21 files changed, 583 insertions, 30 deletions
diff --git a/src/lib/libssl/src/doc/apps/config.pod b/src/lib/libssl/src/doc/apps/config.pod
index ce874a42ce..8f823fa6d6 100644
--- a/src/lib/libssl/src/doc/apps/config.pod
+++ b/src/lib/libssl/src/doc/apps/config.pod
@@ -10,7 +10,8 @@ config - OpenSSL CONF library configuration files
 The OpenSSL CONF library can be used to read configuration files.
 It is used for the OpenSSL master configuration file B<openssl.cnf>
 and in a few other places like B<SPKAC> files and certificate extension
-files for the B<x509> utility.
+files for the B<x509> utility. OpenSSL applications can also use the
+CONF library for their own purposes.
 A configuration file is divided into a number of sections. Each section
 starts with a line B<[ section_name ]> and ends when a new section is
@@ -51,13 +52,146 @@ or the B<\> character. By making the last character of a line a B<\>
 a B<value> string can be spread across multiple lines. In addition
 the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.
+=head1 OPENSSL LIBRARY CONFIGURATION
+In OpenSSL 0.9.7 and later applications can automatically configure certain
+aspects of OpenSSL using the master OpenSSL configuration file, or optionally
+an alternative configuration file. The B<openssl> utility includes this
+functionality: any sub command uses the master OpenSSL configuration file
+unless an option is used in the sub command to use an alternative configuration
+file.
+To enable library configuration the default section needs to contain an 
+appropriate line which points to the main configuration section. The default
+name is B<openssl_conf> which is used by the B<openssl> utility. Other
+applications may use an alternative name such as B<myapplicaton_conf>.
+The configuration section should consist of a set of name value pairs which
+contain specific module configuration information. The B<name> represents
+the name of the I<configuration module> the meaning of the B<value> is 
+module specific: it may, for example, represent a further configuration
+section containing configuration module specific information. E.g.
+ openssl_conf = openssl_init
+ [openssl_init]
+ oid_section = new_oids
+ engines = engine_section
+ [new_oids]
+ ... new oids here ...
+ [engine_section]
+ ... engine stuff here ...
+Currently there are two configuration modules. One for ASN1 objects another
+for ENGINE configuration.
+=head2 ASN1 OBJECT CONFIGURATION MODULE
+This module has the name B<oid_section>. The value of this variable points
+to a section containing name value pairs of OIDs: the name is the OID short
+and long name, the value is the numerical form of the OID. Although some of
+the B<openssl> utility sub commands already have their own ASN1 OBJECT section
+functionality not all do. By using the ASN1 OBJECT configuration module
+B<all> the B<openssl> utility sub commands can see the new objects as well
+as any compliant applications. For example:
+ [new_oids]
+ 
+ some_new_oid = 1.2.3.4
+ some_other_oid = 1.2.3.5
+=head2 ENGINE CONFIGURATION MODULE
+This ENGINE configuration module has the name B<engines>. The value of this
+variable points to a section containing further ENGINE configuration
+information.
+The section pointed to by B<engines> is a table of engine names (though see
+B<engine_id> below) and further sections containing configuration informations
+specific to each ENGINE.
+Each ENGINE specific section is used to set default algorithms, load
+dynamic, perform initialization and send ctrls. The actual operation performed
+depends on the I<command> name which is the name of the name value pair. The
+currently supported commands are listed below.
+For example:
+ [engine_section]
+ # Configure ENGINE named "foo"
+ foo = foo_section
+ # Configure ENGINE named "bar"
+ bar = bar_section
+ [foo_section]
+ ... foo ENGINE specific commands ...
+ [bar_section]
+ ... "bar" ENGINE specific commands ...
+The command B<engine_id> is used to give the ENGINE name. If used this 
+command must be first. For example:
+ [engine_section]
+ # This would normally handle an ENGINE named "foo"
+ foo = foo_section
+ [foo_section]
+ # Override default name and use "myfoo" instead.
+ engine_id = myfoo
+The command B<dynamic_path> loads and adds an ENGINE from the given path. It
+is equivalent to sending the ctrls B<SO_PATH> with the path argument followed
+by B<LIST_ADD> with value 2 and B<LOAD> to the dynamic ENGINE. If this is
+not the required behaviour then alternative ctrls can be sent directly
+to the dynamic ENGINE using ctrl commands.
