* Error */
- }
-Write a private key (using traditional format) to a BIO using
-triple DES encryption, the pass phrase is prompted for:
- if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(),
-     NULL, 0, 0, NULL)) {
-        /* Error */
- }
-Write a private key (using PKCS#8 format) to a BIO using triple
-DES encryption, using the pass phrase "hello":
- if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(),
-     NULL, 0, 0, "hello")) {
-        /* Error */
- }
-Read a private key from a BIO using the pass phrase "hello":
- key = PEM_read_bio_PrivateKey(bp, NULL, 0, "hello");
- if (key == NULL) {
-        /* Error */
- }
-Read a private key from a BIO using a pass phrase callback:
- key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
- if (key == NULL) {
-        /* Error */
- }
-Skeleton pass phrase callback:
- int
- pass_cb(char *buf, int size, int rwflag, void *u)
- {
-        int len;
-        char *tmp;
-        /* We'd probably do something else if 'rwflag' is 1 */
-        printf("Enter pass phrase for \"%s\"\n", u);
-        /* get pass phrase, length 'len' into 'tmp' */
-        tmp = "hello";
-        len = strlen(tmp);
-        if (len == 0)
-                return 0;
-        /* if too long, truncate */
-        if (len > size)
-                len = size;
-        memcpy(buf, tmp, len);
-        return len;
- }
-=head1 NOTES
-The old B<PrivateKey> write routines are retained for compatibility.
-New applications should write private keys using the
-PEM_write_bio_PKCS8PrivateKey() or PEM_write_PKCS8PrivateKey() routines
-because they are more secure (they use an iteration count of 2048 whereas
-the traditional routines use a count of 1) unless compatibility with older
-versions of OpenSSL is important.
-The B<PrivateKey> read routines can be used in all applications because
-they handle all formats transparently.
-A frequent cause of problems is attempting to use the PEM routines like
-this:
- X509 *x;
- PEM_read_bio_X509(bp, &x, 0, NULL);
-this is a bug because an attempt will be made to reuse the data at B<x>
-which is an uninitialised pointer.
-=head1 PEM ENCRYPTION FORMAT
-This old B<PrivateKey> routines use a non standard technique for encryption.
-The private key (or other data) takes the following form:
- -----BEGIN RSA PRIVATE KEY-----
- Proc-Type: 4,ENCRYPTED
- DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89
- ...base64 encoded data...
- -----END RSA PRIVATE KEY-----
-The line beginning DEK-Info contains two comma separated pieces of information:
-the encryption algorithm name as used by EVP_get_cipherbyname() and an 8
-byte B<salt> encoded as a set of hexadecimal digits.
-After this is the base64 encoded encrypted data.
-The encryption key is determined using EVP_bytestokey(), using B<salt> and an
-iteration count of 1. The IV used is the value of B<salt> and *not* the IV
-returned by EVP_bytestokey().
-=head1 BUGS
-The PEM read routines in some versions of OpenSSL will not correctly reuse
-an existing structure. Therefore the following:
- PEM_read_bio_X509(bp, &x, 0, NULL);
-where B<x> already contains a valid certificate, may not work, whereas:
- X509_free(x);
- x = PEM_read_bio_X509(bp, NULL, 0, NULL);
-is guaranteed to work.
-=head1 RETURN CODES
-The read routines return either a pointer to the structure read or NULL
-if an error occurred.
-The write routines return 1 for success or 0 for failure.
-=cut
diff --git a/src/lib/libcrypto/doc/PEM_write_bio_CMS_stream.pod b/src/lib/libcrypto/doc/PEM_write_bio_CMS_stream.pod
deleted file mode 100644
index f9946adebf..0000000000
--- a/src/lib/libcrypto/doc/PEM_write_bio_CMS_stream.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-=head1 NAME
-PEM_write_bio_CMS_stream - output CMS_ContentInfo structure in PEM format.
-=head1 SYNOPSIS
- #include <openssl/cms.h>
- #include <openssl/pem.h>
- int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
-=head1 DESCRIPTION
-PEM_write_bio_CMS_stream() outputs a CMS_ContentInfo structure in PEM format.
-It is otherwise identical to the function SMIME_write_CMS().
-=head1 NOTES
-This function is effectively a version of the PEM_write_bio_CMS() supporting
-streaming.
-=head1 RETURN VALUES
-PEM_write_bio_CMS_stream() returns 1 for success or 0 for failure.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>,
-L<SMIME_write_CMS(3)|SMIME_write_CMS(3)>,
-L<i2d_CMS_bio_stream(3)|i2d_CMS_bio_stream(3)>
-=head1 HISTORY
-PEM_write_bio_CMS_stream() was added to OpenSSL 1.0.0
-=cut
diff --git a/src/lib/libcrypto/doc/PEM_write_bio_PKCS7_stream.pod b/src/lib/libcrypto/doc/PEM_write_bio_PKCS7_stream.pod
deleted file mode 100644
index 16fc9b6845..0000000000
--- a/src/lib/libcrypto/doc/PEM_write_bio_PKCS7_stream.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-=head1 NAME
-PEM_write_bio_PKCS7_stream - output PKCS7 structure in PEM format.
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- #include <openssl/pem.h>
- int PEM_write_bio_PKCS7_stream(BIO *out, PKCS7 *p7, BIO *data, int flags);
-=head1 DESCRIPTION
-PEM_write_bio_PKCS7_stream() outputs a PKCS7 structure in PEM format.
-It is otherwise identical to the function SMIME_write_PKCS7().
-=head1 NOTES
-This function is effectively a version of the PEM_write_bio_PKCS7() supporting
-streaming.
-=head1 RETURN VALUES
-PEM_write_bio_PKCS7_stream() returns 1 for success or 0 for failure.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>,
-L<SMIME_write_PKCS7(3)|SMIME_write_PKCS7(3)>,
-L<i2d_PKCS7_bio_stream(3)|i2d_PKCS7_bio_stream(3)>
-=head1 HISTORY
-PEM_write_bio_PKCS7_stream() was added to OpenSSL 1.0.0
-=cut
diff --git a/src/lib/libcrypto/doc/PKCS12_create.pod b/src/lib/libcrypto/doc/PKCS12_create.pod
deleted file mode 100644
index 3b27c11a10..0000000000
--- a/src/lib/libcrypto/doc/PKCS12_create.pod
+++ /dev/null
@@ -1,73 +0,0 @@
-=pod
-=head1 NAME
-PKCS12_create - create a PKCS#12 structure
-=head1 SYNOPSIS
- #include <openssl/pkcs12.h>
- PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey,
-       X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert,
-       int iter, int mac_iter, int keytype);
-=head1 DESCRIPTION
-PKCS12_create() creates a PKCS#12 structure.
-B<pass> is the passphrase to use. B<name> is the B<friendlyName> to use for
-the supplied certificate and key. B<pkey> is the private key to include in
-the structure and B<cert> its corresponding certificates. B<ca> is an optional
-set of certificates to also include in the structure.
-Either B<pkey>, B<cert> or both can be B<NULL> to indicate that no key or
-certificate is required.
-B<nid_key> and B<nid_cert> are the encryption algorithms that should be used
-for the key and certificate respectively. If either B<nid_key> or B<nid_cert>
-is set to -1, no encryption will be used.
-B<iter> is the encryption algorithm iteration count to use and B<mac_iter> is
-the MAC iteration count to use. If B<mac_iter> is set to -1, the MAC will be
-omitted entirely.
-B<keytype> is the type of key.
-=head1 NOTES
-The parameters B<nid_key>, B<nid_cert>, B<iter>, B<mac_iter> and B<keytype>
-can all be set to zero and sensible defaults will be used.
-These defaults are: 40 bit RC2 encryption for certificates, triple DES
-encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER
-(currently 2048) and a MAC iteration count of 1.
-The default MAC iteration count is 1 in order to retain compatibility with
-old software which did not interpret MAC iteration counts. If such compatibility
-is not required then B<mac_iter> should be set to PKCS12_DEFAULT_ITER.
-B<keytype> adds a flag to the store private key. This is a non standard
-extension that is only currently interpreted by MSIE. If set to zero the flag
-is omitted, if set to B<KEY_SIG> the key can be used for signing only, if set
-to B<KEY_EX> it can be used for signing and encryption. This option was useful
-for old export grade software which could use signing only keys of arbitrary
-size but had restrictions on the permissible sizes of keys which could be used
-for encryption.
-If a certificate contains an B<alias> or B<keyid> then this will be
-used for the corresponding B<friendlyName> or B<localKeyID> in the
-PKCS12 structure.
-=head1 SEE ALSO
-L<d2i_PKCS12(3)|d2i_PKCS12(3)>
-=head1 HISTORY
-PKCS12_create was added in OpenSSL 0.9.3.
-Before OpenSSL 0.9.8, neither B<pkey> nor B<cert> were allowed to be B<NULL>,
-and a value of B<-1> was not allowed for B<nid_key>, B<nid_cert> and
-B<mac_iter>.
-=cut
diff --git a/src/lib/libcrypto/doc/PKCS12_parse.pod b/src/lib/libcrypto/doc/PKCS12_parse.pod
deleted file mode 100644
index c54cf2ad61..0000000000
--- a/src/lib/libcrypto/doc/PKCS12_parse.pod
+++ /dev/null
@@ -1,57 +0,0 @@
-=pod
-=head1 NAME
-PKCS12_parse - parse a PKCS#12 structure
-=head1 SYNOPSIS
- #include <openssl/pkcs12.h>
-int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);
-=head1 DESCRIPTION
-PKCS12_parse() parses a PKCS12 structure.
-B<p12> is the B<PKCS12> structure to parse. B<pass> is the passphrase to use.
-If successful the private key will be written to B<*pkey>, the corresponding
-certificate to B<*cert> and any additional certificates to B<*ca>.
-=head1 NOTES
-The parameters B<pkey> and B<cert> cannot be B<NULL>. B<ca> can be <NULL> in
-which case additional certificates will be discarded. B<*ca> can also be a
-valid STACK in which case additional certificates are appended to B<*ca>. If
-B<*ca> is B<NULL> a new STACK will be allocated.
-The B<friendlyName> and B<localKeyID> attributes (if present) on each
-certificate will be stored in the B<alias> and B<keyid> attributes of the
-B<X509> structure.
-=head1 RETURN VALUES
-PKCS12_parse() returns 1 for success and zero if an error occurred.
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
-=head1 BUGS
-Only a single private key and corresponding certificate is returned by this
-function. More complex PKCS#12 files with multiple private keys will only
-return the first match.
-Only B<friendlyName> and B<localKeyID> attributes are currently stored in
-certificates. Other attributes are discarded.
-Attributes currently cannot be stored in the private key B<EVP_PKEY> structure.
-=head1 SEE ALSO
-L<d2i_PKCS12(3)|d2i_PKCS12(3)>
-=head1 HISTORY
-PKCS12_parse was added in OpenSSL 0.9.3
-=cut
diff --git a/src/lib/libcrypto/doc/PKCS5_PBKDF2_HMAC.pod b/src/lib/libcrypto/doc/PKCS5_PBKDF2_HMAC.pod
deleted file mode 100644
index 0c164a0ed6..0000000000
--- a/src/lib/libcrypto/doc/PKCS5_PBKDF2_HMAC.pod
+++ /dev/null
@@ -1,64 +0,0 @@
-=pod
-=head1 NAME
-PKCS5_PBKDF2_HMAC, PKCS5_PBKDF2_HMAC_SHA1 - password based derivation routines with salt and iteration count
-=head1 SYNOPSIS
- #include <openssl/evp.h>
- int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
-                       const unsigned char *salt, int saltlen, int iter,
-                       const EVP_MD *digest,
-                       int keylen, unsigned char *out);
-int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
-                           const unsigned char *salt, int saltlen, int iter,
-                           int keylen, unsigned char *out);
-=head1 DESCRIPTION
-PKCS5_PBKDF2_HMAC() derives a key from a password using a salt and iteration count
-as specified in RFC 2898.
-B<pass> is the password used in the derivation of length B<passlen>. B<pass>
-is an optional parameter and can be NULL. If B<passlen> is -1, then the
-function will calculate the length of B<pass> using strlen().
-B<salt> is the salt used in the derivation of length B<saltlen>. If the
-B<salt> is NULL, then B<saltlen> must be 0. The function will not
-attempt to calculate the length of the B<salt> because it is not assumed to
-be NULL terminated.
-B<iter> is the iteration count and its value should be greater than or 
-equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any
-B<iter> less than 1 is treated as a single iteration.
-B<digest> is the message digest function used in the derivation. Values include
-any of the EVP_* message digests. PKCS5_PBKDF2_HMAC_SHA1() calls
-PKCS5_PBKDF2_HMAC() with EVP_sha1().
-The derived key will be written to B<out>. The size of the B<out> buffer
-is specified via B<keylen>.
-=head1 NOTES
-A typical application of this function is to derive keying material for an
-encryption algorithm from a password in the B<pass>, a salt in B<salt>,
-and an iteration count.
-Increasing the B<iter> parameter slows down the algorithm which makes it
-harder for an attacker to perform a brute force attack using a large number
-of candidate passwords.
-=head1 RETURN VALUES
-PKCS5_PBKDF2_HMAC() and PBKCS5_PBKDF2_HMAC_SHA1() return 1 on success or 0 on error.
-=head1 SEE ALSO
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_BytesToKey(3)|EVP_BytesToKey(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/PKCS7_decrypt.pod b/src/lib/libcrypto/doc/PKCS7_decrypt.pod
deleted file mode 100644
index 78919998ce..0000000000
--- a/src/lib/libcrypto/doc/PKCS7_decrypt.pod
+++ /dev/null
@@ -1,57 +0,0 @@
-=pod
-=head1 NAME
-PKCS7_decrypt - decrypt content from a PKCS#7 envelopedData structure
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
-=head1 DESCRIPTION
-PKCS7_decrypt() extracts and decrypts the content from a PKCS#7 envelopedData
-structure. B<pkey> is the private key of the recipient, B<cert> is the
-recipients certificate, B<data> is a BIO to write the content to and
-B<flags> is an optional set of flags.
-=head1 NOTES
-OpenSSL_add_all_algorithms() (or equivalent) should be called before using this
-function or errors about unknown algorithms will occur.
-Although the recipients certificate is not needed to decrypt the data it is
-needed to locate the appropriate (of possible several) recipients in the PKCS#7
-structure.
-The following flags can be passed in the B<flags> parameter.
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are deleted
-from the content. If the content is not of type B<text/plain> then an error is
-returned.
-=head1 RETURN VALUES
-PKCS7_decrypt() returns either 1 for success or 0 for failure.
-The error can be obtained from ERR_get_error(3)
-=head1 BUGS
-PKCS7_decrypt() must be passed the correct recipient key and certificate. It
-would be better if it could look up the correct key and certificate from a
-database.
-The lack of single pass processing and need to hold all data in memory as
-mentioned in PKCS7_sign() also applies to PKCS7_verify().
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-=head1 HISTORY
-PKCS7_decrypt() was added to OpenSSL 0.9.5
-=cut
diff --git a/src/lib/libcrypto/doc/PKCS7_encrypt.pod b/src/lib/libcrypto/doc/PKCS7_encrypt.pod
deleted file mode 100644
index 8bc77407b9..0000000000
--- a/src/lib/libcrypto/doc/PKCS7_encrypt.pod
+++ /dev/null
@@ -1,73 +0,0 @@
-=pod
-=head1 NAME
-PKCS7_encrypt - create a PKCS#7 envelopedData structure
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags);
-=head1 DESCRIPTION
-PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B<certs>
-is a list of recipient certificates. B<in> is the content to be encrypted.
-B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
-=head1 NOTES
-Only RSA keys are supported in PKCS#7 and envelopedData so the recipient
-certificates supplied to this function must all contain RSA public keys, though
-they do not have to be signed using the RSA algorithm.
-The algorithm passed in the B<cipher> parameter must support ASN1 encoding of
-its parameters.
-Many browsers implement a "sign and encrypt" option which is simply an S/MIME
-envelopedData containing an S/MIME signed message. This can be readily produced
-by storing the S/MIME signed message in a memory BIO and passing it to
-PKCS7_encrypt().
-The following flags can be passed in the B<flags> parameter.
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are
-prepended to the data.
-Normally the supplied content is translated into MIME canonical format (as
-required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation
-occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it. If B<PKCS7_BINARY> is set then
-B<PKCS7_TEXT> is ignored.
-If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output
-suitable for streaming I/O: no data is read from the BIO B<in>.
-=head1 NOTES
-If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not>
-complete and outputting its contents via a function that does not
-properly finalize the B<PKCS7> structure will give unpredictable
-results.
-Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(),
-PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming ASN1 B<BIO> directly using
-BIO_new_PKCS7().
-=head1 RETURN VALUES
-PKCS7_encrypt() returns either a PKCS7 structure or NULL if an error occurred.
-The error can be obtained from ERR_get_error(3).
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
-=head1 HISTORY
-PKCS7_decrypt() was added to OpenSSL 0.9.5
-The B<PKCS7_STREAM> flag was first supported in OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/PKCS7_sign.pod b/src/lib/libcrypto/doc/PKCS7_sign.pod
deleted file mode 100644
index 64a3036c0a..0000000000
--- a/src/lib/libcrypto/doc/PKCS7_sign.pod
+++ /dev/null
@@ -1,116 +0,0 @@
-=pod
-=head1 NAME
-PKCS7_sign - create a PKCS#7 signedData structure
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags);
-=head1 DESCRIPTION
-PKCS7_sign() creates and returns a PKCS#7 signedData structure. B<signcert> is
-the certificate to sign with, B<pkey> is the corresponding private key.
-B<certs> is an optional additional set of certificates to include in the PKCS#7
-structure (for example any intermediate CAs in the chain).
-The data to be signed is read from BIO B<data>.
-B<flags> is an optional set of flags.
-=head1 NOTES
-Any of the following flags (ored together) can be passed in the B<flags>
-parameter.
-Many S/MIME clients expect the signed content to include valid MIME headers. If
-the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended
-to the data.
-If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the
-PKCS7 structure, the signer's certificate must still be supplied in the
-B<signcert> parameter though. This can reduce the size of the signature if the
-signers certificate can be obtained by other means: for example a previously
-signed message.
-The data being signed is included in the PKCS7 structure, unless
-B<PKCS7_DETACHED> is set in which case it is omitted. This is used for PKCS7
-detached signatures which are used in S/MIME plaintext signed messages for
-example.
-Normally the supplied content is translated into MIME canonical format (as
-required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation
-occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it.
-The signedData structure includes several PKCS#7 authenticatedAttributes
-including the signing time, the PKCS#7 content type and the supported list of
-ciphers in an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no
-authenticatedAttributes will be used. If B<PKCS7_NOSMIMECAP> is set then just
-the SMIMECapabilities are omitted.
-If present the SMIMECapabilities attribute indicates support for the following
-algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of
-these algorithms is disabled then it will not be included.
-If the flags B<PKCS7_STREAM> is set then the returned B<PKCS7> structure is
-just initialized ready to perform the signing operation. The signing is however
-B<not> performed and the data to be signed is not read from the B<data>
-parameter. Signing is deferred until after the data has been written. In this
-way data can be signed in a single pass.
-If the B<PKCS7_PARTIAL> flag is set a partial B<PKCS7> structure is output to
-which additional signers and capabilities can be added before finalization.
-=head1 NOTES
-If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not>
-complete and outputting its contents via a function that does not properly
-finalize the B<PKCS7> structure will give unpredictable results.
-Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(),
-PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming ASN1 B<BIO> directly using
-BIO_new_PKCS7().
-If a signer is specified it will use the default digest for the signing
-algorithm. This is B<SHA1> for both RSA and DSA keys.
-In OpenSSL 1.0.0 the B<certs>, B<signcert> and B<pkey> parameters can all be
-B<NULL> if the B<PKCS7_PARTIAL> flag is set. One or more signers can be added
-using the function B<PKCS7_sign_add_signer()>. B<PKCS7_final()> must also be
-called to finalize the structure if streaming is not enabled. Alternative
-signing digests can also be specified using this method.
-In OpenSSL 1.0.0 if B<signcert> and B<pkey> are NULL then a certificates only
-PKCS#7 structure is output.
-In versions of OpenSSL before 1.0.0 the B<signcert> and B<pkey> parameters must
-B<NOT> be NULL.
-=head1 BUGS
-Some advanced attributes such as counter signatures are not supported.
-=head1 RETURN VALUES
-PKCS7_sign() returns either a valid PKCS7 structure or NULL if an error
-occurred.  The error can be obtained from ERR_get_error(3).
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)>
-=head1 HISTORY
-PKCS7_sign() was added to OpenSSL 0.9.5
-The B<PKCS7_PARTIAL> flag was added in OpenSSL 1.0.0
-The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0
-=cut
diff --git a/src/lib/libcrypto/doc/PKCS7_sign_add_signer.pod b/src/lib/libcrypto/doc/PKCS7_sign_add_signer.pod
deleted file mode 100644
index 280455d476..0000000000
--- a/src/lib/libcrypto/doc/PKCS7_sign_add_signer.pod
+++ /dev/null
@@ -1,87 +0,0 @@
-=pod
-=head1 NAME
-PKCS7_sign_add_signer - add a signer PKCS7 signed data structure.
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, int flags);
-=head1 DESCRIPTION
-PKCS7_sign_add_signer() adds a signer with certificate B<signcert> and private
-key B<pkey> using message digest B<md> to a PKCS7 signed data structure
-B<p7>.
-The PKCS7 structure should be obtained from an initial call to PKCS7_sign()
-with the flag B<PKCS7_PARTIAL> set or in the case or re-signing a valid PKCS7
-signed data structure.
-If the B<md> parameter is B<NULL> then the default digest for the public
-key algorithm will be used.
-Unless the B<PKCS7_REUSE_DIGEST> flag is set the returned PKCS7 structure
-is not complete and must be finalized either by streaming (if applicable) or
-a call to PKCS7_final().
-=head1 NOTES
-The main purpose of this function is to provide finer control over a PKCS#7
-signed data structure where the simpler PKCS7_sign() function defaults are
-not appropriate. For example if multiple signers or non default digest
-algorithms are needed.
-Any of the following flags (ored together) can be passed in the B<flags>
-parameter.
-If B<PKCS7_REUSE_DIGEST> is set then an attempt is made to copy the content
-digest value from the PKCS7 structure: to add a signer to an existing structure.
-An error occurs if a matching digest value cannot be found to copy. The
-returned PKCS7 structure will be valid and finalized when this flag is set.
-If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the
-B<PKCS7_SIGNER_INO> structure will not be finalized so additional attributes
-can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is
-needed to finalize it.
-If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the
-PKCS7 structure, the signer's certificate must still be supplied in the
-B<signcert> parameter though. This can reduce the size of the signature if the
-signers certificate can be obtained by other means: for example a previously
-signed message.
-The signedData structure includes several PKCS#7 authenticatedAttributes
-including the signing time, the PKCS#7 content type and the supported list of
-ciphers in an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no
-authenticatedAttributes will be used. If B<PKCS7_NOSMIMECAP> is set then just
-the SMIMECapabilities are omitted.
-If present the SMIMECapabilities attribute indicates support for the following
-algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of
-these algorithms is disabled then it will not be included.
-PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO
-structure just added, this can be used to set additional attributes
-before it is finalized.
-=head1 RETURN VALUES
-PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO
-structure just added or NULL if an error occurs.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_final(3)|PKCS7_final(3)>,
-=head1 HISTORY
-PPKCS7_sign_add_signer() was added to OpenSSL 1.0.0
-=cut
diff --git a/src/lib/libcrypto/doc/PKCS7_verify.pod b/src/lib/libcrypto/doc/PKCS7_verify.pod
deleted file mode 100644
index 059fbff8e9..0000000000
--- a/src/lib/libcrypto/doc/PKCS7_verify.pod
+++ /dev/null
@@ -1,118 +0,0 @@
-=pod
-=head1 NAME
-PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
- STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
-=head1 DESCRIPTION
-PKCS7_verify() verifies a PKCS#7 signedData structure. B<p7> is the PKCS7
-structure to verify. B<certs> is a set of certificates in which to search for
-the signer's certificate. B<store> is a trusted certificate store (used for
-chain verification). B<indata> is the signed data if the content is not
-present in B<p7> (that is it is detached). The content is written to B<out>
-if it is not NULL.
-B<flags> is an optional set of flags, which can be used to modify the verify
-operation.
-PKCS7_get0_signers() retrieves the signer's certificates from B<p7>, it does
-B<not> check their validity or whether any signatures are valid. The B<certs>
-and B<flags> parameters have the same meanings as in PKCS7_verify().
-=head1 VERIFY PROCESS
-Normally the verify process proceeds as follows.
-Initially some sanity checks are performed on B<p7>. The type of B<p7> must
-be signedData. There must be at least one signature on the data and if
-the content is detached B<indata> cannot be B<NULL>.
-An attempt is made to locate all the signer's certificates, first looking in
-the B<certs> parameter (if it is not B<NULL>) and then looking in any
-certificates contained in the B<p7> structure itself. If any signer's
-certificates cannot be located the operation fails.
-Each signer's certificate is chain verified using the B<smimesign> purpose and
-the supplied trusted certificate store. Any internal certificates in the message
-are used as untrusted CAs. If any chain verify fails an error code is returned.
-Finally the signed content is read (and written to B<out> is it is not NULL) and
-the signature's checked.
-If all signature's verify correctly then the function is successful.
-Any of the following flags (ored together) can be passed in the B<flags>
-parameter to change the default verify behaviour. Only the flag
-B<PKCS7_NOINTERN> is meaningful to PKCS7_get0_signers().
-If B<PKCS7_NOINTERN> is set the certificates in the message itself are not
-searched when locating the signer's certificate. This means that all the signers
-certificates must be in the B<certs> parameter.
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are deleted
-from the content. If the content is not of type B<text/plain> then an error is
-returned.
-If B<PKCS7_NOVERIFY> is set the signer's certificates are not chain verified.
-If B<PKCS7_NOCHAIN> is set then the certificates contained in the message are
-not used as untrusted CAs. This means that the whole verify chain (apart from
-the signer's certificate) must be contained in the trusted store.
-If B<PKCS7_NOSIGS> is set then the signatures on the data are not checked.
-=head1 NOTES
-One application of B<PKCS7_NOINTERN> is to only accept messages signed by
-a small number of certificates. The acceptable certificates would be passed
-in the B<certs> parameter. In this case if the signer is not one of the
-certificates supplied in B<certs> then the verify will fail because the
-signer cannot be found.
-Care should be taken when modifying the default verify behaviour, for example
-setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
-and any signed message will be considered valid. This combination is however
-useful if one merely wishes to write the content to B<out> and its validity
-is not considered important.
-Chain verification should arguably be performed  using the signing time rather
-than the current time. However since the signing time is supplied by the
-signer it cannot be trusted without additional evidence (such as a trusted
-timestamp).
-=head1 RETURN VALUES
-PKCS7_verify() returns 1 for a successful verification and zero or a negative
-value if an error occurs.
-PKCS7_get0_signers() returns all signers or B<NULL> if an error occurred.
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
-=head1 BUGS
-The trusted certificate store is not searched for the signers certificate,
-this is primarily due to the inadequacies of the current B<X509_STORE>
-functionality.
-The lack of single pass processing and need to hold all data in memory as
-mentioned in PKCS7_sign() also applies to PKCS7_verify().
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>
-=head1 HISTORY
-PKCS7_verify() was added to OpenSSL 0.9.5
-=cut
diff --git a/src/lib/libcrypto/doc/RAND.pod b/src/lib/libcrypto/doc/RAND.pod
deleted file mode 100644
index dd6962fa35..0000000000
--- a/src/lib/libcrypto/doc/RAND.pod
+++ /dev/null
@@ -1,34 +0,0 @@
-=pod
-=head1 NAME
-RAND - pseudo-random number generator
-=head1 SYNOPSIS
- #include <openssl/rand.h>
- int  RAND_bytes(unsigned char *buf, int num);
- int  RAND_pseudo_bytes(unsigned char *buf, int num);
-=head1 DESCRIPTION
-These functions give access to the systems cryptographically secure
-pseudo-random number generator (PRNG). It is used by other library functions
-for example to generate random keys, and applications can use it when they
-need randomness.
-L<RAND_bytes(3)|RAND_bytes(3)> describes how to obtain random data from the
-PRNG.
-=head1 INTERNALS
-The RAND_SSLeay() method implements a PRNG based on the systems'
-L<arc4random_buf(3)> random number generator.
-=head1 SEE ALSO
-L<BN_rand(3)|BN_rand(3)>,
-L<RAND_bytes(3)|RAND_bytes(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/RAND_add.pod b/src/lib/libcrypto/doc/RAND_add.pod
deleted file mode 100644
index 3ffd4910c4..0000000000
--- a/src/lib/libcrypto/doc/RAND_add.pod
+++ /dev/null
@@ -1,30 +0,0 @@
-=pod
-=head1 NAME
-RAND_add, RAND_seed, RAND_status - add entropy to the PRNG (DEPRECATED)
-=head1 SYNOPSIS
- #include <openssl/rand.h>
- void RAND_seed(const void *buf, int num);
- void RAND_add(const void *buf, int num, double entropy);
- int  RAND_status(void);
-=head1 DESCRIPTION
-These functions used to allow for the state of the random number generator
-to be controlled by external sources.
-They are kept for ABI compatibility but are no longer functional, and
-should not be used in new programs.
-=head1 SEE ALSO
-L<rand(3)|rand(3)>,
-L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/RAND_bytes.pod b/src/lib/libcrypto/doc/RAND_bytes.pod
deleted file mode 100644
index c89961ada3..0000000000
--- a/src/lib/libcrypto/doc/RAND_bytes.pod
+++ /dev/null
@@ -1,43 +0,0 @@
-=pod
-=head1 NAME
-RAND_bytes, RAND_pseudo_bytes - generate random data
-=head1 SYNOPSIS
- #include <openssl/rand.h>
- int RAND_bytes(unsigned char *buf, int num);
- int RAND_pseudo_bytes(unsigned char *buf, int num);
-=head1 DESCRIPTION
-RAND_bytes() puts B<num> cryptographically strong pseudo-random bytes
-into B<buf>.
-RAND_pseudo_bytes() puts B<num> pseudo-random bytes into B<buf>.
-Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be
-unique if they are of sufficient length, but are not necessarily
-unpredictable. They can be used for non-cryptographic purposes and for
-certain purposes in cryptographic protocols, but usually not for key
-generation etc.
-=head1 RETURN VALUES
-RAND_bytes() returns 1.
-RAND_pseudo_bytes() returns 1.
-=head1 SEE ALSO
-L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<RAND_add(3)|RAND_add(3)>
-=head1 HISTORY
-RAND_bytes() is available in all versions of SSLeay and OpenSSL.  It
-has a return value since OpenSSL 0.9.5. RAND_pseudo_bytes() was added
-in OpenSSL 0.9.5.
-=cut
diff --git a/src/lib/libcrypto/doc/RAND_cleanup.pod b/src/lib/libcrypto/doc/RAND_cleanup.pod
deleted file mode 100644
index 10cb39ce7a..0000000000
--- a/src/lib/libcrypto/doc/RAND_cleanup.pod
+++ /dev/null
@@ -1,25 +0,0 @@
-=pod
-=head1 NAME
-RAND_cleanup - erase the PRNG state
-=head1 SYNOPSIS
- #include <openssl/rand.h>
- void RAND_cleanup(void);
-=head1 DESCRIPTION
-RAND_cleanup() erases the memory used by the PRNG.
-=head1 SEE ALSO
-L<rand(3)|rand(3)>
-=head1 HISTORY
-RAND_cleanup() is available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/RAND_load_file.pod b/src/lib/libcrypto/doc/RAND_load_file.pod
deleted file mode 100644
index 5e4c2481d8..0000000000
--- a/src/lib/libcrypto/doc/RAND_load_file.pod
+++ /dev/null
@@ -1,52 +0,0 @@
-=pod
-=head1 NAME
-RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file
-=head1 SYNOPSIS
- #include <openssl/rand.h>
- const char *RAND_file_name(char *buf, size_t num);
- int RAND_load_file(const char *filename, long max_bytes);
- int RAND_write_file(const char *filename);
-=head1 DESCRIPTION
-RAND_file_name() returns a default path for the random seed file.
-B<buf> points to a buffer of size B<num> in which to store the
-filename. If B<num> is too small for the path name, an error occurs.
-RAND_load_file() used to allow for the state of the random number generator
-to be controlled by external sources.
-It is kept for ABI compatibility but is no longer functional, and
-should not used in new programs.
-RAND_write_file() writes a number of random bytes (currently 1024) to
-file B<filename>.
-=head1 RETURN VALUES
-RAND_load_file() always returns 0.
-RAND_write_file() returns the number of bytes written, and -1 if the
-bytes written were generated without appropriate seed.
-RAND_file_name() returns a pointer to B<buf> on success, and NULL on
-error.
-=head1 SEE ALSO
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>,
-L<RAND_cleanup(3)|RAND_cleanup(3)>
-=head1 HISTORY
-RAND_load_file(), RAND_write_file() and RAND_file_name() are available in
-all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/RAND_set_rand_method.pod b/src/lib/libcrypto/doc/RAND_set_rand_method.pod
deleted file mode 100644
index c02068bf76..0000000000
--- a/src/lib/libcrypto/doc/RAND_set_rand_method.pod
+++ /dev/null
@@ -1,40 +0,0 @@
-=pod
-=head1 NAME
-RAND_set_rand_method, RAND_get_rand_method, RAND_SSLeay - select RAND method
-=head1 SYNOPSIS
- #include <openssl/rand.h>
- void RAND_set_rand_method(const RAND_METHOD *meth);
- const RAND_METHOD *RAND_get_rand_method(void);
- RAND_METHOD *RAND_SSLeay(void);
-=head1 DESCRIPTION
-These functions used to allow for the random number generator functions
-to be replaced by arbitrary code.
-They are kept for ABI compatibility but are no longer functional, and
-should not be used in new programs.
-=head1 SEE ALSO
-L<rand(3)|rand(3)>
-=head1 HISTORY
-RAND_set_rand_method(), RAND_get_rand_method() and RAND_SSLeay() are
-available in all versions of OpenSSL.
-In the engine version of version 0.9.6, RAND_set_rand_method() was altered to
-take an ENGINE pointer as its argument. As of version 0.9.7, that has been
-reverted as the ENGINE API transparently overrides RAND defaults if used,
-otherwise RAND API functions work as before. RAND_set_rand_engine() was also
-introduced in version 0.9.7.
-=cut
diff --git a/src/lib/libcrypto/doc/RC4.pod b/src/lib/libcrypto/doc/RC4.pod
deleted file mode 100644
index b6d3a4342c..0000000000
--- a/src/lib/libcrypto/doc/RC4.pod
+++ /dev/null
@@ -1,62 +0,0 @@
-=pod
-=head1 NAME
-RC4_set_key, RC4 - RC4 encryption
-=head1 SYNOPSIS
- #include <openssl/rc4.h>
- void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
- void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
-          unsigned char *outdata);
-=head1 DESCRIPTION
-This library implements the Alleged RC4 cipher, which is described for
-example in I<Applied Cryptography>.  It is believed to be compatible
-with RC4[TM], a proprietary cipher of RSA Security Inc.
-RC4 is a stream cipher with variable key length.  Typically, 128 bit
-(16 byte) keys are used for strong encryption, but shorter insecure
-key sizes have been widely used due to export restrictions.
-RC4 consists of a key setup phase and the actual encryption or
-decryption phase.
-RC4_set_key() sets up the B<RC4_KEY> B<key> using the B<len> bytes long
-key at B<data>.
-RC4() encrypts or decrypts the B<len> bytes of data at B<indata> using
-B<key> and places the result at B<outdata>.  Repeated RC4() calls with
-the same B<key> yield a continuous key stream.
-Since RC4 is a stream cipher (the input is XORed with a pseudo-random
-key stream to produce the output), decryption uses the same function
-calls as encryption.
-Applications should use the higher level functions
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
-etc. instead of calling the RC4 functions directly.
-=head1 RETURN VALUES
-RC4_set_key() and RC4() do not return values.
-=head1 NOTE
-Certain conditions have to be observed to securely use stream ciphers.
-It is not permissible to perform multiple encryptions using the same
-key stream.
-=head1 SEE ALSO
-L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<rc2(3)|rc2(3)>
-=head1 HISTORY
-RC4_set_key() and RC4() are available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/RIPEMD160.pod b/src/lib/libcrypto/doc/RIPEMD160.pod
deleted file mode 100644
index f66fb02ed2..0000000000
--- a/src/lib/libcrypto/doc/RIPEMD160.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-=head1 NAME
-RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final -
-RIPEMD-160 hash function
-=head1 SYNOPSIS
- #include <openssl/ripemd.h>
- unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
-                  unsigned char *md);
- int RIPEMD160_Init(RIPEMD160_CTX *c);
- int RIPEMD160_Update(RIPEMD_CTX *c, const void *data,
-                  unsigned long len);
- int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
-=head1 DESCRIPTION
-RIPEMD-160 is a cryptographic hash function with a
-160 bit output.
-RIPEMD160() computes the RIPEMD-160 message digest of the B<n>
-bytes at B<d> and places it in B<md> (which must have space for
-RIPEMD160_DIGEST_LENGTH == 20 bytes of output). If B<md> is NULL, the digest
-is placed in a static array.
-The following functions may be used if the message is not completely
-stored in memory:
-RIPEMD160_Init() initializes a B<RIPEMD160_CTX> structure.
-RIPEMD160_Update() can be called repeatedly with chunks of the message to
-be hashed (B<len> bytes at B<data>).
-RIPEMD160_Final() places the message digest in B<md>, which must have
-space for RIPEMD160_DIGEST_LENGTH == 20 bytes of output, and erases
-the B<RIPEMD160_CTX>.
-Applications should use the higher level functions
-L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead of calling the
-hash functions directly.
-=head1 RETURN VALUES
-RIPEMD160() returns a pointer to the hash value.
-RIPEMD160_Init(), RIPEMD160_Update() and RIPEMD160_Final() return 1 for
-success, 0 otherwise.
-=head1 CONFORMING TO
-ISO/IEC 10118-3 (draft) (??)
-=head1 SEE ALSO
-L<sha(3)|sha(3)>, L<hmac(3)|hmac(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
-=head1 HISTORY
-RIPEMD160(), RIPEMD160_Init(), RIPEMD160_Update() and
-RIPEMD160_Final() are available since SSLeay 0.9.0.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_blinding_on.pod b/src/lib/libcrypto/doc/RSA_blinding_on.pod
deleted file mode 100644
index f96e3cf7c9..0000000000
--- a/src/lib/libcrypto/doc/RSA_blinding_on.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-=head1 NAME
-RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing
-attacks
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
- void RSA_blinding_off(RSA *rsa);
-=head1 DESCRIPTION
-RSA is vulnerable to timing attacks. In a setup where attackers can
-measure the time of RSA decryption or signature operations, blinding
-must be used to protect the RSA operation from that attack.
-RSA_blinding_on() turns blinding on for key B<rsa> and generates a
-random blinding factor. B<ctx> is B<NULL> or a pre-allocated and
-initialized B<BN_CTX>.
-RSA_blinding_off() turns blinding off and frees the memory used for
-the blinding factor.
-=head1 RETURN VALUES
-RSA_blinding_on() returns 1 on success, and 0 if an error occurred.
-=head1 SEE ALSO
-L<rsa(3)|rsa(3)>, L<rand(3)|rand(3)>
-=head1 HISTORY
-RSA_blinding_on() and RSA_blinding_off() appeared in SSLeay 0.9.0.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_check_key.pod b/src/lib/libcrypto/doc/RSA_check_key.pod
deleted file mode 100644
index a5198f3db5..0000000000
--- a/src/lib/libcrypto/doc/RSA_check_key.pod
+++ /dev/null
@@ -1,67 +0,0 @@
-=pod
-=head1 NAME
-RSA_check_key - validate private RSA keys
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_check_key(RSA *rsa);
-=head1 DESCRIPTION
-This function validates RSA keys. It checks that B<p> and B<q> are
-in fact prime, and that B<n = p*q>.
-It also checks that B<d*e = 1 mod (p-1*q-1)>,
-and that B<dmp1>, B<dmq1> and B<iqmp> are set correctly or are B<NULL>.
-As such, this function can not be used with any arbitrary RSA key object,
-even if it is otherwise fit for regular RSA operation. See B<NOTES> for more
-information.
-=head1 RETURN VALUE
-RSA_check_key() returns 1 if B<rsa> is a valid RSA key, and 0 otherwise.
-1 is returned if an error occurs while checking the key.
-If the key is invalid or an error occurred, the reason code can be
-obtained using L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 NOTES
-This function does not work on RSA public keys that have only the modulus
-and public exponent elements populated. It performs integrity checks on all
-the RSA key material, so the RSA key structure must contain all the private
-key data too.
-Unlike most other RSA functions, this function does B<not> work
-transparently with any underlying ENGINE implementation because it uses the
-key data in the RSA structure directly. An ENGINE implementation can
-override the way key data is stored and handled, and can even provide
-support for HSM keys - in which case the RSA structure may contain B<no>
-key data at all! If the ENGINE in question is only being used for
-acceleration or analysis purposes, then in all likelihood the RSA key data
-is complete and untouched, but this can't be assumed in the general case.
-=head1 BUGS
-A method of verifying the RSA key using opaque RSA API functions might need
-to be considered. Right now RSA_check_key() simply uses the RSA structure
-elements directly, bypassing the RSA_METHOD table altogether (and
-completely violating encapsulation and object-orientation in the process).
-The best fix will probably be to introduce a "check_key()" handler to the
-RSA_METHOD function table so that alternative implementations can also
-provide their own verifiers.
-=head1 SEE ALSO
-L<rsa(3)|rsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-=head1 HISTORY
-RSA_check_key() appeared in OpenSSL 0.9.4.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_generate_key.pod b/src/lib/libcrypto/doc/RSA_generate_key.pod
deleted file mode 100644
index 00026f04df..0000000000
--- a/src/lib/libcrypto/doc/RSA_generate_key.pod
+++ /dev/null
@@ -1,79 +0,0 @@
-=pod
-=head1 NAME
-RSA_generate_key_ex, RSA_generate_key - generate RSA key pair
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-Deprecated:
- RSA *RSA_generate_key(int num, unsigned long e,
-    void (*callback)(int,int,void *), void *cb_arg);
-=head1 DESCRIPTION
-RSA_generate_key_ex() generates a key pair and stores it in the B<RSA>
-structure provided in B<rsa>.
-The modulus size will be of length B<bits>, and the public exponent will be
-B<e>. Key sizes with B<num> E<lt> 1024 should be considered insecure.
-The exponent is an odd number, typically 3, 17 or 65537.
-A callback function may be used to provide feedback about the
-progress of the key generation. If B<cb> is not B<NULL>, it
-will be called as follows using the BN_GENCB_call() function
-described on the L<BN_generate_prime(3)|BN_generate_prime(3)> page:
-=over 4
-=item *
-While a random prime number is generated, it is called as
-described in L<BN_generate_prime(3)|BN_generate_prime(3)>.
-=item *
-When the n-th randomly generated prime is rejected as not
-suitable for the key, B<BN_GENCB_call(cb, 2, n)> is called.
-=item *
-When a random p has been found with p-1 relatively prime to B<e>,
-it is called as B<BN_GENCB_call(cb, 3, 0)>.
-=back
-The process is then repeated for prime q with B<BN_GENCB_call(cb, 3, 1)>.
-RSA_generate_key is deprecated (new applications should use
-RSA_generate_key_ex instead). RSA_generate_key works in the same was as
-RSA_generate_key_ex except it uses "old style" call backs. See
-L<BN_generate_prime(3)|BN_generate_prime(3)> for further details.
-=head1 RETURN VALUE
-If key generation fails, RSA_generate_key() returns B<NULL>.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 BUGS
-B<BN_GENCB_call(cb, 2, x)> is used with two different meanings.
-RSA_generate_key() goes into an infinite loop for illegal input values.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_free(3)|RSA_free(3)>, L<BN_generate_prime(3)|BN_generate_prime(3)>
-=head1 HISTORY
-The B<cb_arg> argument was added in SSLeay 0.9.0.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod b/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod
deleted file mode 100644
index b1ac1167dd..0000000000
--- a/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod
+++ /dev/null
@@ -1,122 +0,0 @@
-=pod
-=head1 NAME
-RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application
-specific data to RSA structures
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_get_ex_new_index(long argl, void *argp,
-                CRYPTO_EX_new *new_func,
-                CRYPTO_EX_dup *dup_func,
-                CRYPTO_EX_free *free_func);
- int RSA_set_ex_data(RSA *r, int idx, void *arg);
- void *RSA_get_ex_data(RSA *r, int idx);
- typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-                           int idx, long argl, void *argp);
- typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-                             int idx, long argl, void *argp);
- typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
-                           int idx, long argl, void *argp);
-=head1 DESCRIPTION
-Several OpenSSL structures can have application specific data attached to them.
-This has several potential uses, it can be used to cache data associated with
-a structure (for example the hash of some part of the structure) or some
-additional data (for example a handle to the data in an external library).
-Since the application data can be anything at all it is passed and retrieved
-as a B<void *> type.
-The B<RSA_get_ex_new_index()> function is initially called to "register" some
-new application specific data. It takes three optional function pointers which
-are called when the parent structure (in this case an RSA structure) is
-initially created, when it is copied and when it is freed up. If any or all of
-these function pointer arguments are not used they should be set to NULL. The
-precise manner in which these function pointers are called is described in more
-detail below. B<RSA_get_ex_new_index()> also takes additional long and pointer
-parameters which will be passed to the supplied functions but which otherwise
-have no special meaning. It returns an B<index> which should be stored
-(typically in a static variable) and passed used in the B<idx> parameter in
-the remaining functions. Each successful call to B<RSA_get_ex_new_index()>
-will return an index greater than any previously returned, this is important
-because the optional functions are called in order of increasing index value.
-B<RSA_set_ex_data()> is used to set application specific data, the data is
-supplied in the B<arg> parameter and its precise meaning is up to the
-application.
-B<RSA_get_ex_data()> is used to retrieve application specific data. The data
-is returned to the application, this will be the same value as supplied to
-a previous B<RSA_set_ex_data()> call.
-B<new_func()> is called when a structure is initially allocated (for example
-with B<RSA_new()>. The parent structure members will not have any meaningful
-values at this point. This function will typically be used to allocate any
-application specific structure.
-B<free_func()> is called when a structure is being freed up. The dynamic parent
-structure members should not be accessed because they will be freed up when
-this function is called.
-B<new_func()> and B<free_func()> take the same parameters. B<parent> is a
-pointer to the parent RSA structure. B<ptr> is a the application specific data
-(this wont be of much use in B<new_func()>. B<ad> is a pointer to the
-B<CRYPTO_EX_DATA> structure from the parent RSA structure: the functions
-B<CRYPTO_get_ex_data()> and B<CRYPTO_set_ex_data()> can be called to manipulate
-it. The B<idx> parameter is the index: this will be the same value returned by
-B<RSA_get_ex_new_index()> when the functions were initially registered. Finally
-the B<argl> and B<argp> parameters are the values originally passed to the same
-corresponding parameters when B<RSA_get_ex_new_index()> was called.
-B<dup_func()> is called when a structure is being copied. Pointers to the
-destination and source B<CRYPTO_EX_DATA> structures are passed in the B<to> and
-B<from> parameters respectively. The B<from_d> parameter is passed a pointer to
-the source application data when the function is called, when the function
-returns the value is copied to the destination: the application can thus modify
-the data pointed to by B<from_d> and have different values in the source and
-destination.  The B<idx>, B<argl> and B<argp> parameters are the same as those
-in B<new_func()> and B<free_func()>.
-=head1 RETURN VALUES
-B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a
-valid index value).
-B<RSA_set_ex_data()> returns 1 on success or 0 on failure.
-B<RSA_get_ex_data()> returns the application data or 0 on failure. 0 may also
-be valid application data but currently it can only fail if given an invalid
-B<idx> parameter.
-B<new_func()> and B<dup_func()> should return 0 for failure and 1 for success.
-On failure an error code can be obtained from
-L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 BUGS
-B<dup_func()> is currently never called.
-The return value of B<new_func()> is ignored.
-The B<new_func()> function isn't very useful because no meaningful values are
-present in the parent RSA structure when it is called.
-=head1 SEE ALSO
-L<rsa(3)|rsa(3)>, L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
-=head1 HISTORY
-RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data() are
-available since SSLeay 0.9.0.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_new.pod b/src/lib/libcrypto/doc/RSA_new.pod
deleted file mode 100644
index 0c85dc1d62..0000000000
--- a/src/lib/libcrypto/doc/RSA_new.pod
+++ /dev/null
@@ -1,39 +0,0 @@
-=pod
-=head1 NAME
-RSA_new, RSA_free - allocate and free RSA objects
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- RSA * RSA_new(void);
- void RSA_free(RSA *rsa);
-=head1 DESCRIPTION
-RSA_new() allocates and initializes an B<RSA> structure. It is equivalent to
-calling RSA_new_method(NULL).
-RSA_free() frees the B<RSA> structure and its components. The key is
-erased before the memory is returned to the system.
-=head1 RETURN VALUES
-If the allocation fails, RSA_new() returns B<NULL> and sets an error code that
-can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a
-pointer to the newly allocated structure.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_generate_key(3)|RSA_generate_key(3)>,
-L<RSA_new_method(3)|RSA_new_method(3)>
-=head1 HISTORY
-RSA_new() and RSA_free() are available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_padding_add_PKCS1_type_1.pod b/src/lib/libcrypto/doc/RSA_padding_add_PKCS1_type_1.pod
deleted file mode 100644
index 1c90b2b44d..0000000000
--- a/src/lib/libcrypto/doc/RSA_padding_add_PKCS1_type_1.pod
+++ /dev/null
@@ -1,121 +0,0 @@
-=pod
-=head1 NAME
-RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
-RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
-RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
-RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
-RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
-padding
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
-    unsigned char *f, int fl);
- int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
-    unsigned char *f, int fl, int rsa_len);
- int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
-    unsigned char *f, int fl);
- int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
-    unsigned char *f, int fl, int rsa_len);
- int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
-    unsigned char *f, int fl, unsigned char *p, int pl);
- int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
-    unsigned char *f, int fl, int rsa_len, unsigned char *p, int pl);
- int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
-    unsigned char *f, int fl);
- int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
-    unsigned char *f, int fl, int rsa_len);
- int RSA_padding_add_none(unsigned char *to, int tlen,
-    unsigned char *f, int fl);
- int RSA_padding_check_none(unsigned char *to, int tlen,
-    unsigned char *f, int fl, int rsa_len);
-=head1 DESCRIPTION
-The RSA_padding_xxx_xxx() functions are called from the RSA encrypt,
-decrypt, sign and verify functions. Normally they should not be called
-from application programs.
-However, they can also be called directly to implement padding for other
-asymmetric ciphers. RSA_padding_add_PKCS1_OAEP() and
-RSA_padding_check_PKCS1_OAEP() may be used in an application combined
-with B<RSA_NO_PADDING> in order to implement OAEP with an encoding
-parameter.