+The command B<init> determines whether to initialize the ENGINE. If the value
+is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to
+initialized the ENGINE immediately. If the B<init> command is not present
+then an attempt will be made to initialize the ENGINE after all commands in
+its section have been processed.
+The command B<default_algorithms> sets the default algorithms an ENGINE will
+supply using the functions B<ENGINE_set_default_string()>
+If the name matches none of the above command names it is assumed to be a
+ctrl command which is sent to the ENGINE. The value of the command is the 
+argument to the ctrl command. If the value is the string B<EMPTY> then no
+value is sent to the command.
+For example:
+ [engine_section]
+ # Configure ENGINE named "foo"
+ foo = foo_section
+ [foo_section]
+ # Load engine from DSO
+ dynamic_path = /some/path/fooengine.so
+ # A foo specific ctrl.
+ some_ctrl = some_value
+ # Another ctrl that doesn't take a value.
+ other_ctrl = EMPTY
+ # Supply all default algorithms
+ default_algorithms = ALL
 =head1 NOTES
 If a configuration file attempts to expand a variable that doesn't exist
 then an error is flagged and the file will not load. This can happen
 if an attempt is made to expand an environment variable that doesn't
-exist. For example the default OpenSSL master configuration file used
+exist. For example in a previous version of OpenSSL the default OpenSSL
-the value of B<HOME> which may not be defined on non Unix systems.
+master configuration file used the value of B<HOME> which may not be
+defined on non Unix systems and would cause an error.
 This can be worked around by including a B<default> section to provide
 a default value: then if the environment lookup fails the default value
diff --git a/src/lib/libssl/src/doc/apps/openssl.pod b/src/lib/libssl/src/doc/apps/openssl.pod
index 07dd80eabe..dc0f49ddca 100644
--- a/src/lib/libssl/src/doc/apps/openssl.pod
+++ b/src/lib/libssl/src/doc/apps/openssl.pod
@@ -329,7 +329,8 @@ L<passwd(1)|passwd(1)>,
 L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
 L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
 L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
-L<s_server(1)|s_server(1)>, L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
+L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
+L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
 L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
 L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)> 
diff --git a/src/lib/libssl/src/doc/apps/s_client.pod b/src/lib/libssl/src/doc/apps/s_client.pod
index d061326c1f..8d19079973 100644
--- a/src/lib/libssl/src/doc/apps/s_client.pod
+++ b/src/lib/libssl/src/doc/apps/s_client.pod
@@ -8,7 +8,7 @@ s_client - SSL/TLS client program
 =head1 SYNOPSIS
 B<openssl> B<s_client>
-[B<-connect> host:port>]
+[B<-connect host:port>]
 [B<-verify depth>]
 [B<-cert filename>]
 [B<-key filename>]
@@ -208,7 +208,7 @@ then an HTTP command can be given such as "GET /" to retrieve a web page.
 If the handshake fails then there are several possible causes, if it is
 nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> can be tried
+B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
 in case it is a buggy server. In particular you should play with these
 options B<before> submitting a bug report to an OpenSSL mailing list.
@@ -219,7 +219,7 @@ the clients certificate authority in its "acceptable CA list" when it
 requests a certificate. By using B<s_client> the CA list can be viewed
 and checked. However some servers only request client authentication
 after a specific URL is requested. To obtain the list in this case it
-is necessary to use the B<-prexit> command and send an HTTP request
+is necessary to use the B<-prexit> option and send an HTTP request
 for an appropriate page.
 If a certificate is specified on the command line using the B<-cert>
diff --git a/src/lib/libssl/src/doc/apps/s_time.pod b/src/lib/libssl/src/doc/apps/s_time.pod
new file mode 100644
index 0000000000..5a38aa2e03
--- /dev/null
+++ b/src/lib/libssl/src/doc/apps/s_time.pod
@@ -0,0 +1,173 @@
+=pod
+=head1 NAME
+s_time - SSL/TLS performance timing program
+=head1 SYNOPSIS
+B<openssl> B<s_time>
+[B<-connect host:port>]
+[B<-www page>]
+[B<-cert filename>]
+[B<-key filename>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
+[B<-reuse>]
+[B<-new>]
+[B<-verify depth>]
+[B<-nbio>]
+[B<-time seconds>]
+[B<-ssl2>]
+[B<-ssl3>]
+[B<-bugs>]
+[B<-cipher cipherlist>]
+=head1 DESCRIPTION
+The B<s_client> command implements a generic SSL/TLS client which connects to a
+remote host using SSL/TLS. It can request a page from the server and includes
+the time to transfer the payload data in its timing measurements. It measures
+the number of connections within a given timeframe, the amount of data
+transferred (if any), and calculates the average time spent for one connection.
+=head1 OPTIONS
+=over 4
+=item B<-connect host:port>
+This specifies the host and optional port to connect to.
+=item B<-www page>
+This specifies the page to GET from the server. A value of '/' gets the
+index.htm[l] page. If this parameter is not specified, then B<s_time> will only
+perform the handshake to establish SSL connections but not transfer any
+payload data.
+=item B<-cert certname>
+The certificate to use, if one is requested by the server. The default is
+not to use a certificate. The file is in PEM format.
+=item B<-key keyfile>
+The private key to use. If not specified then the certificate file will
+be used. The file is in PEM format.
+=item B<-verify depth>
+The verify depth to use. This specifies the maximum length of the
+server certificate chain and turns on server certificate verification.
+Currently the verify operation continues after errors so all the problems
+with a certificate chain can be seen. As a side effect the connection
+will never fail due to a server certificate verify failure.
+=item B<-CApath directory>
+The directory to use for server certificate verification. This directory
+must be in "hash format", see B<verify> for more information. These are
+also used when building the client certificate chain.
+=item B<-CAfile file>
+A file containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+=item B<-new>
+performs the timing test using a new session ID for each connection.
+If neither B<-new> nor B<-reuse> are specified, they are both on by default
+and executed in sequence.
+=item B<-reuse>
+performs the timing test using the same session ID; this can be used as a test
+that session caching is working. If neither B<-new> nor B<-reuse> are
+specified, they are both on by default and executed in sequence.
+=item B<-nbio>
+turns on non-blocking I/O.
+=item B<-ssl2>, B<-ssl3>
+these options disable the use of certain SSL or TLS protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+The timing program is not as rich in options to turn protocols on and off as
+the L<s_client(1)|s_client(1)> program and may not connect to all servers.
+Unfortunately there are a lot of ancient and broken servers in use which
+cannot handle this technique and will fail to connect. Some servers only
+work if TLS is turned off with the B<-ssl3> option; others
+will only support SSL v2 and may need the B<-ssl2> option.
+=item B<-bugs>
+there are several known bug in SSL and TLS implementations. Adding this
+option enables various workarounds.
+=item B<-cipher cipherlist>
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client.
+See the L<ciphers(1)|ciphers(1)> command for more information.
+=item B<-time length>
+specifies how long (in seconds) B<s_time> should establish connections and
+optionally transfer payload data from a server. Server and client performance
+and the link speed determine how many connections B<s_time> can establish.
+=back
+=head1 NOTES
+B<s_client> can be used to measure the performance of an SSL connection.
+To connect to an SSL HTTP server and get the default page the command
+ openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
+would typically be used (https uses port 443). 'commoncipher' is a cipher to
+which both client and server can agree, see the L<ciphers(1)|ciphers(1)> command
+for details.
+If the handshake fails then there are several possible causes, if it is
+nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+B<-ssl3> options can be tried
+in case it is a buggy server. In particular you should play with these
+options B<before> submitting a bug report to an OpenSSL mailing list.
+A frequent problem when attempting to get client certificates working
+is that a web client complains it has no certificates or gives an empty
+list to choose from. This is normally because the server is not sending
+the clients certificate authority in its "acceptable CA list" when it
+requests a certificate. By using L<s_client(1)|s_client(1)> the CA list can be
+viewed and checked. However some servers only request client authentication
+after a specific URL is requested. To obtain the list in this case it
+is necessary to use the B<-prexit> option of L<s_client(1)|s_client(1)> and
+send an HTTP request for an appropriate page.