-RSA_padding_add_xxx() encodes B<fl> bytes from B<f> so as to fit into
-B<tlen> bytes and stores the result at B<to>. An error occurs if B<fl>
-does not meet the size requirements of the encoding method.
-The following encoding methods are implemented:
-=over 4
-=item PKCS1_type_1
-PKCS #1 v2.0 EMSA-PKCS1-v1_5 (PKCS #1 v1.5 block type 1); used for signatures
-=item PKCS1_type_2
-PKCS #1 v2.0 EME-PKCS1-v1_5 (PKCS #1 v1.5 block type 2)
-=item PKCS1_OAEP
-PKCS #1 v2.0 EME-OAEP
-=item SSLv23
-PKCS #1 EME-PKCS1-v1_5 with SSL-specific modification
-=item none
-simply copy the data
-=back
-RSA_padding_check_xxx() verifies that the B<fl> bytes at B<f> contain
-a valid encoding for a B<rsa_len> byte RSA key in the respective
-encoding method and stores the recovered data of at most B<tlen> bytes
-(for B<RSA_NO_PADDING>: of size B<tlen>)
-at B<to>.
-For RSA_padding_xxx_OAEP(), B<p> points to the encoding parameter
-of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
-=head1 RETURN VALUES
-The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
-The RSA_padding_check_xxx() functions return the length of the
-recovered data, -1 on error. Error codes can be obtained by calling
-L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 SEE ALSO
-L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
-L<RSA_private_decrypt(3)|RSA_private_decrypt(3)>,
-L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
-=head1 HISTORY
-RSA_padding_add_PKCS1_type_1(), RSA_padding_check_PKCS1_type_1(),
-RSA_padding_add_PKCS1_type_2(), RSA_padding_check_PKCS1_type_2(),
-RSA_padding_add_SSLv23(), RSA_padding_check_SSLv23(),
-RSA_padding_add_none() and RSA_padding_check_none() appeared in
-SSLeay 0.9.0.
-RSA_padding_add_PKCS1_OAEP() and RSA_padding_check_PKCS1_OAEP() were
-added in OpenSSL 0.9.2b.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_print.pod b/src/lib/libcrypto/doc/RSA_print.pod
deleted file mode 100644
index c971e91f4d..0000000000
--- a/src/lib/libcrypto/doc/RSA_print.pod
+++ /dev/null
@@ -1,49 +0,0 @@
-=pod
-=head1 NAME
-RSA_print, RSA_print_fp,
-DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp,
-DHparams_print, DHparams_print_fp - print cryptographic parameters
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_print(BIO *bp, RSA *x, int offset);
- int RSA_print_fp(FILE *fp, RSA *x, int offset);
- #include <openssl/dsa.h>
- int DSAparams_print(BIO *bp, DSA *x);
- int DSAparams_print_fp(FILE *fp, DSA *x);
- int DSA_print(BIO *bp, DSA *x, int offset);
- int DSA_print_fp(FILE *fp, DSA *x, int offset);
- #include <openssl/dh.h>
- int DHparams_print(BIO *bp, DH *x);
- int DHparams_print_fp(FILE *fp, DH *x);
-=head1 DESCRIPTION
-A human-readable hexadecimal output of the components of the RSA
-key, DSA parameters or key or DH parameters is printed to B<bp> or B<fp>.
-The output lines are indented by B<offset> spaces.
-=head1 RETURN VALUES
-These functions return 1 on success, 0 on error.
-=head1 SEE ALSO
-L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
-=head1 HISTORY
-RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(),
-DH_print_fp() are available in all versions of SSLeay and OpenSSL.
-DSAparams_print() and DSAparams_print_fp() were added in SSLeay 0.8.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_private_encrypt.pod b/src/lib/libcrypto/doc/RSA_private_encrypt.pod
deleted file mode 100644
index aa2bc1bd76..0000000000
--- a/src/lib/libcrypto/doc/RSA_private_encrypt.pod
+++ /dev/null
@@ -1,69 +0,0 @@
-=pod
-=head1 NAME
-RSA_private_encrypt, RSA_public_decrypt - low level signature operations
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_private_encrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa, int padding);
- int RSA_public_decrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa, int padding);
-=head1 DESCRIPTION
-These functions handle RSA signatures at a low level.
-RSA_private_encrypt() signs the B<flen> bytes at B<from> (usually a
-message digest with an algorithm identifier) using the private key
-B<rsa> and stores the signature in B<to>. B<to> must point to
-B<RSA_size(rsa)> bytes of memory.
-B<padding> denotes one of the following modes:
-=over 4
-=item RSA_PKCS1_PADDING
-PKCS #1 v1.5 padding. This function does not handle the B<algorithmIdentifier>
-specified in PKCS #1. When generating or verifying PKCS #1 signatures,
-L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be used.
-=item RSA_NO_PADDING
-Raw RSA signature. This mode should I<only> be used to implement
-cryptographically sound padding modes in the application code.
-Signing user data directly with RSA is insecure.
-=back
-RSA_public_decrypt() recovers the message digest from the B<flen>
-bytes long signature at B<from> using the signer's public key
-B<rsa>. B<to> must point to a memory section large enough to hold the
-message digest (which is smaller than B<RSA_size(rsa) -
-11>). B<padding> is the padding mode that was used to sign the data.
-=head1 RETURN VALUES
-RSA_private_encrypt() returns the size of the signature (i.e.,
-RSA_size(rsa)). RSA_public_decrypt() returns the size of the
-recovered message digest.
-On error, -1 is returned; the error codes can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
-=head1 HISTORY
-The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
-available since SSLeay 0.9.0.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_public_encrypt.pod b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
deleted file mode 100644
index 4bbee53f09..0000000000
--- a/src/lib/libcrypto/doc/RSA_public_encrypt.pod
+++ /dev/null
@@ -1,82 +0,0 @@
-=pod
-=head1 NAME
-RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_public_encrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa, int padding);
- int RSA_private_decrypt(int flen, unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding);
-=head1 DESCRIPTION
-RSA_public_encrypt() encrypts the B<flen> bytes at B<from> (usually a
-session key) using the public key B<rsa> and stores the ciphertext in
-B<to>. B<to> must point to RSA_size(B<rsa>) bytes of memory.
-B<padding> denotes one of the following modes:
-=over 4
-=item RSA_PKCS1_PADDING
-PKCS #1 v1.5 padding. This currently is the most widely used mode.
-=item RSA_PKCS1_OAEP_PADDING
-EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty
-encoding parameter. This mode is recommended for all new applications.
-=item RSA_SSLV23_PADDING
-PKCS #1 v1.5 padding with an SSL-specific modification that denotes
-that the server is SSL3 capable.
-=item RSA_NO_PADDING
-Raw RSA encryption. This mode should I<only> be used to implement
-cryptographically sound padding modes in the application code.
-Encrypting user data directly with RSA is insecure.
-=back
-B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-based padding modes, less than RSA_size(B<rsa>) - 41 for
-RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
-RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
-private key B<rsa> and stores the plaintext in B<to>. B<to> must point
-to a memory section large enough to hold the decrypted data (which is
-smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that
-was used to encrypt the data.
-=head1 RETURN VALUES
-RSA_public_encrypt() returns the size of the encrypted data (i.e.,
-RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
-recovered plaintext.
-On error, -1 is returned; the error codes can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 CONFORMING TO
-SSL, PKCS #1 v2.0
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_size(3)|RSA_size(3)>
-=head1 HISTORY
-The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
-available since SSLeay 0.9.0, OAEP was added in OpenSSL 0.9.2b.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_set_method.pod b/src/lib/libcrypto/doc/RSA_set_method.pod
deleted file mode 100644
index 3f50a89e5c..0000000000
--- a/src/lib/libcrypto/doc/RSA_set_method.pod
+++ /dev/null
@@ -1,201 +0,0 @@
-=pod
-=head1 NAME
-RSA_set_default_method, RSA_get_default_method, RSA_set_method,
-RSA_get_method, RSA_PKCS1_SSLeay, RSA_null_method, RSA_flags,
-RSA_new_method, RSA_get_default_openssl_method,
-RSA_set_default_openssl_method - select RSA method
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- void RSA_set_default_method(const RSA_METHOD *meth);
- RSA_METHOD *RSA_get_default_method(void);
- int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
- RSA_METHOD *RSA_get_method(const RSA *rsa);
- RSA_METHOD *RSA_PKCS1_SSLeay(void);
- RSA_METHOD *RSA_null_method(void);
- int RSA_flags(const RSA *rsa);
- RSA *RSA_new_method(RSA_METHOD *method);
-=head1 DESCRIPTION
-An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
-operations. By modifying the method, alternative implementations such as
-hardware accelerators may be used. IMPORTANT: See the NOTES section for
-important information about how these RSA API functions are affected by the
-use of B<ENGINE> API calls.
-Initially, the default RSA_METHOD is the OpenSSL internal implementation,
-as returned by RSA_PKCS1_SSLeay().
-RSA_set_default_method() makes B<meth> the default method for all RSA
-structures created later. B<NB>: This is true only whilst no ENGINE has
-been set as a default for RSA, so this function is no longer recommended.
-RSA_get_default_method() returns a pointer to the current default
-RSA_METHOD. However, the meaningfulness of this result is dependent on
-whether the ENGINE API is being used, so this function is no longer
-recommended.
-RSA_set_method() selects B<meth> to perform all operations using the key
-B<rsa>. This will replace the RSA_METHOD used by the RSA key and if the
-previous method was supplied by an ENGINE, the handle to that ENGINE will
-be released during the change. It is possible to have RSA keys that only
-work with certain RSA_METHOD implementations (eg. from an ENGINE module
-that supports embedded hardware-protected keys), and in such cases
-attempting to change the RSA_METHOD for the key can have unexpected
-results.
-RSA_get_method() returns a pointer to the RSA_METHOD being used by B<rsa>.
-This method may or may not be supplied by an ENGINE implementation, but if
-it is, the return value can only be guaranteed to be valid as long as the
-RSA key itself is valid and does not have its implementation changed by
-RSA_set_method().
-RSA_flags() returns the B<flags> that are set for B<rsa>'s current
-RSA_METHOD. See the BUGS section.
-RSA_new_method() allocates and initializes an RSA structure so that
-B<engine> will be used for the RSA operations. If B<engine> is NULL, the
-default ENGINE for RSA operations is used, and if no default ENGINE is set,
-the RSA_METHOD controlled by RSA_set_default_method() is used.
-RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
-RSA_new_method() allocates and initializes an B<RSA> structure so that
-B<method> will be used for the RSA operations. If B<method> is B<NULL>,
-the default method is used.
-=head1 THE RSA_METHOD STRUCTURE
- typedef struct rsa_meth_st
- {
-     /* name of the implementation */
-        const char *name;
-     /* encrypt */
-        int (*rsa_pub_enc)(int flen, unsigned char *from,
-          unsigned char *to, RSA *rsa, int padding);
-     /* verify arbitrary data */
-        int (*rsa_pub_dec)(int flen, unsigned char *from,
-          unsigned char *to, RSA *rsa, int padding);
-     /* sign arbitrary data */
-        int (*rsa_priv_enc)(int flen, unsigned char *from,
-          unsigned char *to, RSA *rsa, int padding);
-     /* decrypt */
-        int (*rsa_priv_dec)(int flen, unsigned char *from,
-          unsigned char *to, RSA *rsa, int padding);
-     /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some
-                                        implementations) */
-        int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
-     /* compute r = a ^ p mod m (May be NULL for some implementations) */
-        int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-     /* called at RSA_new */
-        int (*init)(RSA *rsa);
-     /* called at RSA_free */
-        int (*finish)(RSA *rsa);
-     /* RSA_FLAG_EXT_PKEY        - rsa_mod_exp is called for private key
-      *                            operations, even if p,q,dmp1,dmq1,iqmp
-      *                            are NULL
-      * RSA_FLAG_SIGN_VER        - enable rsa_sign and rsa_verify
-      * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match
-      */
-        int flags;
-        char *app_data; /* ?? */
-     /* sign. For backward compatibility, this is used only
-      * if (flags & RSA_FLAG_SIGN_VER)
-      */
-        int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
-           unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-     /* verify. For backward compatibility, this is used only
-      * if (flags & RSA_FLAG_SIGN_VER)
-      */
-        int (*rsa_verify)(int type, unsigned char *m, unsigned int m_len,
-           unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
- } RSA_METHOD;
-=head1 RETURN VALUES
-RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_method()
-and RSA_get_method() return pointers to the respective RSA_METHODs.
-RSA_set_method() returns a pointer to the old RSA_METHOD implementation
-that was replaced. However, this return value should probably be ignored
-because if it was supplied by an ENGINE, the pointer could be invalidated
-at any time if the ENGINE is unloaded (in fact it could be unloaded as a
-result of the RSA_set_method() function releasing its handle to the
-ENGINE). For this reason, the return type may be replaced with a B<void>
-declaration in a future release.
-RSA_new_method() returns NULL and sets an error code that can be obtained
-by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise
-it returns a pointer to the newly allocated structure.
-=head1 NOTES
-As of version 0.9.7, RSA_METHOD implementations are grouped together with
-other algorithmic APIs (eg. DSA_METHOD, EVP_CIPHER, etc) into B<ENGINE>
-modules. If a default ENGINE is specified for RSA functionality using an
-ENGINE API function, that will override any RSA defaults set using the RSA
-API (ie.  RSA_set_default_method()). For this reason, the ENGINE API is the
-recommended way to control default implementations for use in RSA and other
-cryptographic algorithms.
-=head1 BUGS
-The behaviour of RSA_flags() is a mis-feature that is left as-is for now
-to avoid creating compatibility problems. RSA functionality, such as the
-encryption functions, are controlled by the B<flags> value in the RSA key
-itself, not by the B<flags> value in the RSA_METHOD attached to the RSA key
-(which is what this function returns). If the flags element of an RSA key
-is changed, the changes will be honoured by RSA functionality but will not
-be reflected in the return value of the RSA_flags() function - in effect
-RSA_flags() behaves more like an RSA_default_flags() function (which does
-not currently exist).
-=head1 SEE ALSO
-L<rsa(3)|rsa(3)>, L<RSA_new(3)|RSA_new(3)>
-=head1 HISTORY
-RSA_new_method() and RSA_set_default_method() appeared in SSLeay 0.8.
-RSA_get_default_method(), RSA_set_method() and RSA_get_method() as
-well as the rsa_sign and rsa_verify components of RSA_METHOD were
-added in OpenSSL 0.9.4.
-RSA_set_default_openssl_method() and RSA_get_default_openssl_method()
-replaced RSA_set_default_method() and RSA_get_default_method()
-respectively, and RSA_set_method() and RSA_new_method() were altered to use
-B<ENGINE>s rather than B<RSA_METHOD>s during development of the engine
-version of OpenSSL 0.9.6. For 0.9.7, the handling of defaults in the ENGINE
-API was restructured so that this change was reversed, and behaviour of the
-other functions resembled more closely the previous behaviour. The
-behaviour of defaults in the ENGINE API now transparently overrides the
-behaviour of defaults in the RSA API without requiring changing these
-function prototypes.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_sign.pod b/src/lib/libcrypto/doc/RSA_sign.pod
deleted file mode 100644
index 51587bdc41..0000000000
--- a/src/lib/libcrypto/doc/RSA_sign.pod
+++ /dev/null
@@ -1,61 +0,0 @@
-=pod
-=head1 NAME
-RSA_sign, RSA_verify - RSA signatures
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-    unsigned char *sigret, unsigned int *siglen, RSA *rsa);
- int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
-    unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-=head1 DESCRIPTION
-RSA_sign() signs the message digest B<m> of size B<m_len> using the
-private key B<rsa> as specified in PKCS #1 v2.0. It stores the
-signature in B<sigret> and the signature size in B<siglen>. B<sigret>
-must point to RSA_size(B<rsa>) bytes of memory.
-Note that PKCS #1 adds meta-data, placing limits on the size of the
-key that can be used.
-See L<RSA_private_encrypt(3)|RSA_private_encrypt(3)> for lower-level
-operations.
-B<type> denotes the message digest algorithm that was used to generate
-B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
-see L<objects(3)|objects(3)> for details. If B<type> is B<NID_md5_sha1>,
-an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding
-and no algorithm identifier) is created.
-RSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
-matches a given message digest B<m> of size B<m_len>. B<type> denotes
-the message digest algorithm that was used to generate the signature.
-B<rsa> is the signer's public key.
-=head1 RETURN VALUES
-RSA_sign() returns 1 on success, 0 otherwise.  RSA_verify() returns 1
-on successful verification, 0 otherwise.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 CONFORMING TO
-SSL, PKCS #1 v2.0
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
-L<rsa(3)|rsa(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
-L<RSA_public_decrypt(3)|RSA_public_decrypt(3)>
-=head1 HISTORY
-RSA_sign() and RSA_verify() are available in all versions of SSLeay
-and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod b/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
deleted file mode 100644
index 664b46174b..0000000000
--- a/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
+++ /dev/null
@@ -1,57 +0,0 @@
-=pod
-=head1 NAME
-RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING - RSA signatures
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
-    unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
-    RSA *rsa);
- int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
-    unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
-    RSA *rsa);
-=head1 DESCRIPTION
-RSA_sign_ASN1_OCTET_STRING() signs the octet string B<m> of size
-B<m_len> using the private key B<rsa> represented in DER using PKCS #1
-padding. It stores the signature in B<sigret> and the signature size
-in B<siglen>. B<sigret> must point to B<RSA_size(rsa)> bytes of
-memory.
-B<dummy> is ignored.
-RSA_verify_ASN1_OCTET_STRING() verifies that the signature B<sigbuf>
-of size B<siglen> is the DER representation of a given octet string
-B<m> of size B<m_len>. B<dummy> is ignored. B<rsa> is the signer's
-public key.
-=head1 RETURN VALUES
-RSA_sign_ASN1_OCTET_STRING() returns 1 on success, 0 otherwise.
-RSA_verify_ASN1_OCTET_STRING() returns 1 on successful verification, 0
-otherwise.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 BUGS
-These functions serve no recognizable purpose.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
-L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
-L<RSA_verify(3)|RSA_verify(3)>
-=head1 HISTORY
-RSA_sign_ASN1_OCTET_STRING() and RSA_verify_ASN1_OCTET_STRING() were
-added in SSLeay 0.8.
-=cut
diff --git a/src/lib/libcrypto/doc/RSA_size.pod b/src/lib/libcrypto/doc/RSA_size.pod
deleted file mode 100644
index 5b7f835f95..0000000000
--- a/src/lib/libcrypto/doc/RSA_size.pod
+++ /dev/null
@@ -1,33 +0,0 @@
-=pod
-=head1 NAME
-RSA_size - get RSA modulus size
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- int RSA_size(const RSA *rsa);
-=head1 DESCRIPTION
-This function returns the RSA modulus size in bytes. It can be used to
-determine how much memory must be allocated for an RSA encrypted
-value.
-B<rsa-E<gt>n> must not be B<NULL>.
-=head1 RETURN VALUE
-The size in bytes.
-=head1 SEE ALSO
-L<rsa(3)|rsa(3)>
-=head1 HISTORY
-RSA_size() is available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/SHA1.pod b/src/lib/libcrypto/doc/SHA1.pod
deleted file mode 100644
index 9fffdf59e7..0000000000
--- a/src/lib/libcrypto/doc/SHA1.pod
+++ /dev/null
@@ -1,71 +0,0 @@
-=pod
-=head1 NAME
-SHA1, SHA1_Init, SHA1_Update, SHA1_Final - Secure Hash Algorithm
-=head1 SYNOPSIS
- #include <openssl/sha.h>
- unsigned char *SHA1(const unsigned char *d, unsigned long n,
-                  unsigned char *md);
- int SHA1_Init(SHA_CTX *c);
- int SHA1_Update(SHA_CTX *c, const void *data,
-                  unsigned long len);
- int SHA1_Final(unsigned char *md, SHA_CTX *c);
-=head1 DESCRIPTION
-SHA-1 (Secure Hash Algorithm) is a cryptographic hash function with a
-160 bit output.
-SHA1() computes the SHA-1 message digest of the B<n>
-bytes at B<d> and places it in B<md> (which must have space for
-SHA_DIGEST_LENGTH == 20 bytes of output). If B<md> is NULL, the digest
-is placed in a static array.
-The following functions may be used if the message is not completely
-stored in memory:
-SHA1_Init() initializes a B<SHA_CTX> structure.
-SHA1_Update() can be called repeatedly with chunks of the message to
-be hashed (B<len> bytes at B<data>).
-SHA1_Final() places the message digest in B<md>, which must have space
-for SHA_DIGEST_LENGTH == 20 bytes of output, and erases the B<SHA_CTX>.
-Applications should use the higher level functions
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>
-etc. instead of calling the hash functions directly.
-The predecessor of SHA-1, SHA, is also implemented, but it should be
-used only when backward compatibility is required.
-=head1 RETURN VALUES
-SHA1() returns a pointer to the hash value.
-SHA1_Init(), SHA1_Update() and SHA1_Final() return 1 for success, 0 otherwise.
-=head1 CONFORMING TO
-SHA: US Federal Information Processing Standard FIPS PUB 180 (Secure Hash
-Standard),
-SHA-1: US Federal Information Processing Standard FIPS PUB 180-1 (Secure Hash
-Standard),
-ANSI X9.30
-=head1 SEE ALSO
-L<ripemd(3)|ripemd(3)>, L<hmac(3)|hmac(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>
-=head1 HISTORY
-SHA1(), SHA1_Init(), SHA1_Update() and SHA1_Final() are available in all
-versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/SMIME_read_CMS.pod b/src/lib/libcrypto/doc/SMIME_read_CMS.pod
deleted file mode 100644
index acc5524c14..0000000000
--- a/src/lib/libcrypto/doc/SMIME_read_CMS.pod
+++ /dev/null
@@ -1,70 +0,0 @@
-=pod
-=head1 NAME
- SMIME_read_CMS - parse S/MIME message.
-=head1 SYNOPSIS
- #include <openssl/cms.h>
- CMS_ContentInfo *SMIME_read_CMS(BIO *in, BIO **bcont);
-=head1 DESCRIPTION
-SMIME_read_CMS() parses a message in S/MIME format.
-B<in> is a BIO to read the message from.
-If cleartext signing is used then the content is saved in a memory bio which is
-written to B<*bcont>, otherwise B<*bcont> is set to NULL.
-The parsed CMS_ContentInfo structure is returned or NULL if an
-error occurred.
-=head1 NOTES
-If B<*bcont> is not NULL then the message is clear text signed. B<*bcont> can
-then be passed to CMS_verify() with the B<CMS_DETACHED> flag set.
-Otherwise the type of the returned structure can be determined
-using CMS_get0_type().
-To support future functionality if B<bcont> is not NULL B<*bcont> should be
-initialized to NULL. For example:
- BIO *cont = NULL;
- CMS_ContentInfo *cms;
- cms = SMIME_read_CMS(in, &cont);
-=head1 BUGS
-The MIME parser used by SMIME_read_CMS() is somewhat primitive.  While it will
-handle most S/MIME messages more complex compound formats may not work.
-The parser assumes that the CMS_ContentInfo structure is always base64 encoded
-and will not handle the case where it is in binary format or uses quoted
-printable format.
-The use of a memory BIO to hold the signed content limits the size of message
-which can be processed due to memory restraints: a streaming single pass option
-should be available.
-=head1 RETURN VALUES
-SMIME_read_CMS() returns a valid B<CMS_ContentInfo> structure or B<NULL>
-if an error occurred. The error can be obtained from ERR_get_error(3).
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_type(3)|CMS_type(3)>
-L<SMIME_read_CMS(3)|SMIME_read_CMS(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>
-=head1 HISTORY
-SMIME_read_CMS() was added to OpenSSL 0.9.8
-=cut
diff --git a/src/lib/libcrypto/doc/SMIME_read_PKCS7.pod b/src/lib/libcrypto/doc/SMIME_read_PKCS7.pod
deleted file mode 100644
index 9d46715941..0000000000
--- a/src/lib/libcrypto/doc/SMIME_read_PKCS7.pod
+++ /dev/null
@@ -1,73 +0,0 @@
-=pod
-=head1 NAME
-SMIME_read_PKCS7 - parse S/MIME message.
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- PKCS7 *SMIME_read_PKCS7(BIO *in, BIO **bcont);
-=head1 DESCRIPTION
-SMIME_read_PKCS7() parses a message in S/MIME format.
-B<in> is a BIO to read the message from.
-If cleartext signing is used then the content is saved in
-a memory bio which is written to B<*bcont>, otherwise
-B<*bcont> is set to B<NULL>.
-The parsed PKCS#7 structure is returned or B<NULL> if an
-error occurred.
-=head1 NOTES
-If B<*bcont> is not B<NULL> then the message is clear text
-signed. B<*bcont> can then be passed to PKCS7_verify() with
-the B<PKCS7_DETACHED> flag set.
-Otherwise the type of the returned structure can be determined
-using PKCS7_type().
-To support future functionality if B<bcont> is not B<NULL>
-B<*bcont> should be initialized to B<NULL>. For example:
- BIO *cont = NULL;
- PKCS7 *p7;
- p7 = SMIME_read_PKCS7(in, &cont);
-=head1 BUGS
-The MIME parser used by SMIME_read_PKCS7() is somewhat primitive.
-While it will handle most S/MIME messages more complex compound
-formats may not work.
-The parser assumes that the PKCS7 structure is always base64
-encoded and will not handle the case where it is in binary format
-or uses quoted printable format.
-The use of a memory BIO to hold the signed content limits the size
-of message which can be processed due to memory restraints: a
-streaming single pass option should be available.