+If a certificate is specified on the command line using the B<-cert>
+option it will not be used unless the server specifically requests
+a client certificate. Therefor merely including a client certificate
+on the command line is no guarantee that the certificate works.
+=head1 BUGS
+Because this program does not have all the options of the
+L<s_client(1)|s_client(1)> program to turn protocols on and off, you may not be
+able to measure the performance of all protocols with all servers.
+The B<-verify> option should really exit if the server verification
+fails.
+=head1 SEE ALSO
+L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
+=cut
diff --git a/src/lib/libssl/src/doc/apps/smime.pod b/src/lib/libssl/src/doc/apps/smime.pod
index 2453dd2738..84b673f791 100644
--- a/src/lib/libssl/src/doc/apps/smime.pod
+++ b/src/lib/libssl/src/doc/apps/smime.pod
@@ -17,6 +17,9 @@ B<openssl> B<smime>
 [B<-rc2-40>]
 [B<-rc2-64>]
 [B<-rc2-128>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
 [B<-in file>]
 [B<-certfile file>]
 [B<-signer file>]
@@ -126,11 +129,11 @@ B<-verify>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
-=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128>
+=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256>
-the encryption algorithm to use. DES (56 bits), triple DES (168 bits)
+the encryption algorithm to use. DES (56 bits), triple DES (168 bits),
-or 40, 64 or 128 bit RC2 respectively if not specified 40 bit RC2 is
+40, 64 or 128 bit RC2 or 128, 192 or 256 bit AES respectively.  If not
-used. Only used with B<-encrypt>.
+specified 40 bit RC2 is used. Only used with B<-encrypt>.
 =item B<-nointern>
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_ssl.pod b/src/lib/libssl/src/doc/crypto/BIO_f_ssl.pod
index a56ee2b92f..f0b731731f 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_f_ssl.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_ssl.pod
@@ -287,8 +287,8 @@ a client and also echoes the request to standard output.
        return 0;
 }
- BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n");
+ BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n");
- BIO_puts(sbio, "<pre>\r\nConnection Established\r\nRequest headers:\r\n");
+ BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n");
 BIO_puts(sbio, "--------------------------------------------------\r\n");
 for(;;) {
@@ -301,7 +301,7 @@ a client and also echoes the request to standard output.
 }
 BIO_puts(sbio, "--------------------------------------------------\r\n");
- BIO_puts(sbio, "</pre>\r\n");
+ BIO_puts(sbio, "\r\n");
 /* Since there is a buffering BIO present we had better flush it */
 BIO_flush(sbio);
diff --git a/src/lib/libssl/src/doc/crypto/CONF_modules_free.pod b/src/lib/libssl/src/doc/crypto/CONF_modules_free.pod
new file mode 100644
index 0000000000..af8ae6a5c9
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/CONF_modules_free.pod
@@ -0,0 +1,47 @@
+=pod
+=head1 NAME
+ CONF_modules_free, CONF_modules_load, CONF_modules_unload -
+ OpenSSL configuration cleanup functions
+=head1 SYNOPSIS
+ #include <openssl/conf.h>
+ void CONF_modules_free(void);
+ void CONF_modules_unload(int all);
+ void CONF_modules_finish(void);
+=head1 DESCRIPTION
+CONF_modules_free() closes down and frees up all memory allocated by all
+configuration modules.
+CONF_modules_finish() calls each configuration modules B<finish> handler
+to free up any configuration that module may have performed.
+CONF_modules_unload() finishes and unloads configuration modules. If
+B<all> is set to B<0> only modules loaded from DSOs will be unloads. If
+B<all> is B<1> all modules, including builtin modules will be unloaded.
+=head1 NOTES
+Normally applications will only call CONF_modules_free() at application to
+tidy up any configuration performed.
+=head1 RETURN VALUE
+None of the functions return a value.
+=head1 SEE ALSO
+L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
+L<CONF_modules_load_file(3), CONF_modules_load_file(3)>
+=head1 HISTORY
+CONF_modules_free(), CONF_modules_unload(), and CONF_modules_finish()
+first appeared in OpenSSL 0.9.7.