-=head1 RETURN VALUES
-SMIME_read_PKCS7() returns a valid B<PKCS7> structure or B<NULL>
-is an error occurred. The error can be obtained from ERR_get_error(3).
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_type(3)|PKCS7_type(3)>
-L<SMIME_read_PKCS7(3)|SMIME_read_PKCS7(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
-=head1 HISTORY
-SMIME_read_PKCS7() was added to OpenSSL 0.9.5
-=cut
diff --git a/src/lib/libcrypto/doc/SMIME_write_CMS.pod b/src/lib/libcrypto/doc/SMIME_write_CMS.pod
deleted file mode 100644
index 04bedfb429..0000000000
--- a/src/lib/libcrypto/doc/SMIME_write_CMS.pod
+++ /dev/null
@@ -1,64 +0,0 @@
-=pod
-=head1 NAME
- SMIME_write_CMS - convert CMS structure to S/MIME format.
-=head1 SYNOPSIS
- #include <openssl/cms.h>
- int SMIME_write_CMS(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
-=head1 DESCRIPTION
-SMIME_write_CMS() adds the appropriate MIME headers to a CMS
-structure to produce an S/MIME message.
-B<out> is the BIO to write the data to. B<cms> is the appropriate
-B<CMS_ContentInfo> structure. If streaming is enabled then the content must be
-supplied in the B<data> argument. B<flags> is an optional set of flags.
-=head1 NOTES
-The following flags can be passed in the B<flags> parameter.
-If B<CMS_DETACHED> is set then cleartext signing will be used, this option only
-makes sense for SignedData where B<CMS_DETACHED> is also set when CMS_sign() is
-called.
-If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are added to
-the content, this only makes sense if B<CMS_DETACHED> is also set.
-If the B<CMS_STREAM> flag is set streaming is performed. This flag should only
-be set if B<CMS_STREAM> was also set in the previous call to a CMS_ContentInfo
-creation function.
-If cleartext signing is being used and B<CMS_STREAM> not set then the data must
-be read twice: once to compute the signature in CMS_sign() and once to output
-the S/MIME message.
-If streaming is performed the content is output in BER format using indefinite
-length constructed encoding except in the case of signed data with detached
-content where the content is absent and DER format is used.
-=head1 BUGS
-SMIME_write_CMS() always base64 encodes CMS structures, there should be an
-option to disable this.
-=head1 RETURN VALUES
-SMIME_write_CMS() returns 1 for success or 0 for failure.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>
-=head1 HISTORY
-SMIME_write_CMS() was added to OpenSSL 0.9.8
-=cut
diff --git a/src/lib/libcrypto/doc/SMIME_write_PKCS7.pod b/src/lib/libcrypto/doc/SMIME_write_PKCS7.pod
deleted file mode 100644
index 4a7cd08c42..0000000000
--- a/src/lib/libcrypto/doc/SMIME_write_PKCS7.pod
+++ /dev/null
@@ -1,65 +0,0 @@
-=pod
-=head1 NAME
-SMIME_write_PKCS7 - convert PKCS#7 structure to S/MIME format.
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- int SMIME_write_PKCS7(BIO *out, PKCS7 *p7, BIO *data, int flags);
-=head1 DESCRIPTION
-SMIME_write_PKCS7() adds the appropriate MIME headers to a PKCS#7
-structure to produce an S/MIME message.
-B<out> is the BIO to write the data to. B<p7> is the appropriate B<PKCS7>
-structure. If streaming is enabled then the content must be supplied in the
-B<data> argument. B<flags> is an optional set of flags.
-=head1 NOTES
-The following flags can be passed in the B<flags> parameter.
-If B<PKCS7_DETACHED> is set then cleartext signing will be used,
-this option only makes sense for signedData where B<PKCS7_DETACHED>
-is also set when PKCS7_sign() is also called.
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain>
-are added to the content, this only makes sense if B<PKCS7_DETACHED>
-is also set.
-If the B<PKCS7_STREAM> flag is set streaming is performed. This flag should
-only be set if B<PKCS7_STREAM> was also set in the previous call to
-PKCS7_sign() or B<PKCS7_encrypt()>.
-If cleartext signing is being used and B<PKCS7_STREAM> not set then
-the data must be read twice: once to compute the signature in PKCS7_sign()
-and once to output the S/MIME message.
-If streaming is performed the content is output in BER format using indefinite
-length constructed encoding except in the case of signed data with detached
-content where the content is absent and DER format is used.
-=head1 BUGS
-SMIME_write_PKCS7() always base64 encodes PKCS#7 structures, there
-should be an option to disable this.
-=head1 RETURN VALUES
-SMIME_write_PKCS7() returns 1 for success or 0 for failure.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
-=head1 HISTORY
-SMIME_write_PKCS7() was added to OpenSSL 0.9.5
-=cut
diff --git a/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod b/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod
deleted file mode 100644
index 4603202db8..0000000000
--- a/src/lib/libcrypto/doc/X509_NAME_ENTRY_get_object.pod
+++ /dev/null
@@ -1,70 +0,0 @@
-=pod
-=head1 NAME
-X509_NAME_ENTRY_get_object, X509_NAME_ENTRY_get_data,
-X509_NAME_ENTRY_set_object, X509_NAME_ENTRY_set_data,
-X509_NAME_ENTRY_create_by_txt, X509_NAME_ENTRY_create_by_NID,
-X509_NAME_ENTRY_create_by_OBJ - X509_NAME_ENTRY utility functions
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
- ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
- int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj);
- int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len);
- X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len);
- X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len);
- X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len);
-=head1 DESCRIPTION
-X509_NAME_ENTRY_get_object() retrieves the field name of B<ne> in
-and B<ASN1_OBJECT> structure.
-X509_NAME_ENTRY_get_data() retrieves the field value of B<ne> in
-and B<ASN1_STRING> structure.
-X509_NAME_ENTRY_set_object() sets the field name of B<ne> to B<obj>.
-X509_NAME_ENTRY_set_data() sets the field value of B<ne> to string type
-B<type> and value determined by B<bytes> and B<len>.
-X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID()
-and X509_NAME_ENTRY_create_by_OBJ() create and return an
-B<X509_NAME_ENTRY> structure.
-=head1 NOTES
-X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be
-used to examine an B<X509_NAME_ENTRY> function as returned by
-X509_NAME_get_entry() for example.
-X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(),
-and X509_NAME_ENTRY_create_by_OBJ() create and return an
-X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(),
-X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data()
-are seldom used in practice because B<X509_NAME_ENTRY> structures
-are almost always part of B<X509_NAME> structures and the
-corresponding B<X509_NAME> functions are typically used to
-create and add new entries in a single operation.
-The arguments of these functions support similar options to the similarly
-named ones of the corresponding B<X509_NAME> functions such as
-X509_NAME_add_entry_by_txt(). So for example B<type> can be set to
-B<MBSTRING_ASC> but in the case of X509_set_data() the field name must be
-set first so the relevant field information can be looked up internally.
-=head1 RETURN VALUES
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
-L<OBJ_nid2obj(3)|OBJ_nid2obj(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod b/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod
deleted file mode 100644
index f97e05e683..0000000000
--- a/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod
+++ /dev/null
@@ -1,117 +0,0 @@
-=pod
-=head1 NAME
-X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ,
-X509_NAME_add_entry_by_NID, X509_NAME_add_entry, X509_NAME_delete_entry -
-X509_NAME modification functions
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set);
- int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set);
- int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set);
- int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set);
- X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
-=head1 DESCRIPTION
-X509_NAME_add_entry_by_txt(), X509_NAME_add_entry_by_OBJ() and
-X509_NAME_add_entry_by_NID() add a field whose name is defined
-by a string B<field>, an object B<obj> or a NID B<nid> respectively.
-The field value to be added is in B<bytes> of length B<len>. If
-B<len> is -1 then the field length is calculated internally using
-strlen(bytes).
-The type of field is determined by B<type> which can either be a
-definition of the type of B<bytes> (such as B<MBSTRING_ASC>) or a
-standard ASN1 type (such as B<V_ASN1_IA5STRING>). The new entry is
-added to a position determined by B<loc> and B<set>.
-X509_NAME_add_entry() adds a copy of B<X509_NAME_ENTRY> structure B<ne>
-to B<name>. The new entry is added to a position determined by B<loc>
-and B<set>. Since a copy of B<ne> is added B<ne> must be freed up after
-the call.
-X509_NAME_delete_entry() deletes an entry from B<name> at position
-B<loc>. The deleted entry is returned and must be freed up.
-=head1 NOTES
-The use of string types such as B<MBSTRING_ASC> or B<MBSTRING_UTF8>
-is strongly recommended for the B<type> parameter. This allows the
-internal code to correctly determine the type of the field and to
-apply length checks according to the relevant standards. This is
-done using ASN1_STRING_set_by_NID().
-If instead an ASN1 type is used no checks are performed and the
-supplied data in B<bytes> is used directly.
-In X509_NAME_add_entry_by_txt() the B<field> string represents
-the field name using OBJ_txt2obj(field, 0).
-The B<loc> and B<set> parameters determine where a new entry should
-be added. For almost all applications B<loc> can be set to -1 and B<set>
-to 0. This adds a new entry to the end of B<name> as a single valued
-RelativeDistinguishedName (RDN).
-B<loc> actually determines the index where the new entry is inserted:
-if it is -1 it is appended.
-B<set> determines how the new type is added. If it is zero a
-new RDN is created.
-If B<set> is -1 or 1 it is added to the previous or next RDN
-structure respectively. This will then be a multivalued RDN:
-since multivalues RDNs are very seldom used B<set> is almost
-always set to zero.
-=head1 EXAMPLES
-Create an B<X509_NAME> structure:
-"C=UK, O=Disorganized Organization, CN=Joe Bloggs"
- X509_NAME *nm;
- nm = X509_NAME_new();
- if (nm == NULL)
-        /* Some error */
- if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-                        "C", "UK", -1, -1, 0))
-        /* Error */
- if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-                        "O", "Disorganized Organization", -1, -1, 0))
-        /* Error */
- if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-                        "CN", "Joe Bloggs", -1, -1, 0))
-        /* Error */
-=head1 RETURN VALUES
-X509_NAME_add_entry_by_txt(), X509_NAME_add_entry_by_OBJ(),
-X509_NAME_add_entry_by_NID() and X509_NAME_add_entry() return 1 for
-success of 0 if an error occurred.
-X509_NAME_delete_entry() returns either the deleted B<X509_NAME_ENTRY>
-structure of B<NULL> if an error occurred.
-=head1 BUGS
-B<type> can still be set to B<V_ASN1_APP_CHOOSE> to use a
-different algorithm to determine field types. Since this form does
-not understand multicharacter types, performs no length checks and
-can result in invalid field types its use is strongly discouraged.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>
-=head1 HISTORY
-=cut
diff --git a/src/lib/libcrypto/doc/X509_NAME_get_index_by_NID.pod b/src/lib/libcrypto/doc/X509_NAME_get_index_by_NID.pod
deleted file mode 100644
index 48510890e8..0000000000
--- a/src/lib/libcrypto/doc/X509_NAME_get_index_by_NID.pod
+++ /dev/null
@@ -1,102 +0,0 @@
-=pod
-=head1 NAME
-X509_NAME_get_index_by_NID, X509_NAME_get_index_by_OBJ, X509_NAME_get_entry,
-X509_NAME_entry_count, X509_NAME_get_text_by_NID, X509_NAME_get_text_by_OBJ -
-X509_NAME lookup and enumeration functions
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
- int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj, int lastpos);
- int X509_NAME_entry_count(X509_NAME *name);
- X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
- int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf,int len);
- int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,int len);
-=head1 DESCRIPTION
-These functions allow an B<X509_NAME> structure to be examined. The
-B<X509_NAME> structure is the same as the B<Name> type defined in
-RFC2459 (and elsewhere) and used for example in certificate subject
-and issuer names.
-X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() retrieve
-the next index matching B<nid> or B<obj> after B<lastpos>. B<lastpos>
-should initially be set to -1. If there are no more entries -1 is returned.
-X509_NAME_entry_count() returns the total number of entries in B<name>.
-X509_NAME_get_entry() retrieves the B<X509_NAME_ENTRY> from B<name>
-corresponding to index B<loc>. Acceptable values for B<loc> run from
-0 to (X509_NAME_entry_count(name) - 1). The value returned is an
-internal pointer which must not be freed.
-X509_NAME_get_text_by_NID(), X509_NAME_get_text_by_OBJ() retrieve
-the "text" from the first entry in B<name> which matches B<nid> or
-B<obj>, if no such entry exists -1 is returned. At most B<len> bytes
-will be written and the text written to B<buf> will be null
-terminated. The length of the output string written is returned
-excluding the terminating null. If B<buf> is <NULL> then the amount
-of space needed in B<buf> (excluding the final null) is returned.
-=head1 NOTES
-X509_NAME_get_text_by_NID() and X509_NAME_get_text_by_OBJ() are
-legacy functions which have various limitations which make them
-of minimal use in practice. They can only find the first matching
-entry and will copy the contents of the field verbatim: this can
-be highly confusing if the target is a multicharacter string type
-like a BMPString or a UTF8String.
-For a more general solution X509_NAME_get_index_by_NID() or
-X509_NAME_get_index_by_OBJ() should be used followed by
-X509_NAME_get_entry() on any matching indices and then the
-various B<X509_NAME_ENTRY> utility functions on the result.
-=head1 EXAMPLES
-Process all entries:
- int i;
- X509_NAME_ENTRY *e;
- for (i = 0; i < X509_NAME_entry_count(nm); i++) {
-        e = X509_NAME_get_entry(nm, i);
-        /* Do something with e */
- }
-Process all commonName entries:
- int loc;
- X509_NAME_ENTRY *e;
- loc = -1;
- for (;;) {
-        lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
-        if (lastpos == -1)
-                break;
-        e = X509_NAME_get_entry(nm, lastpos);
-        /* Do something with e */
- }
-=head1 RETURN VALUES
-X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ()
-return the index of the next matching entry or -1 if not found.
-X509_NAME_entry_count() returns the total number of entries.
-X509_NAME_get_entry() returns an B<X509_NAME> pointer to the
-requested entry or B<NULL> if the index is invalid.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/X509_NAME_print_ex.pod b/src/lib/libcrypto/doc/X509_NAME_print_ex.pod
deleted file mode 100644
index 5cdf636c16..0000000000
--- a/src/lib/libcrypto/doc/X509_NAME_print_ex.pod
+++ /dev/null
@@ -1,103 +0,0 @@
-=pod
-=head1 NAME
-X509_NAME_print_ex, X509_NAME_print_ex_fp, X509_NAME_print,
-X509_NAME_oneline - X509_NAME printing routines.
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
- int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
- char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
- int X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
-=head1 DESCRIPTION
-X509_NAME_print_ex() prints a human readable version of B<nm> to BIO B<out>.
-Each line (for multiline formats) is indented by B<indent> spaces. The output
-format can be extensively customised by use of the B<flags> parameter.
-X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output
-is written to FILE pointer B<fp>.
-X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>. At most B<size>
-bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically
-allocated and returned, otherwise B<buf> is returned.
-X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase>
-characters. Multiple lines are used if the output (including indent) exceeds
-80 characters.
-=head1 NOTES
-The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions
-which produce a non standard output form, they don't handle multi character
-fields and have various quirks and inconsistencies. Their use is strongly
-discouraged in new applications.
-Although there are a large number of possible flags for most purposes
-B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice.
-As noted on the L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)> manual page
-for UTF8 terminals the B<ASN1_STRFLGS_ESC_MSB> should be unset: so for example
-B<XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB> would be used.
-The complete set of the flags supported by X509_NAME_print_ex() is listed below.
-Several options can be ored together.
-The options B<XN_FLAG_SEP_COMMA_PLUS>, B<XN_FLAG_SEP_CPLUS_SPC>,
-B<XN_FLAG_SEP_SPLUS_SPC> and B<XN_FLAG_SEP_MULTILINE> determine the field
-separators to use. Two distinct separators are used between distinct
-RelativeDistinguishedName components and separate values in the same RDN for a
-multi-valued RDN. Multi-valued RDNs are currently very rare so the second
-separator will hardly ever be used.
-B<XN_FLAG_SEP_COMMA_PLUS> uses comma and plus as separators.
-B<XN_FLAG_SEP_CPLUS_SPC> uses comma and plus with spaces: this is more readable
-that plain comma and plus.  B<XN_FLAG_SEP_SPLUS_SPC> uses spaced semicolon and
-plus. B<XN_FLAG_SEP_MULTILINE> uses spaced newline and plus respectively.
-If B<XN_FLAG_DN_REV> is set the whole DN is printed in reversed order.
-The fields B<XN_FLAG_FN_SN>, B<XN_FLAG_FN_LN>, B<XN_FLAG_FN_OID>,
-B<XN_FLAG_FN_NONE> determine how a field name is displayed. It will
-use the short name (e.g. CN) the long name (e.g. commonName) always
-use OID numerical form (normally OIDs are only used if the field name is not
-recognised) and no field name respectively.
-If B<XN_FLAG_SPC_EQ> is set then spaces will be placed around the '=' character
-separating field names and values.
-If B<XN_FLAG_DUMP_UNKNOWN_FIELDS> is set then the encoding of unknown fields is
-printed instead of the values.
-If B<XN_FLAG_FN_ALIGN> is set then field names are padded to 20 characters: this
-is only of use for multiline format.
-Additionally all the options supported by ASN1_STRING_print_ex() can be used to
-control how each field value is displayed.
-In addition a number options can be set for commonly used formats.
-B<XN_FLAG_RFC2253> sets options which produce an output compatible with RFC2253 it
-is equivalent to:
- B<ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS>
-B<XN_FLAG_ONELINE> is a more readable one line format which is the same as:
- B<ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN>
-B<XN_FLAG_MULTILINE> is a multiline format which is the same as:
- B<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN>
-B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it
-calls X509_NAME_print() internally.
-=head1 SEE ALSO
-L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
deleted file mode 100644
index 270b265ce5..0000000000
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
+++ /dev/null
@@ -1,323 +0,0 @@
-=pod
-=head1 NAME
-X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
-X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert,
-X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set
-certificate verification status information
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- #include <openssl/x509_vfy.h>
- int    X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
- void   X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
- int    X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
- X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
- STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
- const char *X509_verify_cert_error_string(long n);
-=head1 DESCRIPTION
-These functions are typically called after X509_verify_cert() has indicated
-an error or in a verification callback to determine the nature of an error.
-X509_STORE_CTX_get_error() returns the error code of B<ctx>, see
-the B<ERROR CODES> section for a full description of all error codes.
-X509_STORE_CTX_set_error() sets the error code of B<ctx> to B<s>. For example
-it might be used in a verification callback to set an error based on additional
-checks.
-X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a
-non-negative integer representing where in the certificate chain the error
-occurred. If it is zero it occurred in the end entity certificate, one if
-it is the certificate which signed the end entity certificate and so on.
-X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
-caused the error or B<NULL> if no certificate is relevant.
-X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
-call to X509_verify_cert() is successful. If the call to X509_verify_cert()
-is B<not> successful the returned chain may be incomplete or invalid. The
-returned chain persists after the B<ctx> structure is freed, when it is
-no longer needed it should be free up using:
-  sk_X509_pop_free(chain, X509_free);
-X509_verify_cert_error_string() returns a human readable error string for
-verification error B<n>.
-=head1 RETURN VALUES
-X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code.
-X509_STORE_CTX_get_error_depth() returns a non-negative error depth.
-X509_STORE_CTX_get_current_cert() returns the certificate which caused the
-error or B<NULL> if no certificate is relevant to the error.
-X509_verify_cert_error_string() returns a human readable error string for
-verification error B<n>.
-=head1 ERROR CODES
-A list of error codes and messages is shown below.  Some of the
-error codes are defined but currently never returned: these are described as
-"unused".
-=over 4
-=item B<X509_V_OK: ok>
-the operation was successful.
-=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
-the issuer certificate could not be found: this occurs if the issuer certificate
-of an untrusted certificate cannot be found.
-=item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
-the CRL of a certificate could not be found.
-=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt
-certificate's signature>
-the certificate signature could not be decrypted. This means that the actual
-signature value could not be determined rather than it not matching the
-expected value, this is only meaningful for RSA keys.
-=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's
-signature>
-the CRL signature could not be decrypted: this means that the actual signature
-value could not be determined rather than it not matching the expected value.
-Unused.
-=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
-public key>
-the public key in the certificate SubjectPublicKeyInfo could not be read.
-=item B<X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure>
-the signature of the certificate is invalid.
-=item B<X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure>
-the signature of the certificate is invalid.
-=item B<X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid>
-the certificate is not yet valid: the notBefore date is after the current time.
-=item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
-the certificate has expired: that is the notAfter date is before the current
-time.
-=item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
-the CRL is not yet valid.
-=item B<X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
-the CRL has expired.
-=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
-certificate's notBefore field>
-the certificate notBefore field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's
-notAfter field>
-the certificate notAfter field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's
-lastUpdate field>
-the CRL lastUpdate field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's
-nextUpdate field>
-the CRL nextUpdate field contains an invalid time.
-=item B<X509_V_ERR_OUT_OF_MEM: out of memory>
-an error occurred trying to allocate memory. This should never happen.
-=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
-the passed certificate is self signed and the same certificate cannot be found
-in the list of trusted certificates.
-=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
-certificate chain>
-the certificate chain could be built up using the untrusted certificates but
-the root could not be found locally.
-=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
-issuer certificate>
-the issuer certificate of a locally looked up certificate could not be found.
-This normally means the list of trusted certificates is not complete.
-=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first
-certificate>
-no signatures could be verified because the chain contains only one certificate
-and it is not self signed.
-=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long>
-the certificate chain length is greater than the supplied maximum depth. Unused.
-=item B<X509_V_ERR_CERT_REVOKED: certificate revoked>
-the certificate has been revoked.
-=item B<X509_V_ERR_INVALID_CA: invalid CA certificate>
-a CA certificate is invalid. Either it is not a CA or its extensions are not
-consistent with the supplied purpose.
-=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded>
-the basicConstraints pathlength parameter has been exceeded.
-=item B<X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose>
-the supplied certificate cannot be used for the specified purpose.
-=item B<X509_V_ERR_CERT_UNTRUSTED: certificate not trusted>
-the root CA is not marked as trusted for the specified purpose.
-=item B<X509_V_ERR_CERT_REJECTED: certificate rejected>
-the root CA is marked to reject the specified purpose.
-=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
-the current candidate issuer certificate was rejected because its subject name
-did not match the issuer name of the current certificate. This is only set
-if issuer check debugging is enabled it is used for status notification and
-is B<not> in itself an error.
-=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier
-mismatch>
-the current candidate issuer certificate was rejected because its subject key
-identifier was present and did not match the authority key identifier current
-certificate. This is only set if issuer check debugging is enabled it is used
-for status notification and is B<not> in itself an error.
-=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial
-number mismatch>
-the current candidate issuer certificate was rejected because its issuer name
-and serial number was present and did not match the authority key identifier of
-the current certificate. This is only set if issuer check debugging is enabled
-it is used for status notification and is B<not> in itself an error.
-=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate
-signing>
-the current candidate issuer certificate was rejected because its keyUsage
-extension does not permit certificate signing. This is only set if issuer check
-debugging is enabled it is used for status notification and is B<not> in itself
-an error.
-=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate
-extension>
-A certificate extension had an invalid value (for example an incorrect
-encoding) or some value inconsistent with other extensions.
-=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent
-certificate policy extension>
-A certificate policies extension had an invalid value (for example an incorrect
-encoding) or some value inconsistent with other extensions. This error only
-occurs if policy processing is enabled.
-=item B<X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
-The verification flags were set to require and explicit policy but none was
-present.
-=item B<X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
-The only CRLs that could be found did not match the scope of the certificate.
-=item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
-Some feature of a certificate extension is not supported. Unused.
-=item B<X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>
-A name constraint violation occurred in the permitted subtrees.
-=item B<X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
-A name constraint violation occurred in the excluded subtrees.
-=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not
-supported>
-A certificate name constraints extension included a minimum or maximum field:
-this is not supported.
-=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint
-type>
-An unsupported name constraint type was encountered. OpenSSL currently only
-supports directory name, DNS name, email and URI types.
-=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name
-constraint syntax>
-The format of the name constraint is not recognised: for example an email
-address format of a form not mentioned in RFC3280. This could be caused by
-a garbage extension or some new feature not currently supported.
-=item B<X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
-An error occurred when attempting to verify the CRL path. This error can only
-happen if extended CRL checking is enabled.
-=item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
-an application specific error. This will never be returned unless explicitly
-set by an application.
-=back
-=head1 NOTES
-The above functions should be used instead of directly referencing the fields
-in the B<X509_VERIFY_CTX> structure.
-In versions of OpenSSL before 1.0 the current certificate returned by
-X509_STORE_CTX_get_current_cert() was never B<NULL>. Applications should
-check the return value before printing out any debugging information relating
-to the current certificate.
-If an unrecognised error code is passed to X509_verify_cert_error_string() the
-numerical value of the unknown code is returned in a static buffer. This is not
-thread safe but will never happen unless an invalid code is passed.
-=head1 SEE ALSO
-L<X509_verify_cert(3)|X509_verify_cert(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod
deleted file mode 100644
index 25224cef1b..0000000000
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod
+++ /dev/null
@@ -1,43 +0,0 @@
-=pod
-=head1 NAME
-X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data,
-X509_STORE_CTX_get_ex_data - add application specific data to X509_STORE_CTX
-structures
-=head1 SYNOPSIS
- #include <openssl/x509_vfy.h>
- int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
-                CRYPTO_EX_new *new_func,
-                CRYPTO_EX_dup *dup_func,
-                CRYPTO_EX_free *free_func);
- int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *d, int idx, void *arg);
- void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
-=head1 DESCRIPTION
-These functions handle application specific data in X509_STORE_CTX structures.