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod b/src/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod
new file mode 100644
index 0000000000..9965d69bf2
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod
@@ -0,0 +1,60 @@
+=pod
+=head1 NAME
+ CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions
+=head1 SYNOPSIS
+ #include <openssl/conf.h>
+ int CONF_modules_load_file(const char *filename, const char *appname,
+                           unsigned long flags);
+ int CONF_modules_load(const CONF *cnf, const char *appname,
+                      unsigned long flags);
+=head1 DESCRIPTION
+The function CONF_modules_load_file() configures OpenSSL using file
+B<filename> and application name B<appname>. If B<filename> is NULL
+the standard OpenSSL configuration file is used. If B<appname> is
+NULL the standard OpenSSL application name B<openssl_conf> is used.
+The behaviour can be cutomized using B<flags>.
+CONF_modules_load() is idential to CONF_modules_load_file() except it
+read configuration information from B<cnf>. 
+=head1 NOTES
+The following B<flags> are currently recognized:
+B<CONF_MFLAGS_IGNORE_ERRORS> if set errors returned by individual
+configuration modules are ignored. If not set the first module error is
+considered fatal and no further modules are loads.
+Normally any modules errors will add error information to the error queue. If
+B<CONF_MFLAGS_SILENT> is set no error information is added.
+If B<CONF_MFLAGS_NO_DSO> is set configuration module loading from DSOs is
+disabled.
+B<CONF_MFLAGS_IGNORE_MISSING_FILE> if set will make CONF_load_modules_file()
+ignore missing configuration files. Normally a missing configuration file
+return an error.
+=head1 RETURN VALUE
+These functions return 1 for success and a zero or negative value for
+failure. If module errors are not ignored the return code will reflect the
+return value of the failing module (this will always be zero or negative).
+=head1 SEE ALSO
+L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
+L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)>
+=head1 HISTORY
+CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7.
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod b/src/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod
index 5ce4add082..016381f3e9 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_BytesToKey.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- EVP_BytesToKey - password based encryption routine
+EVP_BytesToKey - password based encryption routine
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod b/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod
index 5901c39526..1cb315e739 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod
@@ -4,7 +4,7 @@
 EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
 EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
-EVP_MD_CTX_copy_ex EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
+EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
 EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
 EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
 EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
diff --git a/src/lib/libssl/src/doc/crypto/OPENSSL_config.pod b/src/lib/libssl/src/doc/crypto/OPENSSL_config.pod
new file mode 100644
index 0000000000..16600620cc
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/OPENSSL_config.pod
@@ -0,0 +1,82 @@
+=pod
+=head1 NAME
+OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions
+=head1 SYNOPSIS
+ #include <openssl/conf.h>
+ void OPENSSL_config(const char *config_name);
+ void OPENSSL_no_config(void);
+=head1 DESCRIPTION
+OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf>
+configuration file name using B<config_name>. If B<config_name> is NULL then
+the default name B<openssl_conf> will be used. Any errors are ignored. Further
+calls to OPENSSL_config() will have no effect. The configuration file format
+is documented in the L<conf(5)|conf(5)> manual page.
+OPENSSL_no_config() disables configuration. If called before OPENSSL_config()
+no configuration takes place.
+=head1 NOTES
+It is B<strongly> recommended that B<all> new applications call OPENSSL_config()
+or the more sophisticated functions such as CONF_modules_load() during
+initialization (that is before starting any threads). By doing this
+an application does not need to keep track of all configuration options
+and some new functionality can be supported automatically.
+It is also possible to automatically call OPENSSL_config() when an application
+calls OPENSSL_add_all_algorithms() by compiling an application with the
+preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration
+can be added without source changes.
+The environment variable B<OPENSSL_CONFIG> can be set to specify the location
+of the configuration file.
+ 
+Currently ASN1 OBJECTs and ENGINE configuration can be performed future
+versions of OpenSSL will add new configuration options.
+There are several reasons why calling the OpenSSL configuration routines is
+advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7.
+In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be
+used (among other things) to load dynamic ENGINEs from shared libraries (DSOs).
+However very few applications currently support the control interface and so
+very few can load and use dynamic ENGINEs. Equally in future more sophisticated
+ENGINEs will require certain control operations to customize them. If an
+application calls OPENSSL_config() it doesn't need to know or care about
+ENGINE control operations because they can be performed by editing a
+configuration file.
+Applications should free up configuration at application closedown by calling
+CONF_modules_free().