-Their usage is identical to that of RSA_get_ex_new_index(), RSA_set_ex_data()
-and RSA_get_ex_data() as described in L<RSA_get_ex_new_index(3)>.
-=head1 NOTES
-This mechanism is used internally by the B<ssl> library to store the B<SSL>
-structure associated with a verification operation in an B<X509_STORE_CTX>
-structure.
-=head1 SEE ALSO
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>
-=head1 HISTORY
-X509_STORE_CTX_get_ex_new_index(), X509_STORE_CTX_set_ex_data() and
-X509_STORE_CTX_get_ex_data() are available since OpenSSL 0.9.5.
-=cut
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod
deleted file mode 100644
index 66c0da04d2..0000000000
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod
+++ /dev/null
@@ -1,126 +0,0 @@
-=pod
-=head1 NAME
-X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free,
-X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert,
-X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param,
-X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX
-initialisation
-=head1 SYNOPSIS
- #include <openssl/x509_vfy.h>
- X509_STORE_CTX *X509_STORE_CTX_new(void);
- void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
- void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
- int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
-                         X509 *x509, STACK_OF(X509) *chain);
- void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
- void   X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx,X509 *x);
- void   X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,STACK_OF(X509) *sk);
- void   X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
- X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
- void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
- int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
-=head1 DESCRIPTION
-These functions initialise an B<X509_STORE_CTX> structure for subsequent use
-by X509_verify_cert().
-X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.
-X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
-The context can then be reused with an new call to X509_STORE_CTX_init().
-X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
-is no longer valid.
-X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
-The trusted certificate store is set to B<store>, the end entity certificate
-to be verified is set to B<x509> and a set of additional certificates (which
-will be untrusted but may be used to build the chain) in B<chain>. Any or
-all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.
-X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
-to B<sk>. This is an alternative way of specifying trusted certificates
-instead of using an B<X509_STORE>.
-X509_STORE_CTX_set_cert() sets the certificate to be verified in B<ctx> to
-B<x>.
-X509_STORE_CTX_set_chain() sets the additional certificate chain used by B<ctx>
-to B<sk>.
-X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
-verification to B<sk>. These CRLs will only be used if CRL verification is
-enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
-used where additional "useful" CRLs are supplied as part of a protocol,
-for example in a PKCS#7 structure.
-X509_VERIFY_PARAM *X509_STORE_CTX_get0_param() retrieves an internal pointer
-to the verification parameters associated with B<ctx>.
-X509_STORE_CTX_set0_param() sets the internal verification parameter pointer
-to B<param>. After this call B<param> should not be used.
-X509_STORE_CTX_set_default() looks up and sets the default verification
-method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
-find an appropriate set of parameters from B<name>.
-=head1 NOTES
-The certificates and CRLs in a store are used internally and should B<not>
-be freed up until after the associated B<X509_STORE_CTX> is freed. Legacy
-applications might implicitly use an B<X509_STORE_CTX> like this:
-  X509_STORE_CTX ctx;
-  X509_STORE_CTX_init(&ctx, store, cert, chain);
-this is B<not> recommended in new applications they should instead do:
-  X509_STORE_CTX *ctx;
-  ctx = X509_STORE_CTX_new();
-  if (ctx == NULL)
-        /* Bad error */
-  X509_STORE_CTX_init(ctx, store, cert, chain);
-=head1 BUGS
-The certificates and CRLs in a context are used internally and should B<not>
-be freed up until after the associated B<X509_STORE_CTX> is freed. Copies
-should be made or reference counts increased instead.
-=head1 RETURN VALUES
-X509_STORE_CTX_new() returns an newly allocates context or B<NULL> is an
-error occurred.
-X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.
-X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM>
-structure or B<NULL> if an error occurred.
-X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(), X509_STORE_CTX_trusted_stack(),
-X509_STORE_CTX_set_cert(), X509_STORE_CTX_set_chain(),
-X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return
-values.
-X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.
-=head1 SEE ALSO
-L<X509_verify_cert(3)|X509_verify_cert(3)>
-L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)>
-=head1 HISTORY
-X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
-=cut
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_set_verify_cb.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_set_verify_cb.pod
deleted file mode 100644
index 7dfe430c4c..0000000000
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_set_verify_cb.pod
+++ /dev/null
@@ -1,165 +0,0 @@
-=pod
-=head1 NAME
-X509_STORE_CTX_set_verify_cb - set verification callback
-=head1 SYNOPSIS
- #include <openssl/x509_vfy.h>
- void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
-                                int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
-=head1 DESCRIPTION
-X509_STORE_CTX_set_verify_cb() sets the verification callback of B<ctx> to
-B<verify_cb> overwriting any existing callback.
-The verification callback can be used to customise the operation of certificate
-verification, either by overriding error conditions or logging errors for
-debugging purposes.
-However a verification callback is B<not> essential and the default operation
-is often sufficient.
-The B<ok> parameter to the callback indicates the value the callback should
-return to retain the default behaviour. If it is zero then and error condition
-is indicated. If it is 1 then no error occurred. If the flag
-B<X509_V_FLAG_NOTIFY_POLICY> is set then B<ok> is set to 2 to indicate the
-policy checking is complete.
-The B<ctx> parameter to the callback is the B<X509_STORE_CTX> structure that
-is performing the verification operation. A callback can examine this
-structure and receive additional information about the error, for example
-by calling X509_STORE_CTX_get_current_cert(). Additional application data can
-be passed to the callback via the B<ex_data> mechanism.
-=head1 WARNING
-In general a verification callback should B<NOT> unconditionally return 1 in
-all circumstances because this will allow verification to succeed no matter
-what the error. This effectively removes all security from the application
-because B<any> certificate (including untrusted generated ones) will be
-accepted.
-=head1 NOTES
-The verification callback can be set and inherited from the parent structure
-performing the operation. In some cases (such as S/MIME verification) the
-B<X509_STORE_CTX> structure is created and destroyed internally and the
-only way to set a custom verification callback is by inheriting it from the
-associated B<X509_STORE>.
-=head1 RETURN VALUES
-X509_STORE_CTX_set_verify_cb() does not return a value.
-=head1 EXAMPLES
-Default callback operation:
- int
- verify_callback(int ok, X509_STORE_CTX *ctx)
- {
-        return ok;
- }
-Simple example, suppose a certificate in the chain is expired and we wish
-to continue after this error:
- int
- verify_callback(int ok, X509_STORE_CTX *ctx)
- {
-        /* Tolerate certificate expiration */
-        if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
-                return 1;
-        /* Otherwise don't override */
-        return ok;
- }
-More complex example, we don't wish to continue after B<any> certificate has
-expired just one specific case:
- int
- verify_callback(int ok, X509_STORE_CTX *ctx)
- {
-        int err = X509_STORE_CTX_get_error(ctx);
-        X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
-        if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
-                if (check_is_acceptable_expired_cert(err_cert)
-                        return 1;
-        }
-        return ok;
- }
-Full featured logging callback. In this case the B<bio_err> is assumed to be
-a global logging B<BIO>, an alternative would to store a BIO in B<ctx> using
-B<ex_data>.
- int
- verify_callback(int ok, X509_STORE_CTX *ctx)
- {
-        X509 *err_cert;
-        int err,depth;
-        err_cert = X509_STORE_CTX_get_current_cert(ctx);
-        err =   X509_STORE_CTX_get_error(ctx);
-        depth = X509_STORE_CTX_get_error_depth(ctx);
-        BIO_printf(bio_err,"depth=%d ",depth);
-        if (err_cert) {
-                X509_NAME_print_ex(bio_err,
-                    X509_get_subject_name(err_cert), 0,
-                    XN_FLAG_ONELINE);
-                BIO_puts(bio_err, "\n");
-        } else
-                BIO_puts(bio_err, "<no cert>\n");
-        if (!ok)
-                BIO_printf(bio_err, "verify error:num=%d:%s\n",
-                    err, X509_verify_cert_error_string(err));
-        switch (err) {
-        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-                BIO_puts(bio_err, "issuer= ");
-                X509_NAME_print_ex(bio_err,
-                    X509_get_issuer_name(err_cert), 0,
-                    XN_FLAG_ONELINE);
-                BIO_puts(bio_err, "\n");
-                break;
-        case X509_V_ERR_CERT_NOT_YET_VALID:
-        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-                BIO_printf(bio_err, "notBefore=");
-                ASN1_TIME_print(bio_err,
-                    X509_get_notBefore(err_cert));
-                BIO_printf(bio_err, "\n");
-                break;
-        case X509_V_ERR_CERT_HAS_EXPIRED:
-        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-                BIO_printf(bio_err, "notAfter=");
-                ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
-                BIO_printf(bio_err, "\n");
-                break;
-        case X509_V_ERR_NO_EXPLICIT_POLICY:
-                policies_print(bio_err, ctx);
-                break;
-        }
-        if (err == X509_V_OK && ok == 2)
-                /* print out policies */
-        BIO_printf(bio_err,"verify return:%d\n",ok);
-        return(ok);
- }
-=head1 SEE ALSO
-L<X509_STORE_CTX_get_error(3)|X509_STORE_CTX_get_error(3)>
-L<X509_STORE_set_verify_cb_func(3)|X509_STORE_set_verify_cb_func(3)>
-L<X509_STORE_CTX_get_ex_new_index(3)|X509_STORE_CTX_get_ex_new_index(3)>
-=head1 HISTORY
-X509_STORE_CTX_set_verify_cb() is available in all versions of SSLeay and
-OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod b/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod
deleted file mode 100644
index f9602b3e77..0000000000
--- a/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod
+++ /dev/null
@@ -1,55 +0,0 @@
-=pod
-=head1 NAME
-X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb - set verification
-callback
-=head1 SYNOPSIS
- #include <openssl/x509_vfy.h>
- void X509_STORE_set_verify_cb(X509_STORE *st,
-                                int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
- void X509_STORE_set_verify_cb_func(X509_STORE *st,
-                                int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
-=head1 DESCRIPTION
-X509_STORE_set_verify_cb() sets the verification callback of B<ctx> to
-B<verify_cb> overwriting any existing callback.
-X509_STORE_set_verify_cb_func() also sets the verification callback but it
-is implemented as a macro.
-=head1 NOTES
-The verification callback from an B<X509_STORE> is inherited by
-the corresponding B<X509_STORE_CTX> structure when it is initialized. This can
-be used to set the verification callback when the B<X509_STORE_CTX> is
-otherwise inaccessible (for example during S/MIME verification).
-=head1 BUGS
-The macro version of this function was the only one available before
-OpenSSL 1.0.0.
-=head1 RETURN VALUES
-X509_STORE_set_verify_cb() and X509_STORE_set_verify_cb_func() do not return
-a value.
-=head1 SEE ALSO
-L<X509_STORE_CTX_set_verify_cb(3)|X509_STORE_CTX_set_verify_cb(3)>
-L<CMS_verify(3)|CMS_verify(3)>
-=head1 HISTORY
-X509_STORE_set_verify_cb_func() is available in all versions of SSLeay and
-OpenSSL.
-X509_STORE_set_verify_cb() was added to OpenSSL 1.0.0.
-=cut
diff --git a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod b/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
deleted file mode 100644
index 6c88aec49e..0000000000
--- a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
+++ /dev/null
@@ -1,172 +0,0 @@
-=pod
-=head1 NAME
-X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
-X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
-X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
-X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time,
-X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509
-verification parameters
-=head1 SYNOPSIS
- #include <openssl/x509_vfy.h>
- int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);
- int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
-                                                        unsigned long flags);
- unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
- int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
- int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
- void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
- int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
-                                                ASN1_OBJECT *policy);
- int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
-                                        STACK_OF(ASN1_OBJECT) *policies);
- void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
- int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
-=head1 DESCRIPTION
-These functions manipulate the B<X509_VERIFY_PARAM> structure associated with
-a certificate verification operation.
-The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring
-it with B<flags>. See the B<VERIFICATION FLAGS> section for a complete
-description of values the B<flags> parameter can take.
-X509_VERIFY_PARAM_get_flags() returns the flags in B<param>.
-X509_VERIFY_PARAM_clear_flags() clears the flags B<flags> in B<param>.
-X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param>
-to B<purpose>. This determines the acceptable purpose of the certificate
-chain, for example SSL client or SSL server.
-X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to
-B<trust>.
-X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
-B<t>. Normally the current time is used.
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
-X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
-by default) and sets the acceptable policy set to B<policies>. Any existing
-policy set is cleared. The B<policies> parameter can be B<NULL> to clear
-an existing policy set.
-X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>.
-That is the maximum number of untrusted CA certificates that can appear in a
-chain.
-=head1 RETURN VALUES
-X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(),
-X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(),
-X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies() return 1
-for success and 0 for failure.
-X509_VERIFY_PARAM_get_flags() returns the current verification flags.
-X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return
-values.
-X509_VERIFY_PARAM_get_depth() returns the current verification depth.
-=head1 VERIFICATION FLAGS
-The verification flags consists of zero or more of the following flags
-ored together.
-B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf
-certificate. An error occurs if a suitable CRL cannot be found.
-B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate
-chain.
-B<X509_V_FLAG_IGNORE_CRITICAL> disabled critical extension checking. By default
-any unhandled critical extensions in certificates or (if checked) CRLs results
-in a fatal error. If this flag is set unhandled critical extensions are
-ignored. B<WARNING> setting this option for anything other than debugging
-purposes can be a security risk. Finer control over which extensions are
-supported can be performed in the verification callback.
-THe B<X509_V_FLAG_X509_STRICT> flag disables workarounds for some broken
-certificates and makes the verification strictly apply B<X509> rules.
-B<X509_V_FLAG_ALLOW_PROXY_CERTS> enables proxy certificate verification.
-B<X509_V_FLAG_POLICY_CHECK> enables certificate policy checking, by default
-no policy checking is performed. Additional information is sent to the
-verification callback relating to policy checking.
-B<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and
-B<X509_V_FLAG_INHIBIT_MAP> set the B<require explicit policy>, B<inhibit any
-policy> and B<inhibit policy mapping> flags respectively as defined in
-B<RFC3280>. Policy checking is automatically enabled if any of these flags
-are set.
-If B<X509_V_FLAG_NOTIFY_POLICY> is set and the policy checking is successful
-a special status code is set to the verification callback. This permits it
-to examine the valid policy tree and perform additional checks or simply
-log it for debugging purposes.
-By default some additional features such as indirect CRLs and CRLs signed by
-different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set
-they are enabled.
-If B<X509_V_FLAG_USE_DELTAS> ise set delta CRLs (if present) are used to
-determine certificate status. If not set deltas are ignored.
-B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed
-certificate signature. By default this check is disabled because it doesn't
-add any additional security but in some cases applications might want to
-check the signature anyway. A side effect of not checking the root CA
-signature is that disabled or unsupported message digests on the root CA
-are not treated as fatal errors.
-The B<X509_V_FLAG_CB_ISSUER_CHECK> flag enables debugging of certificate
-issuer checks. It is B<not> needed unless you are logging certificate
-verification. If this flag is set then additional status codes will be sent
-to the verification callback and it B<must> be prepared to handle such cases
-without assuming they are hard errors.
-=head1 NOTES
-The above functions should be used to manipulate verification parameters
-instead of legacy functions which work in specific structures such as
-X509_STORE_CTX_set_flags().
-=head1 BUGS
-Delta CRL checking is currently primitive. Only a single delta can be used and
-(partly due to limitations of B<X509_STORE>) constructed CRLs are not
-maintained.
-If CRLs checking is enable CRLs are expected to be available in the
-corresponding B<X509_STORE> structure. No attempt is made to download
-CRLs from the CRL distribution points extension.
-=head1 EXAMPLE
-Enable CRL checking when performing certificate verification during SSL
-connections associated with an B<SSL_CTX> structure B<ctx>:
-  X509_VERIFY_PARAM *param;
-  param = X509_VERIFY_PARAM_new();
-  X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
-  SSL_CTX_set1_param(ctx, param);
-  X509_VERIFY_PARAM_free(param);
-=head1 SEE ALSO
-L<X509_verify_cert(3)|X509_verify_cert(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/X509_new.pod b/src/lib/libcrypto/doc/X509_new.pod
deleted file mode 100644
index a36808b825..0000000000
--- a/src/lib/libcrypto/doc/X509_new.pod
+++ /dev/null
@@ -1,38 +0,0 @@
-=pod
-=head1 NAME
-X509_new, X509_free - X509 certificate ASN1 allocation functions
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- X509 *X509_new(void);
- void X509_free(X509 *a);
-=head1 DESCRIPTION
-The X509 ASN1 allocation routines, allocate and free an
-X509 structure, which represents an X509 certificate.
-X509_new() allocates and initializes a X509 structure.
-X509_free() frees up the B<X509> structure B<a>.
-If B<a> is a B<NULL> pointer, no action occurs.
-=head1 RETURN VALUES
-If the allocation fails, X509_new() returns B<NULL> and sets an error
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-Otherwise it returns a pointer to the newly allocated structure.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509(3)|d2i_X509(3)>
-=head1 HISTORY
-X509_new() and X509_free() are available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/X509_verify_cert.pod b/src/lib/libcrypto/doc/X509_verify_cert.pod
deleted file mode 100644
index f05edd8333..0000000000
--- a/src/lib/libcrypto/doc/X509_verify_cert.pod
+++ /dev/null
@@ -1,53 +0,0 @@
-=pod
-=head1 NAME
-X509_verify_cert - discover and verify X509 certificate chain
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- int X509_verify_cert(X509_STORE_CTX *ctx);
-=head1 DESCRIPTION
-The X509_verify_cert() function attempts to discover and validate a
-certificate chain based on parameters in B<ctx>. A complete description of
-the process is contained in the L<verify(1)|verify(1)> manual page.
-=head1 RETURN VALUES
-If a complete chain can be built and validated this function returns 1,
-otherwise it return zero, in exceptional circumstances it can also
-return a negative code.
-If the function fails additional error information can be obtained by
-examining B<ctx> using, for example X509_STORE_CTX_get_error().
-=head1 NOTES
-Applications rarely call this function directly but it is used by
-OpenSSL internally for certificate validation, in both the S/MIME and
-SSL/TLS code.
-The negative return value from X509_verify_cert() can only occur if no
-certificate is set in B<ctx> (due to a programming error) or if a retry
-operation is requested during internal lookups (which never happens with
-standard lookup methods). It is however recommended that application check
-for <= 0 return value on error.
-=head1 BUGS
-This function uses the header B<x509.h> as opposed to most chain verification
-functions which use B<x509_vfy.h>.
-=head1 SEE ALSO
-L<X509_STORE_CTX_get_error(3)|X509_STORE_CTX_get_error(3)>
-=head1 HISTORY
-X509_verify_cert() is available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/bn.pod b/src/lib/libcrypto/doc/bn.pod
deleted file mode 100644
index b3ad63320a..0000000000
--- a/src/lib/libcrypto/doc/bn.pod
+++ /dev/null
@@ -1,181 +0,0 @@
-=pod
-=head1 NAME
-bn - multiprecision integer arithmetics
-=head1 SYNOPSIS
- #include <openssl/bn.h>
- BIGNUM *BN_new(void);
- void BN_free(BIGNUM *a);
- void BN_init(BIGNUM *);
- void BN_clear(BIGNUM *a);
- void BN_clear_free(BIGNUM *a);
- BN_CTX *BN_CTX_new(void);
- void BN_CTX_init(BN_CTX *c);
- void BN_CTX_free(BN_CTX *c);
- BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
- BIGNUM *BN_dup(const BIGNUM *a);
- BIGNUM *BN_swap(BIGNUM *a, BIGNUM *b);
- int BN_num_bytes(const BIGNUM *a);
- int BN_num_bits(const BIGNUM *a);
- int BN_num_bits_word(BN_ULONG w);
- void BN_set_negative(BIGNUM *a, int n);
- int  BN_is_negative(const BIGNUM *a);
- int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
- int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
- int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
- int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
- int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
-         BN_CTX *ctx);
- int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
- int BN_nnmod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
- int BN_mod_add(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
-         BN_CTX *ctx);
- int BN_mod_sub(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
-         BN_CTX *ctx);
- int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
-         BN_CTX *ctx);
- int BN_mod_sqr(BIGNUM *ret, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
- int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
- int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-         const BIGNUM *m, BN_CTX *ctx);
- int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
- int BN_add_word(BIGNUM *a, BN_ULONG w);
- int BN_sub_word(BIGNUM *a, BN_ULONG w);
- int BN_mul_word(BIGNUM *a, BN_ULONG w);
- BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
- BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
- int BN_cmp(BIGNUM *a, BIGNUM *b);
- int BN_ucmp(BIGNUM *a, BIGNUM *b);
- int BN_is_zero(BIGNUM *a);
- int BN_is_one(BIGNUM *a);
- int BN_is_word(BIGNUM *a, BN_ULONG w);
- int BN_is_odd(BIGNUM *a);
- int BN_zero(BIGNUM *a);
- int BN_one(BIGNUM *a);
- const BIGNUM *BN_value_one(void);
- int BN_set_word(BIGNUM *a, unsigned long w);
- unsigned long BN_get_word(BIGNUM *a);
- int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
- int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
- int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
- int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
- BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
-         BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
- int BN_is_prime(const BIGNUM *p, int nchecks,
-         void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg);
- int BN_set_bit(BIGNUM *a, int n);
- int BN_clear_bit(BIGNUM *a, int n);
- int BN_is_bit_set(const BIGNUM *a, int n);
- int BN_mask_bits(BIGNUM *a, int n);
- int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
- int BN_lshift1(BIGNUM *r, BIGNUM *a);
- int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
- int BN_rshift1(BIGNUM *r, BIGNUM *a);
- int BN_bn2bin(const BIGNUM *a, unsigned char *to);
- BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
- char *BN_bn2hex(const BIGNUM *a);
- char *BN_bn2dec(const BIGNUM *a);
- int BN_hex2bn(BIGNUM **a, const char *str);
- int BN_dec2bn(BIGNUM **a, const char *str);
- int BN_print(BIO *fp, const BIGNUM *a);
- int BN_print_fp(FILE *fp, const BIGNUM *a);
- int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
- BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
- BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
-     BN_CTX *ctx);
- BN_RECP_CTX *BN_RECP_CTX_new(void);
- void BN_RECP_CTX_init(BN_RECP_CTX *recp);
- void BN_RECP_CTX_free(BN_RECP_CTX *recp);
- int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
- int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
-        BN_RECP_CTX *recp, BN_CTX *ctx);
- BN_MONT_CTX *BN_MONT_CTX_new(void);
- void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
- void BN_MONT_CTX_free(BN_MONT_CTX *mont);
- int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx);
- BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
- int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
-         BN_MONT_CTX *mont, BN_CTX *ctx);
- int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
-         BN_CTX *ctx);
- int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
-         BN_CTX *ctx);
- BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
-        BIGNUM *mod);
- void BN_BLINDING_free(BN_BLINDING *b);
- int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
- int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
- int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
- int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
-        BN_CTX *ctx);
- int BN_BLINDING_invert_ex(BIGNUM *n,const BIGNUM *r,BN_BLINDING *b,
-        BN_CTX *ctx);
- unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
- void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
- unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
- void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
- BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
-        const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
-        int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
-        BN_MONT_CTX *m_ctx);
-=head1 DESCRIPTION
-This library performs arithmetic operations on integers of arbitrary
-size. It was written for use in public key cryptography, such as RSA
-and Diffie-Hellman.
-It uses dynamic memory allocation for storing its data structures.
-That means that there is no limit on the size of the numbers
-manipulated by these functions, but return values must always be
-checked in case a memory allocation error has occurred.
-The basic object in this library is a B<BIGNUM>. It is used to hold a
-single large integer. This type should be considered opaque and fields
-should not be modified or accessed directly.
-The creation of B<BIGNUM> objects is described in L<BN_new(3)|BN_new(3)>;
-L<BN_add(3)|BN_add(3)> describes most of the arithmetic operations.
-Comparison is described in L<BN_cmp(3)|BN_cmp(3)>; L<BN_zero(3)|BN_zero(3)>
-describes certain assignments, L<BN_rand(3)|BN_rand(3)> the generation of
-random numbers, L<BN_generate_prime(3)|BN_generate_prime(3)> deals with prime
-numbers and L<BN_set_bit(3)|BN_set_bit(3)> with bit operations. The conversion
-of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)|BN_bn2bin(3)>.
-=head1 SEE ALSO
-L<bn_dump(3)|bn_dump(3)>, L<dh(3)|dh(3)>, L<err(3)|err(3)>,
-L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<BN_new(3)|BN_new(3)>,
-L<BN_CTX_new(3)|BN_CTX_new(3)>, L<BN_copy(3)|BN_copy(3)>,
-L<BN_swap(3)|BN_swap(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
-L<BN_add(3)|BN_add(3)>, L<BN_add_word(3)|BN_add_word(3)>,
-L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
-L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
-L<BN_bn2bin(3)|BN_bn2bin(3)>, L<BN_mod_inverse(3)|BN_mod_inverse(3)>,
-L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>,
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>,
-L<BN_BLINDING_new(3)|BN_BLINDING_new(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_ASN1_OBJECT.pod b/src/lib/libcrypto/doc/d2i_ASN1_OBJECT.pod
deleted file mode 100644
index b2712dc55c..0000000000
--- a/src/lib/libcrypto/doc/d2i_ASN1_OBJECT.pod
+++ /dev/null
@@ -1,25 +0,0 @@
-=pod
-=head1 NAME
-d2i_ASN1_OBJECT, i2d_ASN1_OBJECT - ASN1 OBJECT IDENTIFIER functions
-=head1 SYNOPSIS
- #include <openssl/objects.h>
- ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp, long length);
- int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp);
-=head1 DESCRIPTION
-These functions decode and encode an ASN1 OBJECT IDENTIFIER.
-Othewise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_DHparams.pod b/src/lib/libcrypto/doc/d2i_DHparams.pod
deleted file mode 100644
index 9f1aac9137..0000000000
--- a/src/lib/libcrypto/doc/d2i_DHparams.pod
+++ /dev/null
@@ -1,26 +0,0 @@
-=pod
-=head1 NAME
-d2i_DHparams, i2d_DHparams - PKCS#3 DH parameter functions.
-=head1 SYNOPSIS
- #include <openssl/dh.h>
- DH *d2i_DHparams(DH **a, unsigned char **pp, long length);
- int i2d_DHparams(DH *a, unsigned char **pp);
-=head1 DESCRIPTION
-These functions decode and encode PKCS#3 DH parameters using the
-DHparameter structure described in PKCS#3.
-Othewise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod
deleted file mode 100644
index 10c49e3ad2..0000000000
--- a/src/lib/libcrypto/doc/d2i_DSAPublicKey.pod
+++ /dev/null
@@ -1,79 +0,0 @@
-=pod
-=head1 NAME
-d2i_DSAPublicKey, i2d_DSAPublicKey, d2i_DSAPrivateKey, i2d_DSAPrivateKey,
-d2i_DSA_PUBKEY, i2d_DSA_PUBKEY, d2i_DSAparams, i2d_DSAparams, d2i_DSA_SIG, i2d_DSA_SIG - DSA key encoding
-and parsing functions.
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- #include <openssl/x509.h>
- DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length);
- int i2d_DSAPublicKey(const DSA *a, unsigned char **pp);
- DSA * d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length);
- int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp);
- DSA * d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length);
- int i2d_DSAPrivateKey(const DSA *a, unsigned char **pp);
- DSA * d2i_DSAparams(DSA **a, const unsigned char **pp, long length);
- int i2d_DSAparams(const DSA *a, unsigned char **pp);
- DSA * d2i_DSA_SIG(DSA_SIG **a, const unsigned char **pp, long length);
- int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp);
-=head1 DESCRIPTION
-d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key
-components structure.
-d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using
-a SubjectPublicKeyInfo (certificate public key) structure.
-d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key
-components.
-d2i_DSAparams(), i2d_DSAparams() decode and encode the DSA parameters using
-a B<Dss-Parms> structure as defined in RFC2459.
-d2i_DSA_SIG(), i2d_DSA_SIG() decode and encode a DSA signature using a
-B<Dss-Sig-Value> structure as defined in RFC2459.
-The usage of all of these functions is similar to the d2i_X509() and
-i2d_X509() described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 NOTES
-The B<DSA> structure passed to the private key encoding functions should have
-all the private key components present.
-The data encoded by the private key functions is unencrypted and therefore
-offers no private key security.
-The B<DSA_PUBKEY> functions should be used in preference to the B<DSAPublicKey>
-functions when encoding public keys because they use a standard format.
-The B<DSAPublicKey> functions use an non standard format the actual data encoded
-depends on the value of the B<write_params> field of the B<a> key parameter.
-If B<write_params> is zero then only the B<pub_key> field is encoded as an
-B<INTEGER>. If B<write_params> is 1 then a B<SEQUENCE> consisting of the
-B<p>, B<q>, B<g> and B<pub_key> respectively fields are encoded.
-The B<DSAPrivateKey> functions also use a non standard structure consisting
-consisting of a SEQUENCE containing the B<p>, B<q>, B<g> and B<pub_key> and
-B<priv_key> fields respectively.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_ECPKParameters.pod b/src/lib/libcrypto/doc/d2i_ECPKParameters.pod
deleted file mode 100644
index 704b4ab352..0000000000
--- a/src/lib/libcrypto/doc/d2i_ECPKParameters.pod
+++ /dev/null
@@ -1,84 +0,0 @@
-=pod
-=head1 NAME
-d2i_ECPKParameters, i2d_ECPKParameters, d2i_ECPKParameters_bio, i2d_ECPKParameters_bio, d2i_ECPKParameters_fp, i2d_ECPKParameters_fp, ECPKParameters_print, ECPKParameters_print_fp - Functions for decoding and encoding ASN1 representations of elliptic curve entities
-=head1 SYNOPSIS
- #include <openssl/ec.h>
- EC_GROUP *d2i_ECPKParameters(EC_GROUP **px, const unsigned char **in, long len);
- int i2d_ECPKParameters(const EC_GROUP *x, unsigned char **out);
- #define d2i_ECPKParameters_bio(bp,x) ASN1_d2i_bio_of(EC_GROUP,NULL,d2i_ECPKParameters,bp,x)
- #define i2d_ECPKParameters_bio(bp,x) ASN1_i2d_bio_of_const(EC_GROUP,i2d_ECPKParameters,bp,x)
- #define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \
-                (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x))
- #define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \
-                (unsigned char *)(x))
- int     ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
- int     ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
-=head1 DESCRIPTION
-The ECPKParameters encode and decode routines encode and parse the public parameters for an
-B<EC_GROUP> structure, which represents a curve.
-d2i_ECPKParameters() attempts to decode B<len> bytes at B<*in>. If 
-successful a pointer to the B<EC_GROUP> structure is returned. If an error
-occurred then B<NULL> is returned. If B<px> is not B<NULL> then the
-returned structure is written to B<*px>. If B<*px> is not B<NULL>
-then it is assumed that B<*px> contains a valid B<EC_GROUP>
-structure and an attempt is made to reuse it. If the call is
-successful B<*in> is incremented to the byte following the
-parsed data.
-i2d_ECPKParameters() encodes the structure pointed to by B<x> into DER format.
-If B<out> is not B<NULL> is writes the DER encoded data to the buffer
-at B<*out>, and increments it to point after the data just written.
-If the return value is negative an error occurred, otherwise it
-returns the length of the encoded data. 
-If B<*out> is B<NULL> memory will be allocated for a buffer and the encoded
-data written to it. In this case B<*out> is not incremented and it points to
-the start of the data just written.
-d2i_ECPKParameters_bio() is similar to d2i_ECPKParameters() except it attempts
-to parse data from BIO B<bp>.
-d2i_ECPKParameters_fp() is similar to d2i_ECPKParameters() except it attempts
-to parse data from FILE pointer B<fp>.
-i2d_ECPKParameters_bio() is similar to i2d_ECPKParameters() except it writes
-the encoding of the structure B<x> to BIO B<bp> and it
-returns 1 for success and 0 for failure.
-i2d_ECPKParameters_fp() is similar to i2d_ECPKParameters() except it writes
-the encoding of the structure B<x> to BIO B<bp> and it
-returns 1 for success and 0 for failure.
-These functions are very similar to the X509 functions described in L<d2i_X509(3)|d2i_X509(3)>,
-where further notes and examples are available.
-The ECPKParameters_print and ECPKParameters_print_fp functions print a human-readable output
-of the public parameters of the EC_GROUP to B<bp> or B<fp>. The output lines are indented by B<off> spaces.
-=head1 RETURN VALUES
-d2i_ECPKParameters(), d2i_ECPKParameters_bio() and d2i_ECPKParameters_fp() return a valid B<EC_GROUP> structure
-or B<NULL> if an error occurs.
-i2d_ECPKParameters() returns the number of bytes successfully encoded or a negative
-value if an error occurs.
-i2d_ECPKParameters_bio(), i2d_ECPKParameters_fp(), ECPKParameters_print and ECPKParameters_print_fp
-return 1 for success and 0 if an error occurs. 
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
deleted file mode 100644
index 11515d0ace..0000000000
--- a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=pod
-=head1 NAME
-d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey,
-d2i_RSA_PUBKEY, i2d_RSA_PUBKEY, i2d_Netscape_RSA,
-d2i_Netscape_RSA - RSA public and private key encoding functions.
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- #include <openssl/x509.h>
- RSA * d2i_RSAPublicKey(RSA **a, const unsigned char **pp, long length);
- int i2d_RSAPublicKey(RSA *a, unsigned char **pp);
- RSA * d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp, long length);
- int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp);
- RSA * d2i_RSAPrivateKey(RSA **a, const unsigned char **pp, long length);
- int i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
- int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
- RSA * d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)());
-=head1 DESCRIPTION
-d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1
-RSAPublicKey structure.
-d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using
-a SubjectPublicKeyInfo (certificate public key) structure.
-d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1
-RSAPrivateKey structure.
-d2i_Netscape_RSA(), i2d_Netscape_RSA() decode and encode an RSA private key in
-NET format.
-The usage of all of these functions is similar to the d2i_X509() and
-i2d_X509() described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 NOTES
-The B<RSA> structure passed to the private key encoding functions should have
-all the PKCS#1 private key components present.
-The data encoded by the private key functions is unencrypted and therefore
-offers no private key security.
-The NET format functions are present to provide compatibility with certain very
-old software. This format has some severe security weaknesses and should be
-avoided if possible.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_X509.pod b/src/lib/libcrypto/doc/d2i_X509.pod
deleted file mode 100644
index fad4e8c35b..0000000000
--- a/src/lib/libcrypto/doc/d2i_X509.pod
+++ /dev/null
@@ -1,231 +0,0 @@
-=pod
-=head1 NAME
-d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio,
-i2d_X509_fp - X509 encode and decode functions
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- X509 *d2i_X509(X509 **px, const unsigned char **in, int len);
- int i2d_X509(X509 *x, unsigned char **out);
- X509 *d2i_X509_bio(BIO *bp, X509 **x);
- X509 *d2i_X509_fp(FILE *fp, X509 **x);
- int i2d_X509_bio(BIO *bp, X509 *x);
- int i2d_X509_fp(FILE *fp, X509 *x);
-=head1 DESCRIPTION
-The X509 encode and decode routines encode and parse an
-B<X509> structure, which represents an X509 certificate.
-d2i_X509() attempts to decode B<len> bytes at B<*in>. If
-successful a pointer to the B<X509> structure is returned. If an error
-occurred then B<NULL> is returned. If B<px> is not B<NULL> then the
-returned structure is written to B<*px>. If B<*px> is not B<NULL>
-then it is assumed that B<*px> contains a valid B<X509>
-structure and an attempt is made to reuse it. If the call is
-successful B<*in> is incremented to the byte following the
-parsed data.
-i2d_X509() encodes the structure pointed to by B<x> into DER format.
-If B<out> is not B<NULL> is writes the DER encoded data to the buffer
-at B<*out>, and increments it to point after the data just written.
-If the return value is negative an error occurred, otherwise it
-returns the length of the encoded data.
-For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
-allocated for a buffer and the encoded data written to it. In this
-case B<*out> is not incremented and it points to the start of the
-data just written.
-d2i_X509_bio() is similar to d2i_X509() except it attempts
-to parse data from BIO B<bp>.
-d2i_X509_fp() is similar to d2i_X509() except it attempts
-to parse data from FILE pointer B<fp>.
-i2d_X509_bio() is similar to i2d_X509() except it writes
-the encoding of the structure B<x> to BIO B<bp> and it
-returns 1 for success and 0 for failure.
-i2d_X509_fp() is similar to i2d_X509() except it writes
-the encoding of the structure B<x> to BIO B<bp> and it
-returns 1 for success and 0 for failure.
-=head1 NOTES
-The letters B<i> and B<d> in for example B<i2d_X509> stand for
-"internal" (that is an internal C structure) and "DER". So that
-B<i2d_X509> converts from internal to DER.
-The functions can also understand B<BER> forms.
-The actual X509 structure passed to i2d_X509() must be a valid
-populated B<X509> structure it can B<not> simply be fed with an
-empty structure such as that returned by X509_new().
-The encoded data is in binary form and may contain embedded zeroes.
-Therefore any FILE pointers or BIOs should be opened in binary mode.
-Functions such as B<strlen()> will B<not> return the correct length
-of the encoded structure.
-The ways that B<*in> and B<*out> are incremented after the operation
-can trap the unwary. See the B<WARNINGS> section for some common
-errors.
-The reason for the auto increment behaviour is to reflect a typical
-usage of ASN1 functions: after one structure is encoded or decoded
-another will processed after it.
-=head1 EXAMPLES
-Allocate and encode the DER encoding of an X509 structure:
- int len;
- unsigned char *buf, *p;
- len = i2d_X509(x, NULL);
- buf = malloc(len);
- if (buf == NULL)
-        /* error */
- p = buf;
- i2d_X509(x, &p);
-If you are using OpenSSL 0.9.7 or later then this can be
-simplified to:
- int len;
- unsigned char *buf;
- buf = NULL;
- len = i2d_X509(x, &buf);
- if (len < 0)
-        /* error */
-Attempt to decode a buffer:
- X509 *x;
- unsigned char *buf, *p;
- int len;
- /* Something to setup buf and len */
- p = buf;
- x = d2i_X509(NULL, &p, len);
- if (x == NULL)
-    /* Some error */
-Alternative technique:
- X509 *x;
- unsigned char *buf, *p;
- int len;
- /* Something to setup buf and len */
- p = buf;
- x = NULL;
- if(!d2i_X509(&x, &p, len))
-    /* Some error */
-=head1 WARNINGS
-The use of temporary variable is mandatory. A common
-mistake is to attempt to use a buffer directly as follows:
- int len;
- unsigned char *buf;
- len = i2d_X509(x, NULL);
- buf = malloc(len);
- if (buf == NULL)
-        /* error */
- i2d_X509(x, &buf);
- /* Other stuff ... */
- free(buf);
-This code will result in B<buf> apparently containing garbage because
-it was incremented after the call to point after the data just written.
-Also B<buf> will no longer contain the pointer allocated by B<malloc()>
-and the subsequent call to B<free()> may well crash.
-The auto allocation feature (setting buf to NULL) only works on OpenSSL
-0.9.7 and later. Attempts to use it on earlier versions will typically
-cause a segmentation violation.
-Another trap to avoid is misuse of the B<xp> argument to B<d2i_X509()>:
- X509 *x;
- if (!d2i_X509(&x, &p, len))
-        /* Some error */
-This will probably crash somewhere in B<d2i_X509()>. The reason for this
-is that the variable B<x> is uninitialized and an attempt will be made to
-interpret its (invalid) value as an B<X509> structure, typically causing
-a segmentation violation. If B<x> is set to NULL first then this will not
-happen.
-=head1 BUGS
-In some versions of OpenSSL the "reuse" behaviour of d2i_X509() when
-B<*px> is valid is broken and some parts of the reused structure may
-persist if they are not present in the new one. As a result the use
-of this "reuse" behaviour is strongly discouraged.
-i2d_X509() will not return an error in many versions of OpenSSL,
-if mandatory fields are not initialized due to a programming error
-then the encoded structure may contain invalid data or omit the
-fields entirely and will not be parsed by d2i_X509(). This may be
-fixed in future so code should not assume that i2d_X509() will
-always succeed.
-=head1 RETURN VALUES
-d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
-or B<NULL> if an error occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
-i2d_X509() returns the number of bytes successfully encoded or a negative
-value if an error occurs. The error code can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
-i2d_X509_bio() and i2d_X509_fp() return 1 for success and 0 if an error
-occurs The error code can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>
-=head1 HISTORY
-d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio and i2d_X509_fp
-are available in all versions of SSLeay and OpenSSL.
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_X509_ALGOR.pod b/src/lib/libcrypto/doc/d2i_X509_ALGOR.pod
deleted file mode 100644
index 68011679fd..0000000000
--- a/src/lib/libcrypto/doc/d2i_X509_ALGOR.pod
+++ /dev/null
@@ -1,26 +0,0 @@
-=pod
-=head1 NAME
-d2i_X509_ALGOR, i2d_X509_ALGOR - AlgorithmIdentifier functions.
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **a, unsigned char **pp, long length);
- int i2d_X509_ALGOR(X509_ALGOR *a, unsigned char **pp);
-=head1 DESCRIPTION
-These functions decode and encode an B<X509_ALGOR> structure which is
-equivalent to the B<AlgorithmIdentifier> structure.
-Othewise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_X509_CRL.pod b/src/lib/libcrypto/doc/d2i_X509_CRL.pod
deleted file mode 100644
index 563e4de8e0..0000000000
--- a/src/lib/libcrypto/doc/d2i_X509_CRL.pod
+++ /dev/null
@@ -1,33 +0,0 @@
-=pod
-=head1 NAME
-d2i_X509_CRL, i2d_X509_CRL, d2i_X509_CRL_bio, d2i_X509_CRL_fp,
-i2d_X509_CRL_bio, i2d_X509_CRL_fp - PKCS#10 certificate request functions.
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- X509_CRL *d2i_X509_CRL(X509_CRL **a, const unsigned char **pp, long length);
- int i2d_X509_CRL(X509_CRL *a, unsigned char **pp);
- X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **x);
- X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **x);
- int i2d_X509_CRL_bio(BIO *bp, X509_CRL *x);
- int i2d_X509_CRL_fp(FILE *fp, X509_CRL *x);
-=head1 DESCRIPTION
-These functions decode and encode an X509 CRL (certificate revocation
-list).
-Othewise the functions behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_X509_NAME.pod b/src/lib/libcrypto/doc/d2i_X509_NAME.pod
deleted file mode 100644
index 2219885338..0000000000
--- a/src/lib/libcrypto/doc/d2i_X509_NAME.pod
+++ /dev/null
@@ -1,27 +0,0 @@
-=pod
-=head1 NAME
-d2i_X509_NAME, i2d_X509_NAME - X509_NAME encoding functions
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- X509_NAME *d2i_X509_NAME(X509_NAME **a, unsigned char **pp, long length);
- int i2d_X509_NAME(X509_NAME *a, unsigned char **pp);
-=head1 DESCRIPTION
-These functions decode and encode an B<X509_NAME> structure which is the
-same as the B<Name> type defined in RFC2459 (and elsewhere) and used
-for example in certificate subject and issuer names.
-Othewise the functions behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_X509_REQ.pod b/src/lib/libcrypto/doc/d2i_X509_REQ.pod
deleted file mode 100644
index baa8ae391e..0000000000
--- a/src/lib/libcrypto/doc/d2i_X509_REQ.pod
+++ /dev/null
@@ -1,32 +0,0 @@
-=pod
-=head1 NAME
-d2i_X509_REQ, i2d_X509_REQ, d2i_X509_REQ_bio, d2i_X509_REQ_fp,
-i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions.
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- X509_REQ *d2i_X509_REQ(X509_REQ **a, const unsigned char **pp, long length);
- int i2d_X509_REQ(X509_REQ *a, unsigned char **pp);
- X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **x);
- X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **x);
- int i2d_X509_REQ_bio(BIO *bp, X509_REQ *x);
- int i2d_X509_REQ_fp(FILE *fp, X509_REQ *x);
-=head1 DESCRIPTION
-These functions decode and encode a PKCS#10 certificate request.
-Othewise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/d2i_X509_SIG.pod b/src/lib/libcrypto/doc/d2i_X509_SIG.pod
deleted file mode 100644
index 00d03f5ba1..0000000000
--- a/src/lib/libcrypto/doc/d2i_X509_SIG.pod
+++ /dev/null
@@ -1,26 +0,0 @@
-=pod
-=head1 NAME
-d2i_X509_SIG, i2d_X509_SIG - DigestInfo functions.
-=head1 SYNOPSIS
- #include <openssl/x509.h>
- X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length);
- int i2d_X509_SIG(X509_SIG *a, unsigned char **pp);
-=head1 DESCRIPTION
-These functions decode and encode an X509_SIG structure which is
-equivalent to the B<DigestInfo> structure defined in PKCS#1 and PKCS#7.
-Othewise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
-=head1 SEE ALSO
-L<d2i_X509(3)|d2i_X509(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/dh.pod b/src/lib/libcrypto/doc/dh.pod
deleted file mode 100644
index 5fb9890a77..0000000000
--- a/src/lib/libcrypto/doc/dh.pod
+++ /dev/null
@@ -1,79 +0,0 @@
-=pod
-=head1 NAME
-dh - Diffie-Hellman key agreement
-=head1 SYNOPSIS
- #include <openssl/dh.h>
- #include <openssl/engine.h>
- DH *   DH_new(void);
- void   DH_free(DH *dh);
- int    DH_size(const DH *dh);
- DH *   DH_generate_parameters(int prime_len, int generator,
-                void (*callback)(int, int, void *), void *cb_arg);
- int    DH_check(const DH *dh, int *codes);
- int    DH_generate_key(DH *dh);
- int    DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
- void DH_set_default_method(const DH_METHOD *meth);
- const DH_METHOD *DH_get_default_method(void);
- int DH_set_method(DH *dh, const DH_METHOD *meth);
- DH *DH_new_method(ENGINE *engine);
- const DH_METHOD *DH_OpenSSL(void);
- int DH_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-             int (*dup_func)(), void (*free_func)());
- int DH_set_ex_data(DH *d, int idx, char *arg);
- char *DH_get_ex_data(DH *d, int idx);
- DH *   d2i_DHparams(DH **a, unsigned char **pp, long length);
- int    i2d_DHparams(const DH *a, unsigned char **pp);
- int    DHparams_print_fp(FILE *fp, const DH *x);
- int    DHparams_print(BIO *bp, const DH *x);
-=head1 DESCRIPTION
-These functions implement the Diffie-Hellman key agreement protocol.  The
-generation of shared DH parameters is described in
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>;
-L<DH_generate_key(3)|DH_generate_key(3)> describes how to perform a key
-agreement.
-The B<DH> structure consists of several BIGNUM components.
- struct
-        {
-        BIGNUM *p;              // prime number (shared)
-        BIGNUM *g;              // generator of Z_p (shared)
-        BIGNUM *priv_key;       // private DH value x
-        BIGNUM *pub_key;        // public DH value g^x
-        // ...
-        };
- DH
-Note that DH keys may use non-standard B<DH_METHOD> implementations,
-either directly or by the use of B<ENGINE> modules. In some cases (eg. an
-ENGINE providing support for hardware-embedded keys), these BIGNUM values
-will not be used by the implementation or may be used for alternative data
-storage. For this reason, applications should generally avoid using DH
-structure elements directly and instead use API functions to query or
-modify keys.
-=head1 SEE ALSO
-L<dhparam(1)|dhparam(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
-L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<engine(3)|engine(3)>,
-L<DH_set_method(3)|DH_set_method(3)>, L<DH_new(3)|DH_new(3)>,
-L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>,
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
-L<DH_compute_key(3)|DH_compute_key(3)>, L<d2i_DHparams(3)|d2i_DHparams(3)>,
-L<RSA_print(3)|RSA_print(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/dsa.pod b/src/lib/libcrypto/doc/dsa.pod
deleted file mode 100644
index da07d2b930..0000000000
--- a/src/lib/libcrypto/doc/dsa.pod
+++ /dev/null
@@ -1,114 +0,0 @@
-=pod
-=head1 NAME
-dsa - Digital Signature Algorithm
-=head1 SYNOPSIS
- #include <openssl/dsa.h>
- #include <openssl/engine.h>
- DSA *  DSA_new(void);
- void   DSA_free(DSA *dsa);
- int    DSA_size(const DSA *dsa);
- DSA *  DSA_generate_parameters(int bits, unsigned char *seed,
-                int seed_len, int *counter_ret, unsigned long *h_ret,
-                void (*callback)(int, int, void *), void *cb_arg);
- DH *   DSA_dup_DH(const DSA *r);
- int    DSA_generate_key(DSA *dsa);
- int    DSA_sign(int dummy, const unsigned char *dgst, int len,
-                unsigned char *sigret, unsigned int *siglen, DSA *dsa);
- int    DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
-                BIGNUM **rp);
- int    DSA_verify(int dummy, const unsigned char *dgst, int len,
-                const unsigned char *sigbuf, int siglen, DSA *dsa);
- void DSA_set_default_method(const DSA_METHOD *meth);
- const DSA_METHOD *DSA_get_default_method(void);
- int DSA_set_method(DSA *dsa, const DSA_METHOD *meth);
- DSA *DSA_new_method(ENGINE *engine);
- const DSA_METHOD *DSA_OpenSSL(void);
- int DSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-             int (*dup_func)(), void (*free_func)());
- int DSA_set_ex_data(DSA *d, int idx, char *arg);
- char *DSA_get_ex_data(DSA *d, int idx);
- DSA_SIG *DSA_SIG_new(void);
- void   DSA_SIG_free(DSA_SIG *a);
- int    i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp);
- DSA_SIG *d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length);
- DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
- int    DSA_do_verify(const unsigned char *dgst, int dgst_len,
-             DSA_SIG *sig, DSA *dsa);
- DSA *  d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length);
- DSA *  d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
- DSA *  d2i_DSAparams(DSA **a, unsigned char **pp, long length);
- int    i2d_DSAPublicKey(const DSA *a, unsigned char **pp);
- int    i2d_DSAPrivateKey(const DSA *a, unsigned char **pp);
- int    i2d_DSAparams(const DSA *a,unsigned char **pp);
- int    DSAparams_print(BIO *bp, const DSA *x);
- int    DSAparams_print_fp(FILE *fp, const DSA *x);
- int    DSA_print(BIO *bp, const DSA *x, int off);
- int    DSA_print_fp(FILE *bp, const DSA *x, int off);
-=head1 DESCRIPTION
-These functions implement the Digital Signature Algorithm (DSA).  The
-generation of shared DSA parameters is described in
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>;
-L<DSA_generate_key(3)|DSA_generate_key(3)> describes how to
-generate a signature key. Signature generation and verification are
-described in L<DSA_sign(3)|DSA_sign(3)>.
-The B<DSA> structure consists of several BIGNUM components.
- struct
-        {
-        BIGNUM *p;              // prime number (public)
-        BIGNUM *q;              // 160-bit subprime, q | p-1 (public)
-        BIGNUM *g;              // generator of subgroup (public)
-        BIGNUM *priv_key;       // private key x
-        BIGNUM *pub_key;        // public key y = g^x
-        // ...
-        }
- DSA;
-In public keys, B<priv_key> is NULL.
-Note that DSA keys may use non-standard B<DSA_METHOD> implementations,
-either directly or by the use of B<ENGINE> modules. In some cases (eg. an
-ENGINE providing support for hardware-embedded keys), these BIGNUM values
-will not be used by the implementation or may be used for alternative data
-storage. For this reason, applications should generally avoid using DSA
-structure elements directly and instead use API functions to query or
-modify keys.
-=head1 CONFORMING TO
-US Federal Information Processing Standard FIPS 186 (Digital Signature
-Standard, DSS), ANSI X9.30
-=head1 SEE ALSO
-L<bn(3)|bn(3)>, L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
-L<rsa(3)|rsa(3)>, L<sha(3)|sha(3)>, L<engine(3)|engine(3)>,
-L<DSA_new(3)|DSA_new(3)>,
-L<DSA_size(3)|DSA_size(3)>,
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
-L<DSA_dup_DH(3)|DSA_dup_DH(3)>,
-L<DSA_generate_key(3)|DSA_generate_key(3)>,
-L<DSA_sign(3)|DSA_sign(3)>, L<DSA_set_method(3)|DSA_set_method(3)>,
-L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
-L<RSA_print(3)|RSA_print(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/ec.pod b/src/lib/libcrypto/doc/ec.pod
deleted file mode 100644
index 891948e4f6..0000000000
--- a/src/lib/libcrypto/doc/ec.pod
+++ /dev/null
@@ -1,201 +0,0 @@
-=pod
-=head1 NAME
-ec - Elliptic Curve functions
-=head1 SYNOPSIS
- #include <openssl/ec.h>
- #include <openssl/bn.h>
- const EC_METHOD *EC_GFp_simple_method(void);
- const EC_METHOD *EC_GFp_mont_method(void);
- const EC_METHOD *EC_GFp_nist_method(void);
- const EC_METHOD *EC_GFp_nistp224_method(void);
- const EC_METHOD *EC_GFp_nistp256_method(void);
- const EC_METHOD *EC_GFp_nistp521_method(void);
- const EC_METHOD *EC_GF2m_simple_method(void);
- EC_GROUP *EC_GROUP_new(const EC_METHOD *meth);
- void EC_GROUP_free(EC_GROUP *group);
- void EC_GROUP_clear_free(EC_GROUP *group);
- int EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src);
- EC_GROUP *EC_GROUP_dup(const EC_GROUP *src);
- const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);
- int EC_METHOD_get_field_type(const EC_METHOD *meth);
- int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
- const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group);
- int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx);
- int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx);
- void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
- int EC_GROUP_get_curve_name(const EC_GROUP *group);
- void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
- int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
- void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
- point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
- unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
- size_t EC_GROUP_get_seed_len(const EC_GROUP *);
- size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
- int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_degree(const EC_GROUP *group);
- int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx);
- int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx);
- int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx);
- EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
- size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems);
- EC_POINT *EC_POINT_new(const EC_GROUP *group);
- void EC_POINT_free(EC_POINT *point);
- void EC_POINT_clear_free(EC_POINT *point);
- int EC_POINT_copy(EC_POINT *dst, const EC_POINT *src);
- EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group);
- const EC_METHOD *EC_POINT_method_of(const EC_POINT *point);
- int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point);
- int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx);
- int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
-        const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx);
- int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
-        const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, int y_bit, BN_CTX *ctx);
- int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
-        const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
-        const BIGNUM *x, int y_bit, BN_CTX *ctx);
- size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p,
-        point_conversion_form_t form,
-        unsigned char *buf, size_t len, BN_CTX *ctx);
- int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *p,
-        const unsigned char *buf, size_t len, BN_CTX *ctx);
- BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
-        point_conversion_form_t form, BIGNUM *, BN_CTX *);
- EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *,
-        EC_POINT *, BN_CTX *);
- char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *,
-        point_conversion_form_t form, BN_CTX *);
- EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *,
-        EC_POINT *, BN_CTX *);
- int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
- int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx);
- int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx);
- int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *p);
- int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx);
- int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
- int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
- int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
- int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, size_t num, const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx);
- int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx);
- int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
- int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
- int EC_GROUP_get_basis_type(const EC_GROUP *);
- int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
- int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, 
-        unsigned int *k2, unsigned int *k3);
- EC_GROUP *d2i_ECPKParameters(EC_GROUP **, const unsigned char **in, long len);
- int i2d_ECPKParameters(const EC_GROUP *, unsigned char **out);
- #define d2i_ECPKParameters_bio(bp,x) ASN1_d2i_bio_of(EC_GROUP,NULL,d2i_ECPKParameters,bp,x)
- #define i2d_ECPKParameters_bio(bp,x) ASN1_i2d_bio_of_const(EC_GROUP,i2d_ECPKParameters,bp,x)
- #define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \
-                (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x))
- #define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \
-                (unsigned char *)(x))
- int     ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
- int     ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
- EC_KEY *EC_KEY_new(void);
- int EC_KEY_get_flags(const EC_KEY *key);
- void EC_KEY_set_flags(EC_KEY *key, int flags);
- void EC_KEY_clear_flags(EC_KEY *key, int flags);
- EC_KEY *EC_KEY_new_by_curve_name(int nid);
- void EC_KEY_free(EC_KEY *key);
- EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
- EC_KEY *EC_KEY_dup(const EC_KEY *src);
- int EC_KEY_up_ref(EC_KEY *key);
- const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
- int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
- const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
- int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv);
- const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
- int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
- unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
- void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
- point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
- void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
- void *EC_KEY_get_key_method_data(EC_KEY *key, 
-        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
- void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
-        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
- void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
- int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
- int EC_KEY_generate_key(EC_KEY *key);
- int EC_KEY_check_key(const EC_KEY *key);
- int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
- EC_KEY *d2i_ECPrivateKey(EC_KEY **key, const unsigned char **in, long len);
- int i2d_ECPrivateKey(EC_KEY *key, unsigned char **out);
- EC_KEY *d2i_ECParameters(EC_KEY **key, const unsigned char **in, long len);
- int i2d_ECParameters(EC_KEY *key, unsigned char **out);
- EC_KEY *o2i_ECPublicKey(EC_KEY **key, const unsigned char **in, long len);
- int i2o_ECPublicKey(EC_KEY *key, unsigned char **out);
- int    ECParameters_print(BIO *bp, const EC_KEY *key);
- int    EC_KEY_print(BIO *bp, const EC_KEY *key, int off);
- int    ECParameters_print_fp(FILE *fp, const EC_KEY *key);
- int    EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off);
- EC_KEY *ECParameters_dup(EC_KEY *key);
- #define EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid) \
-        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_PARAMGEN, \
-                                EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL)
-=head1 DESCRIPTION
-This library provides an extensive set of functions for performing operations on elliptic curves over finite fields.
-In general an elliptic curve is one with an equation of the form:
-y^2 = x^3 + ax + b
-An B<EC_GROUP> structure is used to represent the definition of an elliptic curve. Points on a curve are stored using an
-B<EC_POINT> structure. An B<EC_KEY> is used to hold a private/public key pair, where a private key is simply a BIGNUM and a
-public key is a point on a curve (represented by an B<EC_POINT>).
-The library contains a number of alternative implementations of the different functions. Each implementation is optimised
-for different scenarios. No matter which implementation is being used, the interface remains the same. The library
-handles calling the correct implementation when an interface function is invoked. An implementation is represented by
-an B<EC_METHOD> structure.
-The creation and destruction of B<EC_GROUP> objects is described in L<EC_GROUP_new(3)|EC_GROUP_new(3)>. Functions for
-manipulating B<EC_GROUP> objects are described in L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>.
-Functions for creating, destroying and manipulating B<EC_POINT> objects are explained in L<EC_POINT_new(3)|EC_POINT_new(3)>,
-whilst functions for performing mathematical operations and tests on B<EC_POINTs> are coverd in L<EC_POINT_add(3)|EC_POINT_add(3)>.
-For working with private and public keys refer to L<EC_KEY_new(3)|EC_KEY_new(3)>. Implementations are covered in
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>.
-For information on encoding and decoding curve parameters to and from ASN1 see L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>.
-=head1 SEE ALSO
-L<crypto(3)|crypto(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/engine.pod b/src/lib/libcrypto/doc/engine.pod
deleted file mode 100644
index 31035af398..0000000000
--- a/src/lib/libcrypto/doc/engine.pod
+++ /dev/null
@@ -1,599 +0,0 @@
-=pod
-=head1 NAME
-ENGINE_add, ENGINE_by_id, ENGINE_finish, ENGINE_get_first,
-ENGINE_get_last, ENGINE_get_next, ENGINE_get_prev,
-ENGINE_init, ENGINE_load_builtin_engines, ENGINE_remove
- ENGINE cryptographic module support
-=head1 SYNOPSIS
- #include <openssl/engine.h>
- ENGINE *ENGINE_get_first(void);
- ENGINE *ENGINE_get_last(void);
- ENGINE *ENGINE_get_next(ENGINE *e);
- ENGINE *ENGINE_get_prev(ENGINE *e);
- int ENGINE_add(ENGINE *e);
- int ENGINE_remove(ENGINE *e);
- ENGINE *ENGINE_by_id(const char *id);
- int ENGINE_init(ENGINE *e);
- int ENGINE_finish(ENGINE *e);
- void ENGINE_load_openssl(void);
- void ENGINE_load_dynamic(void);
- void ENGINE_load_cryptodev(void);
- void ENGINE_load_builtin_engines(void);
- void ENGINE_cleanup(void);
- ENGINE *ENGINE_get_default_RSA(void);
- ENGINE *ENGINE_get_default_DSA(void);
- ENGINE *ENGINE_get_default_ECDH(void);
- ENGINE *ENGINE_get_default_ECDSA(void);
- ENGINE *ENGINE_get_default_DH(void);
- ENGINE *ENGINE_get_default_RAND(void);
- ENGINE *ENGINE_get_cipher_engine(int nid);
- ENGINE *ENGINE_get_digest_engine(int nid);
- int ENGINE_set_default_RSA(ENGINE *e);
- int ENGINE_set_default_DSA(ENGINE *e);
- int ENGINE_set_default_ECDH(ENGINE *e);
- int ENGINE_set_default_ECDSA(ENGINE *e);
- int ENGINE_set_default_DH(ENGINE *e);
- int ENGINE_set_default_RAND(ENGINE *e);
- int ENGINE_set_default_ciphers(ENGINE *e);
- int ENGINE_set_default_digests(ENGINE *e);
- int ENGINE_set_default_string(ENGINE *e, const char *list);
- int ENGINE_set_default(ENGINE *e, unsigned int flags);
- unsigned int ENGINE_get_table_flags(void);
- void ENGINE_set_table_flags(unsigned int flags);
- int ENGINE_register_RSA(ENGINE *e);
- void ENGINE_unregister_RSA(ENGINE *e);
- void ENGINE_register_all_RSA(void);
- int ENGINE_register_DSA(ENGINE *e);
- void ENGINE_unregister_DSA(ENGINE *e);
- void ENGINE_register_all_DSA(void);
- int ENGINE_register_ECDH(ENGINE *e);
- void ENGINE_unregister_ECDH(ENGINE *e);
- void ENGINE_register_all_ECDH(void);
- int ENGINE_register_ECDSA(ENGINE *e);
- void ENGINE_unregister_ECDSA(ENGINE *e);
- void ENGINE_register_all_ECDSA(void);
- int ENGINE_register_DH(ENGINE *e);
- void ENGINE_unregister_DH(ENGINE *e);
- void ENGINE_register_all_DH(void);
- int ENGINE_register_RAND(ENGINE *e);
- void ENGINE_unregister_RAND(ENGINE *e);
- void ENGINE_register_all_RAND(void);
- int ENGINE_register_STORE(ENGINE *e);
- void ENGINE_unregister_STORE(ENGINE *e);
- void ENGINE_register_all_STORE(void);
- int ENGINE_register_ciphers(ENGINE *e);
- void ENGINE_unregister_ciphers(ENGINE *e);
- void ENGINE_register_all_ciphers(void);
- int ENGINE_register_digests(ENGINE *e);
- void ENGINE_unregister_digests(ENGINE *e);
- void ENGINE_register_all_digests(void);
- int ENGINE_register_complete(ENGINE *e);
- int ENGINE_register_all_complete(void);
- int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
- int ENGINE_cmd_is_executable(ENGINE *e, int cmd);
- int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
-         long i, void *p, void (*f)(void), int cmd_optional);
- int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
-         int cmd_optional);
- int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg);
- void *ENGINE_get_ex_data(const ENGINE *e, int idx);
- int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
- ENGINE *ENGINE_new(void);
- int ENGINE_free(ENGINE *e);
- int ENGINE_up_ref(ENGINE *e);
- int ENGINE_set_id(ENGINE *e, const char *id);
- int ENGINE_set_name(ENGINE *e, const char *name);
- int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
- int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);
- int ENGINE_set_ECDH(ENGINE *e, const ECDH_METHOD *dh_meth);
- int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *dh_meth);
- int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth);
- int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth);
- int ENGINE_set_STORE(ENGINE *e, const STORE_METHOD *rand_meth);
- int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f);
- int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
- int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
- int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
- int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f);
- int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f);
- int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
- int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
- int ENGINE_set_flags(ENGINE *e, int flags);
- int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns);
- const char *ENGINE_get_id(const ENGINE *e);
- const char *ENGINE_get_name(const ENGINE *e);
- const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e);
- const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e);
- const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *e);
- const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *e);
- const DH_METHOD *ENGINE_get_DH(const ENGINE *e);
- const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e);
- const STORE_METHOD *ENGINE_get_STORE(const ENGINE *e);
- ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e);
- ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e);
- ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
- ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e);
- ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e);
- ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e);
- ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e);
- ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e);
- const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
- const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid);
- int ENGINE_get_flags(const ENGINE *e);
- const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e);
- EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
-     UI_METHOD *ui_method, void *callback_data);
- EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
-     UI_METHOD *ui_method, void *callback_data);
- void ENGINE_add_conf_module(void);
-=head1 DESCRIPTION
-These functions create, manipulate, and use cryptographic modules in the
-form of B<ENGINE> objects. These objects act as containers for
-implementations of cryptographic algorithms, and support a
-reference-counted mechanism to allow them to be dynamically loaded in and
-out of the running application.
-The cryptographic functionality that can be provided by an B<ENGINE>
-implementation includes the following abstractions;
- RSA_METHOD - for providing alternative RSA implementations
- DSA_METHOD, DH_METHOD, RAND_METHOD, ECDH_METHOD, ECDSA_METHOD,
-       STORE_METHOD - similarly for other OpenSSL APIs
- EVP_CIPHER - potentially multiple cipher algorithms (indexed by 'nid')
- EVP_DIGEST - potentially multiple hash algorithms (indexed by 'nid')
- key-loading - loading public and/or private EVP_PKEY keys
-=head2 Reference counting and handles
-Due to the modular nature of the ENGINE API, pointers to ENGINEs need to be
-treated as handles - ie. not only as pointers, but also as references to
-the underlying ENGINE object. Ie. one should obtain a new reference when
-making copies of an ENGINE pointer if the copies will be used (and
-released) independently.
-ENGINE objects have two levels of reference-counting to match the way in
-which the objects are used. At the most basic level, each ENGINE pointer is
-inherently a B<structural> reference - a structural reference is required
-to use the pointer value at all, as this kind of reference is a guarantee
-that the structure can not be deallocated until the reference is released.
-However, a structural reference provides no guarantee that the ENGINE is
-initialised and able to use any of its cryptographic
-implementations. Indeed it's quite possible that most ENGINEs will not
-initialise at all in typical environments, as ENGINEs are typically used to
-support specialised hardware. To use an ENGINE's functionality, you need a
-B<functional> reference. This kind of reference can be considered a
-specialised form of structural reference, because each functional reference
-implicitly contains a structural reference as well - however to avoid
-difficult-to-find programming bugs, it is recommended to treat the two
-kinds of reference independently. If you have a functional reference to an
-ENGINE, you have a guarantee that the ENGINE has been initialised ready to
-perform cryptographic operations and will remain uninitialised
-until after you have released your reference.
-I<Structural references>
-This basic type of reference is used for instantiating new ENGINEs,
-iterating across OpenSSL's internal linked-list of loaded
-ENGINEs, reading information about an ENGINE, etc. Essentially a structural
-reference is sufficient if you only need to query or manipulate the data of
-an ENGINE implementation rather than use its functionality.
-The ENGINE_new() function returns a structural reference to a new (empty)
-ENGINE object. There are other ENGINE API functions that return structural
-references such as; ENGINE_by_id(), ENGINE_get_first(), ENGINE_get_last(),
-ENGINE_get_next(), ENGINE_get_prev(). All structural references should be
-released by a corresponding to call to the ENGINE_free() function - the
-ENGINE object itself will only actually be cleaned up and deallocated when
-the last structural reference is released.
-It should also be noted that many ENGINE API function calls that accept a
-structural reference will internally obtain another reference - typically
-this happens whenever the supplied ENGINE will be needed by OpenSSL after
-the function has returned. Eg. the function to add a new ENGINE to
-OpenSSL's internal list is ENGINE_add() - if this function returns success,
-then OpenSSL will have stored a new structural reference internally so the
-caller is still responsible for freeing their own reference with
-ENGINE_free() when they are finished with it. In a similar way, some
-functions will automatically release the structural reference passed to it
-if part of the function's job is to do so. Eg. the ENGINE_get_next() and
-ENGINE_get_prev() functions are used for iterating across the internal
-ENGINE list - they will return a new structural reference to the next (or
-previous) ENGINE in the list or NULL if at the end (or beginning) of the
-list, but in either case the structural reference passed to the function is
-released on behalf of the caller.
-To clarify a particular function's handling of references, one should
-always consult that function's documentation "man" page, or failing that
-the openssl/engine.h header file includes some hints.
-I<Functional references>
-As mentioned, functional references exist when the cryptographic
-functionality of an ENGINE is required to be available. A functional
-reference can be obtained in one of two ways; from an existing structural
-reference to the required ENGINE, or by asking OpenSSL for the default
-operational ENGINE for a given cryptographic purpose.
-To obtain a functional reference from an existing structural reference,
-call the ENGINE_init() function. This returns zero if the ENGINE was not
-already operational and couldn't be successfully initialised (eg. lack of
-system drivers, no special hardware attached, etc), otherwise it will
-return non-zero to indicate that the ENGINE is now operational and will
-have allocated a new B<functional> reference to the ENGINE. All functional
-references are released by calling ENGINE_finish() (which removes the
-implicit structural reference as well).
-The second way to get a functional reference is by asking OpenSSL for a
-default implementation for a given task, eg. by ENGINE_get_default_RSA(),
-ENGINE_get_default_cipher_engine(), etc. These are discussed in the next
-section, though they are not usually required by application programmers as
-they are used automatically when creating and using the relevant
-algorithm-specific types in OpenSSL, such as RSA, DSA, EVP_CIPHER_CTX, etc.
-=head2 Default implementations
-For each supported abstraction, the ENGINE code maintains an internal table
-of state to control which implementations are available for a given
-abstraction and which should be used by default. These implementations are
-registered in the tables and indexed by an 'nid' value, because
-abstractions like EVP_CIPHER and EVP_DIGEST support many distinct
-algorithms and modes, and ENGINEs can support arbitrarily many of them.
-In the case of other abstractions like RSA, DSA, etc, there is only one
-"algorithm" so all implementations implicitly register using the same 'nid'
-index.
-When a default ENGINE is requested for a given abstraction/algorithm/mode, (eg.
-when calling RSA_new_method(NULL)), a "get_default" call will be made to the
-ENGINE subsystem to process the corresponding state table and return a
-functional reference to an initialised ENGINE whose implementation should be
-used. If no ENGINE should (or can) be used, it will return NULL and the caller
-will operate with a NULL ENGINE handle - this usually equates to using the
-conventional software implementation. In the latter case, OpenSSL will from
-then on behave the way it used to before the ENGINE API existed.
-Each state table has a flag to note whether it has processed this
-"get_default" query since the table was last modified, because to process
-this question it must iterate across all the registered ENGINEs in the
-table trying to initialise each of them in turn, in case one of them is
-operational. If it returns a functional reference to an ENGINE, it will
-also cache another reference to speed up processing future queries (without
-needing to iterate across the table). Likewise, it will cache a NULL
-response if no ENGINE was available so that future queries won't repeat the
-same iteration unless the state table changes. This behaviour can also be
-changed; if the ENGINE_TABLE_FLAG_NOINIT flag is set (using
-ENGINE_set_table_flags()), no attempted initialisations will take place,
-instead the only way for the state table to return a non-NULL ENGINE to the
-"get_default" query will be if one is expressly set in the table. Eg.
-ENGINE_set_default_RSA() does the same job as ENGINE_register_RSA() except
-that it also sets the state table's cached response for the "get_default"
-query. In the case of abstractions like EVP_CIPHER, where implementations are
-indexed by 'nid', these flags and cached-responses are distinct for each 'nid'
-value.
-=head2 Application requirements
-This section will explain the basic things an application programmer should
-support to make the most useful elements of the ENGINE functionality
-available to the user. The first thing to consider is whether the
-programmer wishes to make alternative ENGINE modules available to the
-application and user. OpenSSL maintains an internal linked list of
-"visible" ENGINEs from which it has to operate - at start-up, this list is
-empty and in fact if an application does not call any ENGINE API calls and
-it uses static linking against openssl, then the resulting application
-binary will not contain any alternative ENGINE code at all. So the first
-consideration is whether any/all available ENGINE implementations should be
-made visible to OpenSSL - this is controlled by calling the various "load"
-functions, eg.
- /* Make ALL ENGINE implementations bundled with OpenSSL available */
- ENGINE_load_builtin_engines();
-Note that ENGINE_load_dynamic(void) is a placeholder and does not enable
-dynamic engine loading support.
-Having called any of these functions, ENGINE objects would have been
-dynamically allocated and populated with these implementations and linked
-into OpenSSL's internal linked list. At this point it is important to
-mention an important API function;
- void ENGINE_cleanup(void);
-If no ENGINE API functions are called at all in an application, then there
-are no inherent memory leaks to worry about from the ENGINE functionality,
-however if any ENGINEs are loaded, even if they are never registered or
-used, it is necessary to use the ENGINE_cleanup() function to
-correspondingly cleanup before program exit, if the caller wishes to avoid
-memory leaks. This mechanism uses an internal callback registration table
-so that any ENGINE API functionality that knows it requires cleanup can
-register its cleanup details to be called during ENGINE_cleanup(). This
-approach allows ENGINE_cleanup() to clean up after any ENGINE functionality
-at all that your program uses, yet doesn't automatically create linker
-dependencies to all possible ENGINE functionality - only the cleanup
-callbacks required by the functionality you do use will be required by the
-linker.
-The fact that ENGINEs are made visible to OpenSSL (and thus are linked into
-the program and loaded into memory at run-time) does not mean they are
-"registered" or called into use by OpenSSL automatically - that behaviour
-is something for the application to control. Some applications
-will want to allow the user to specify exactly which ENGINE they want used
-if any is to be used at all. Others may prefer to load all support and have
-OpenSSL automatically use at run-time any ENGINE that is able to
-successfully initialise - ie. to assume that this corresponds to
-acceleration hardware attached to the machine or some such thing. There are
-probably numerous other ways in which applications may prefer to handle
-things, so we will simply illustrate the consequences as they apply to a
-couple of simple cases and leave developers to consider these and the
-source code to openssl's builtin utilities as guides.
-I<Using a specific ENGINE implementation>
-Here we'll assume an application has been configured by its user or admin
-to want to use the "ACME" ENGINE if it is available in the version of
-OpenSSL the application was compiled with. If it is available, it should be
-used by default for all RSA, DSA, and symmetric cipher operation, otherwise
-OpenSSL should use its builtin software as per usual. The following code
-illustrates how to approach this;
- ENGINE *e;
- const char *engine_id = "ACME";
- ENGINE_load_builtin_engines();
- e = ENGINE_by_id(engine_id);
- if (!e)
-     /* the engine isn't available */
-     return;
- if (!ENGINE_init(e)) {
-     /* the engine couldn't initialise, release 'e' */
-     ENGINE_free(e);
-     return;
- }
- if (!ENGINE_set_default_RSA(e))
-     /* This should only happen when 'e' can't initialise, but the previous
-      * statement suggests it did. */
-     abort();
- ENGINE_set_default_DSA(e);
- ENGINE_set_default_ciphers(e);
- /* Release the functional reference from ENGINE_init() */
- ENGINE_finish(e);
- /* Release the structural reference from ENGINE_by_id() */
- ENGINE_free(e);
-I<Automatically using builtin ENGINE implementations>
-Here we'll assume we want to load and register all ENGINE implementations
-bundled with OpenSSL, such that for any cryptographic algorithm required by
-OpenSSL - if there is an ENGINE that implements it and can be initialise,
-it should be used. The following code illustrates how this can work;
- /* Load all bundled ENGINEs into memory and make them visible */
- ENGINE_load_builtin_engines();
- /* Register all of them for every algorithm they collectively implement */
- ENGINE_register_all_complete();
-That's all that's required. Eg. the next time OpenSSL tries to set up an
-RSA key, any bundled ENGINEs that implement RSA_METHOD will be passed to
-ENGINE_init() and if any of those succeed, that ENGINE will be set as the
-default for RSA use from then on.
-=head2 Advanced configuration support
-There is a mechanism supported by the ENGINE framework that allows each
-ENGINE implementation to define an arbitrary set of configuration
-"commands" and expose them to OpenSSL and any applications based on
-OpenSSL. This mechanism is entirely based on the use of name-value pairs
-and assumes ASCII input (no unicode or UTF for now!), so it is ideal if
-applications want to provide a transparent way for users to provide
-arbitrary configuration "directives" directly to such ENGINEs. It is also
-possible for the application to dynamically interrogate the loaded ENGINE
-implementations for the names, descriptions, and input flags of their
-available "control commands", providing a more flexible configuration
-scheme. However, if the user is expected to know which ENGINE device he/she
-is using (in the case of specialised hardware, this goes without saying)
-then applications may not need to concern themselves with discovering the
-supported control commands and simply prefer to pass settings into ENGINEs
-exactly as they are provided by the user.
-Before illustrating how control commands work, it is worth mentioning what
-they are typically used for. Broadly speaking there are two uses for
-control commands; the first is to provide the necessary details to the
-implementation (which may know nothing at all specific to the host system)
-so that it can be initialised for use. This could include the path to any
-driver or config files it needs to load, required network addresses,
-smart-card identifiers, passwords to initialise protected devices,
-logging information, etc etc. This class of commands typically needs to be
-passed to an ENGINE B<before> attempting to initialise it, ie. before
-calling ENGINE_init(). The other class of commands consist of settings or
-operations that tweak certain behaviour or cause certain operations to take
-place, and these commands may work either before or after ENGINE_init(), or
-in some cases both. ENGINE implementations should provide indications of
-this in the descriptions attached to builtin control commands and/or in
-external product documentation.
-I<Issuing control commands to an ENGINE>
-Let's illustrate by example; a function for which the caller supplies the
-name of the ENGINE it wishes to use, a table of string-pairs for use before
-initialisation, and another table for use after initialisation. Note that
-the string-pairs used for control commands consist of a command "name"
-followed by the command "parameter" - the parameter could be NULL in some
-cases but the name can not. This function should initialise the ENGINE
-(issuing the "pre" commands beforehand and the "post" commands afterwards)
-and set it as the default for everything except RAND and then return a
-boolean success or failure.
- int
- generic_load_engine_fn(const char *engine_id,
-     const char **pre_cmds, int pre_num,
-     const char **post_cmds, int post_num)
- {
-        ENGINE *e = ENGINE_by_id(engine_id);
-        if (!e)
-                return 0;
-        while (pre_num--) {
-                if (!ENGINE_ctrl_cmd_string(e,
-                    pre_cmds[0], pre_cmds[1], 0)) {
-                        fprintf(stderr,
-                            "Failed command (%s - %s:%s)\n",
-                            engine_id, pre_cmds[0],
-                            pre_cmds[1] ? pre_cmds[1] : "(NULL)");
-                        ENGINE_free(e);
-                        return 0;
-                }
-                pre_cmds += 2;
-        }
-        if (!ENGINE_init(e)) {
-                fprintf(stderr, "Failed initialisation\n");
-                ENGINE_free(e);
-                return 0;
-        }
-        /*
-         * ENGINE_init() returned a functional reference,
-         * so free the structural reference from
-         * ENGINE_by_id().
-         */
-        ENGINE_free(e);
-        while (post_num--) {
-                if (!ENGINE_ctrl_cmd_string(e,
-                    post_cmds[0], post_cmds[1], 0)) {
-                        fprintf(stderr,
-                            "Failed command (%s - %s:%s)\n",
-                            engine_id, post_cmds[0],
-                            post_cmds[1] ? post_cmds[1] : "(NULL)");
-                        ENGINE_finish(e);
-                        return 0;
-                }
-                post_cmds += 2;
-        }
-        ENGINE_set_default(e, ENGINE_METHOD_ALL & ~ENGINE_METHOD_RAND);
-        /* Success */
-        return 1;
-}
-Note that ENGINE_ctrl_cmd_string() accepts a boolean argument that can
-relax the semantics of the function - if set non-zero it will only return
-failure if the ENGINE supported the given command name but failed while
-executing it, if the ENGINE doesn't support the command name it will simply
-return success without doing anything. In this case we assume the user is
-only supplying commands specific to the given ENGINE so we set this to
-FALSE.
-I<Discovering supported control commands>
-It is possible to discover at run-time the names, numerical-ids, descriptions
-and input parameters of the control commands supported by an ENGINE using a
-structural reference. Note that some control commands are defined by OpenSSL
-itself and it will intercept and handle these control commands on behalf of the
-ENGINE, ie. the ENGINE's ctrl() handler is not used for the control command.
-openssl/engine.h defines an index, ENGINE_CMD_BASE, that all control commands
-implemented by ENGINEs should be numbered from. Any command value lower than
-this symbol is considered a "generic" command is handled directly by the
-OpenSSL core routines.
-It is using these "core" control commands that one can discover the control
-commands implemented by a given ENGINE, specifically the commands;
- #define ENGINE_HAS_CTRL_FUNCTION               10
- #define ENGINE_CTRL_GET_FIRST_CMD_TYPE         11
- #define ENGINE_CTRL_GET_NEXT_CMD_TYPE          12
- #define ENGINE_CTRL_GET_CMD_FROM_NAME          13
- #define ENGINE_CTRL_GET_NAME_LEN_FROM_CMD      14
- #define ENGINE_CTRL_GET_NAME_FROM_CMD          15
- #define ENGINE_CTRL_GET_DESC_LEN_FROM_CMD      16
- #define ENGINE_CTRL_GET_DESC_FROM_CMD          17
- #define ENGINE_CTRL_GET_CMD_FLAGS              18
-Whilst these commands are automatically processed by the OpenSSL framework code,
-they use various properties exposed by each ENGINE to process these
-queries. An ENGINE has 3 properties it exposes that can affect how this behaves;
-it can supply a ctrl() handler, it can specify ENGINE_FLAGS_MANUAL_CMD_CTRL in
-the ENGINE's flags, and it can expose an array of control command descriptions.
-If an ENGINE specifies the ENGINE_FLAGS_MANUAL_CMD_CTRL flag, then it will
-simply pass all these "core" control commands directly to the ENGINE's ctrl()
-handler (and thus, it must have supplied one), so it is up to the ENGINE to
-reply to these "discovery" commands itself. If that flag is not set, then the
-OpenSSL framework code will work with the following rules;
- if no ctrl() handler supplied;
-     ENGINE_HAS_CTRL_FUNCTION returns FALSE (zero),
-     all other commands fail.
- if a ctrl() handler was supplied but no array of control commands;
-     ENGINE_HAS_CTRL_FUNCTION returns TRUE,
-     all other commands fail.
- if a ctrl() handler and array of control commands was supplied;
-     ENGINE_HAS_CTRL_FUNCTION returns TRUE,
-     all other commands proceed processing ...
-If the ENGINE's array of control commands is empty then all other commands will
-fail, otherwise; ENGINE_CTRL_GET_FIRST_CMD_TYPE returns the identifier of
-the first command supported by the ENGINE, ENGINE_GET_NEXT_CMD_TYPE takes the
-identifier of a command supported by the ENGINE and returns the next command
-identifier or fails if there are no more, ENGINE_CMD_FROM_NAME takes a string
-name for a command and returns the corresponding identifier or fails if no such
-command name exists, and the remaining commands take a command identifier and
-return properties of the corresponding commands. All except
-ENGINE_CTRL_GET_FLAGS return the string length of a command name or description,
-or populate a supplied character buffer with a copy of the command name or
-description. ENGINE_CTRL_GET_FLAGS returns a bitwise-OR'd mask of the following
-possible values;
- #define ENGINE_CMD_FLAG_NUMERIC                (unsigned int)0x0001
- #define ENGINE_CMD_FLAG_STRING                 (unsigned int)0x0002
- #define ENGINE_CMD_FLAG_NO_INPUT               (unsigned int)0x0004
- #define ENGINE_CMD_FLAG_INTERNAL               (unsigned int)0x0008
-If the ENGINE_CMD_FLAG_INTERNAL flag is set, then any other flags are purely
-informational to the caller - this flag will prevent the command being usable
-for any higher-level ENGINE functions such as ENGINE_ctrl_cmd_string().
-"INTERNAL" commands are not intended to be exposed to text-based configuration
-by applications, administrations, users, etc. These can support arbitrary
-operations via ENGINE_ctrl(), including passing to and/or from the control
-commands data of any arbitrary type. These commands are supported in the
-discovery mechanisms simply allow applications to determine if an ENGINE
-supports certain specific commands it might want to use (eg. application "foo"
-might query various ENGINEs to see if they implement "FOO_GET_VENDOR_LOGO_GIF" -
-and ENGINE could therefore decide whether or not to support this "foo"-specific
-extension).
-=head2 Future developments
-The ENGINE API and internal architecture is currently being reviewed. Slated for
-possible release in 0.9.8 is support for transparent loading of "dynamic"
-ENGINEs (built as self-contained shared-libraries). This would allow ENGINE
-implementations to be provided independently of OpenSSL libraries and/or
-OpenSSL-based applications, and would also remove any requirement for
-applications to explicitly use the "dynamic" ENGINE to bind to shared-library
-implementations.
-=head1 SEE ALSO
-L<rsa(3)|rsa(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rand(3)|rand(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/evp.pod b/src/lib/libcrypto/doc/evp.pod
deleted file mode 100644
index dfd96d3b98..0000000000
--- a/src/lib/libcrypto/doc/evp.pod
+++ /dev/null
@@ -1,107 +0,0 @@
-=pod
-=head1 NAME
-evp - high-level cryptographic functions
-=head1 SYNOPSIS
- #include <openssl/evp.h>
-=head1 DESCRIPTION
-The EVP library provides a high-level interface to cryptographic
-functions.
-L<B<EVP_Seal>I<...>|EVP_SealInit(3)> and L<B<EVP_Open>I<...>|EVP_OpenInit(3)>
-provide public key encryption and decryption to implement digital "envelopes".
-The L<B<EVP_DigestSign>I<...>|EVP_DigestSignInit(3)> and
-L<B<EVP_DigestVerify>I<...>|EVP_DigestVerifyInit(3)> functions implement
-digital signatures and Message Authentication Codes (MACs). Also see the older
-L<B<EVP_Sign>I<...>|EVP_SignInit(3)> and L<B<EVP_Verify>I<...>|EVP_VerifyInit(3)>
-functions.
-Symmetric encryption is available with the L<B<EVP_Encrypt>I<...>|EVP_EncryptInit(3)>
-functions.  The L<B<EVP_Digest>I<...>|EVP_DigestInit(3)> functions provide message digests.
-Authenticated encryption with additional data (AEAD) is available with
-the L<B<EVP_AEAD>I<...>|EVP_AEAD_CTX_init(3)> functions.
-The B<EVP_PKEY>I<...> functions provide a high level interface to
-asymmetric algorithms. To create a new EVP_PKEY see
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>. EVP_PKEYs can be associated
-with a private key of a particular algorithm by using the functions
-described on the L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)> page, or
-new keys can be generated using L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>.
-EVP_PKEYs can be compared using L<EVP_PKEY_cmp(3)|EVP_PKEY_cmp(3)>, or printed using
-L<EVP_PKEY_print_private(3)|EVP_PKEY_print_private(3)>.
-The EVP_PKEY functions support the full range of asymmetric algorithm operations:
-=over
-=item For key agreement see L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-=item For signing and verifying see L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)> and L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>.
-However, note that
-these functions do not perform a digest of the data to be signed. Therefore
-normally you would use the L<B<EVP_DigestSign>I<...>|EVP_DigestSignInit(3)>
-functions for this purpose.
-=item For encryption and decryption see L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>
-and L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)> respectively. However, note that
-these functions perform encryption and decryption only. As public key
-encryption is an expensive operation, normally you would wrap
-an encrypted message in a "digital envelope" using the L<B<EVP_Seal>I<...>|EVP_SealInit(3)> and
-L<B<EVP_Open>I<...>|EVP_OpenInit(3)> functions.
-=back
-The L<EVP_BytesToKey(3)|EVP_BytesToKey(3)> function provides some limited support for password
-based encryption. Careful selection of the parameters will provide a PKCS#5 PBKDF1 compatible
-implementation. However, new applications should not typically use this (preferring, for example,
-PBKDF2 from PCKS#5).
-Algorithms are loaded with L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>.
-All the symmetric algorithms (ciphers), digests and asymmetric algorithms
-(public key algorithms) can be replaced by L<ENGINE|engine(3)> modules providing alternative
-implementations. If ENGINE implementations of ciphers or digests are registered
-as defaults, then the various EVP functions will automatically use those
-implementations automatically in preference to built in software
-implementations. For more information, consult the engine(3) man page.
-Although low level algorithm specific functions exist for many algorithms
-their use is discouraged. They cannot be used with an ENGINE and ENGINE
-versions of new algorithms cannot be accessed using the low level functions.
-Also makes code harder to adapt to new algorithms and some options are not
-cleanly supported at the low level and some operations are more efficient
-using the high level interface.
-=head1 SEE ALSO
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<EVP_AEAD_CTX_init(3)|EVP_AEAD_CTX_init(3)>,
-L<EVP_OpenInit(3)|EVP_OpenInit(3)>,
-L<EVP_SealInit(3)|EVP_SealInit(3)>,
-L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)>,
-L<EVP_SignInit(3)|EVP_SignInit(3)>,
-L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>,
-L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)>,
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>,
-L<EVP_PKEY_print_private(3)|EVP_PKEY_print_private(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>,
-L<EVP_BytesToKey(3)|EVP_BytesToKey(3)>,
-L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>,
-L<engine(3)|engine(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/i2d_CMS_bio_stream.pod b/src/lib/libcrypto/doc/i2d_CMS_bio_stream.pod
deleted file mode 100644
index 558bdd0812..0000000000
--- a/src/lib/libcrypto/doc/i2d_CMS_bio_stream.pod
+++ /dev/null
@@ -1,44 +0,0 @@
-=pod
-=head1 NAME
- i2d_CMS_bio_stream - output CMS_ContentInfo structure in BER format.
-=head1 SYNOPSIS
- #include <openssl/cms.h>
- int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
-=head1 DESCRIPTION
-i2d_CMS_bio_stream() outputs a CMS_ContentInfo structure in BER format.
-It is otherwise identical to the function SMIME_write_CMS().
-=head1 NOTES
-This function is effectively a version of the i2d_CMS_bio() supporting
-streaming.
-=head1 BUGS
-The prefix "i2d" is arguably wrong because the function outputs BER format.
-=head1 RETURN VALUES
-i2d_CMS_bio_stream() returns 1 for success or 0 for failure.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>,
-L<SMIME_write_CMS(3)|SMIME_write_CMS(3)>,
-L<PEM_write_bio_CMS_stream(3)|PEM_write_bio_CMS_stream(3)>
-=head1 HISTORY
-i2d_CMS_bio_stream() was added to OpenSSL 1.0.0
-=cut
diff --git a/src/lib/libcrypto/doc/i2d_PKCS7_bio_stream.pod b/src/lib/libcrypto/doc/i2d_PKCS7_bio_stream.pod
deleted file mode 100644
index a37231e267..0000000000
--- a/src/lib/libcrypto/doc/i2d_PKCS7_bio_stream.pod
+++ /dev/null
@@ -1,44 +0,0 @@
-=pod
-=head1 NAME
-i2d_PKCS7_bio_stream - output PKCS7 structure in BER format.
-=head1 SYNOPSIS
- #include <openssl/pkcs7.h>
- int i2d_PKCS7_bio_stream(BIO *out, PKCS7 *p7, BIO *data, int flags);
-=head1 DESCRIPTION
-i2d_PKCS7_bio_stream() outputs a PKCS7 structure in BER format.
-It is otherwise identical to the function SMIME_write_PKCS7().
-=head1 NOTES
-This function is effectively a version of the d2i_PKCS7_bio() supporting
-streaming.
-=head1 BUGS
-The prefix "i2d" is arguably wrong because the function outputs BER format.
-=head1 RETURN VALUES
-i2d_PKCS7_bio_stream() returns 1 for success or 0 for failure.
-=head1 SEE ALSO
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>,
-L<SMIME_write_PKCS7(3)|SMIME_write_PKCS7(3)>,
-L<PEM_write_bio_PKCS7_stream(3)|PEM_write_bio_PKCS7_stream(3)>
-=head1 HISTORY
-i2d_PKCS7_bio_stream() was added to OpenSSL 1.0.0
-=cut
diff --git a/src/lib/libcrypto/doc/lh_stats.pod b/src/lib/libcrypto/doc/lh_stats.pod
deleted file mode 100644
index 15f97b5545..0000000000
--- a/src/lib/libcrypto/doc/lh_stats.pod
+++ /dev/null
@@ -1,60 +0,0 @@
-=pod
-=head1 NAME
-lh_stats, lh_node_stats, lh_node_usage_stats, lh_stats_bio,
-lh_node_stats_bio, lh_node_usage_stats_bio - LHASH statistics
-=head1 SYNOPSIS
- #include <openssl/lhash.h>
- void lh_stats(LHASH *table, FILE *out);
- void lh_node_stats(LHASH *table, FILE *out);
- void lh_node_usage_stats(LHASH *table, FILE *out);
- void lh_stats_bio(LHASH *table, BIO *out);
- void lh_node_stats_bio(LHASH *table, BIO *out);
- void lh_node_usage_stats_bio(LHASH *table, BIO *out);
-=head1 DESCRIPTION
-The B<LHASH> structure records statistics about most aspects of
-accessing the hash table.  This is mostly a legacy of Eric Young
-writing this library for the reasons of implementing what looked like
-a nice algorithm rather than for a particular software product.
-lh_stats() prints out statistics on the size of the hash table, how
-many entries are in it, and the number and result of calls to the
-routines in this library.
-lh_node_stats() prints the number of entries for each 'bucket' in the
-hash table.
-lh_node_usage_stats() prints out a short summary of the state of the
-hash table.  It prints the 'load' and the 'actual load'.  The load is
-the average number of data items per 'bucket' in the hash table.  The
-'actual load' is the average number of items per 'bucket', but only
-for buckets which contain entries.  So the 'actual load' is the
-average number of searches that will need to find an item in the hash
-table, while the 'load' is the average number that will be done to
-record a miss.
-lh_stats_bio(), lh_node_stats_bio() and lh_node_usage_stats_bio()
-are the same as the above, except that the output goes to a B<BIO>.
-=head1 RETURN VALUES
-These functions do not return values.
-=head1 SEE ALSO
-L<bio(3)|bio(3)>, L<lh_new(3)|lh_new(3)>
-=head1 HISTORY
-These functions are available in all versions of SSLeay and OpenSSL.
-This manpage is derived from the SSLeay documentation.
-=cut
diff --git a/src/lib/libcrypto/doc/rsa.pod b/src/lib/libcrypto/doc/rsa.pod
deleted file mode 100644
index 829ce24701..0000000000
--- a/src/lib/libcrypto/doc/rsa.pod
+++ /dev/null
@@ -1,123 +0,0 @@
-=pod
-=head1 NAME
-rsa - RSA public key cryptosystem
-=head1 SYNOPSIS
- #include <openssl/rsa.h>
- #include <openssl/engine.h>
- RSA * RSA_new(void);
- void RSA_free(RSA *rsa);
- int RSA_public_encrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa, int padding);
- int RSA_private_decrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa, int padding);
- int RSA_private_encrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa,int padding);
- int RSA_public_decrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa,int padding);
- int RSA_sign(int type, unsigned char *m, unsigned int m_len,
-    unsigned char *sigret, unsigned int *siglen, RSA *rsa);
- int RSA_verify(int type, unsigned char *m, unsigned int m_len,
-    unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
- int RSA_size(const RSA *rsa);
- RSA *RSA_generate_key(int num, unsigned long e,
-    void (*callback)(int,int,void *), void *cb_arg);
- int RSA_check_key(RSA *rsa);
- int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
- void RSA_blinding_off(RSA *rsa);
- void RSA_set_default_method(const RSA_METHOD *meth);
- const RSA_METHOD *RSA_get_default_method(void);
- int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
- const RSA_METHOD *RSA_get_method(const RSA *rsa);
- RSA_METHOD *RSA_PKCS1_SSLeay(void);
- RSA_METHOD *RSA_null_method(void);
- int RSA_flags(const RSA *rsa);
- RSA *RSA_new_method(ENGINE *engine);
- int RSA_print(BIO *bp, RSA *x, int offset);
- int RSA_print_fp(FILE *fp, RSA *x, int offset);
- int RSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
-    int (*dup_func)(), void (*free_func)());
- int RSA_set_ex_data(RSA *r,int idx,char *arg);
- char *RSA_get_ex_data(RSA *r, int idx);
- int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
-    unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
-    RSA *rsa);
- int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
-    unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
-    RSA *rsa);
-=head1 DESCRIPTION
-These functions implement RSA public key encryption and signatures
-as defined in PKCS #1 v2.0 [RFC 2437].
-The B<RSA> structure consists of several BIGNUM components. It can
-contain public as well as private RSA keys:
- struct
-        {
-        BIGNUM *n;              // public modulus
-        BIGNUM *e;              // public exponent
-        BIGNUM *d;              // private exponent
-        BIGNUM *p;              // secret prime factor
-        BIGNUM *q;              // secret prime factor
-        BIGNUM *dmp1;           // d mod (p-1)
-        BIGNUM *dmq1;           // d mod (q-1)
-        BIGNUM *iqmp;           // q^-1 mod p
-        // ...
-        };
- RSA
-In public keys, the private exponent and the related secret values are
-B<NULL>.
-B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp> may be B<NULL> in private
-keys, but the RSA operations are much faster when these values are
-available.
-Note that RSA keys may use non-standard B<RSA_METHOD> implementations,
-either directly or by the use of B<ENGINE> modules. In some cases (eg. an
-ENGINE providing support for hardware-embedded keys), these BIGNUM values
-will not be used by the implementation or may be used for alternative data
-storage. For this reason, applications should generally avoid using RSA
-structure elements directly and instead use API functions to query or
-modify keys.
-=head1 CONFORMING TO
-SSL, PKCS #1 v2.0
-=head1 PATENTS
-RSA was covered by a US patent which expired in September 2000.
-=head1 SEE ALSO
-L<rsa(1)|rsa(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>,
-L<rand(3)|rand(3)>, L<engine(3)|engine(3)>, L<RSA_new(3)|RSA_new(3)>,
-L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
-L<RSA_sign(3)|RSA_sign(3)>, L<RSA_size(3)|RSA_size(3)>,
-L<RSA_generate_key(3)|RSA_generate_key(3)>,
-L<RSA_check_key(3)|RSA_check_key(3)>,
-L<RSA_blinding_on(3)|RSA_blinding_on(3)>,
-L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>,
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
-L<RSA_sign_ASN1_OCTET_STRING(3)|RSA_sign_ASN1_OCTET_STRING(3)>,
-L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)>
-=cut
diff --git a/src/lib/libcrypto/doc/x509.pod b/src/lib/libcrypto/doc/x509.pod
deleted file mode 100644
index f9e58e0e41..0000000000
--- a/src/lib/libcrypto/doc/x509.pod
+++ /dev/null
@@ -1,64 +0,0 @@
-=pod
-=head1 NAME
-x509 - X.509 certificate handling
-=head1 SYNOPSIS
- #include <openssl/x509.h>
-=head1 DESCRIPTION
-A X.509 certificate is a structured grouping of information about
-an individual, a device, or anything one can imagine.  A X.509 CRL
-(certificate revocation list) is a tool to help determine if a
-certificate is still valid.  The exact definition of those can be
-found in the X.509 document from ITU-T, or in RFC3280 from PKIX.
-In OpenSSL, the type X509 is used to express such a certificate, and
-the type X509_CRL is used to express a CRL.
-A related structure is a certificate request, defined in PKCS#10 from
-RSA Security, Inc, also reflected in RFC2896.  In OpenSSL, the type
-X509_REQ is used to express such a certificate request.
-To handle some complex parts of a certificate, there are the types
-X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express
-a certificate attributes), X509_EXTENSION (to express a certificate
-extension) and a few more.
-Finally, there's the supertype X509_INFO, which can contain a CRL, a
-certificate and a corresponding private key.
-B<X509_>I<...>, B<d2i_X509_>I<...> and B<i2d_X509_>I<...> handle X.509
-certificates, with some exceptions, shown below.
-B<X509_CRL_>I<...>, B<d2i_X509_CRL_>I<...> and B<i2d_X509_CRL_>I<...>
-handle X.509 CRLs.
-B<X509_REQ_>I<...>, B<d2i_X509_REQ_>I<...> and B<i2d_X509_REQ_>I<...>
-handle PKCS#10 certificate requests.
-B<X509_NAME_>I<...> handle certificate names.
-B<X509_ATTRIBUTE_>I<...> handle certificate attributes.
-B<X509_EXTENSION_>I<...> handle certificate extensions.
-=head1 SEE ALSO
-L<X509_NAME_ENTRY_get_object(3)|X509_NAME_ENTRY_get_object(3)>,
-L<X509_NAME_add_entry_by_txt(3)|X509_NAME_add_entry_by_txt(3)>,
-L<X509_NAME_add_entry_by_NID(3)|X509_NAME_add_entry_by_NID(3)>,
-L<X509_NAME_print_ex(3)|X509_NAME_print_ex(3)>,
-L<X509_NAME_new(3)|X509_NAME_new(3)>,
-L<d2i_X509(3)|d2i_X509(3)>,
-L<d2i_X509_ALGOR(3)|d2i_X509_ALGOR(3)>,
-L<d2i_X509_CRL(3)|d2i_X509_CRL(3)>,
-L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
-L<d2i_X509_REQ(3)|d2i_X509_REQ(3)>,
-L<d2i_X509_SIG(3)|d2i_X509_SIG(3)>,
-L<crypto(3)|crypto(3)>,
-L<x509v3(3)|x509v3(3)>
-=cut