+=head1 RESTRICTIONS
+The OPENSSL_config() function is designed to be a very simple "call it and
+forget it" function. As a result its behaviour is somewhat limited. It ignores
+all errors silently and it can only load from the standard configuration file
+location for example.
+It is however B<much> better than nothing. Applications which need finer
+control over their configuration functionality should use the configuration
+functions such as CONF_load_modules() directly.
+=head1 RETURN VALUES
+Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
+=head1 SEE ALSO
+L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
+L<CONF_modules_free(3),CONF_modules_free(3)>
+=head1 HISTORY
+OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod b/src/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod
new file mode 100644
index 0000000000..f14dfaf005
--- /dev/null
+++ b/src/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod
@@ -0,0 +1,51 @@
+=pod
+=head1 NAME
+OPENSSL_load_builtin_modules - add standard configuration modules
+=head1 SYNOPSIS
+ #include <openssl/conf.h>
+ void OPENSSL_load_builtin_modules(void);
+ void ASN1_add_oid_module(void);
+ ENGINE_add_conf_module();
+=head1 DESCRIPTION
+The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL
+configuration modules to the internal list. They can then be used by the
+OpenSSL configuration code.
+ASN1_add_oid_module() adds just the ASN1 OBJECT module.
+ENGINE_add_conf_module() adds just the ENGINE configuration module.
+=head1 NOTES
+If the simple configuration function OPENSSL_config() is called then 
+OPENSSL_load_builtin_modules() is called automatically.
+Applications which use the configuration functions directly will need to
+call OPENSSL_load_builtin_modules() themselves I<before> any other 
+configuration code.
+Applications should call OPENSSL_load_builtin_modules() to load all
+configuration modules instead of adding modules selectively: otherwise 
+functionality may be missing from the application if an when new
+modules are added.
+=head1 RETURN VALUE
+None of the functions return a value.
+=head1 SEE ALSO
+L<conf(3)|conf(3)>, L<OPENSSL_config(3)|OPENSSL_config(3)>
+=head1 HISTORY
+These functions first appeared in OpenSSL 0.9.7.
+=cut
diff --git a/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod b/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod
index 486c903430..e63411b5bb 100644
--- a/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod
+++ b/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod
@@ -36,7 +36,7 @@ None of the functions return a value.
 =head1 NOTES
-A typical application will will call OpenSSL_add_all_algorithms() initially and
+A typical application will call OpenSSL_add_all_algorithms() initially and
 EVP_cleanup() before exiting.
 An application does not need to add algorithms to use them explicitly, for example
diff --git a/src/lib/libssl/src/doc/crypto/RSA_print.pod b/src/lib/libssl/src/doc/crypto/RSA_print.pod
index e28d107d1c..c971e91f4d 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_print.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_print.pod
@@ -44,6 +44,6 @@ L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
 RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(),
 DH_print_fp() are available in all versions of SSLeay and OpenSSL.
-DSAparams_print() and DSAparams_print_pf() were added in SSLeay 0.8.
+DSAparams_print() and DSAparams_print_fp() were added in SSLeay 0.8.
 =cut
diff --git a/src/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod b/src/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod
index 6ebd30427b..22c1b50f22 100644
--- a/src/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod
+++ b/src/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod
@@ -9,6 +9,7 @@ and parsing functions.
 =head1 SYNOPSIS
 #include <openssl/dsa.h>
+ #include <openssl/x509.h>
 DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length);
@@ -35,8 +36,8 @@ and parsing functions.
 d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key
 components structure.
-d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a
+d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using
-SubjectPublicKeyInfo (certificate public key) structure.
+a SubjectPublicKeyInfo (certificate public key) structure.
 d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key
 components.
diff --git a/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod b/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
index 7c71bcbf3d..279b29c873 100644
--- a/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
+++ b/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
@@ -9,6 +9,7 @@ d2i_Netscape_RSA - RSA public and private key encoding functions.
 =head1 SYNOPSIS
 #include <openssl/rsa.h>
+ #include <openssl/x509.h>
 RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
@@ -31,8 +32,8 @@ d2i_Netscape_RSA - RSA public and private key encoding functions.
 d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey
 structure.
-d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a
+d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using
-SubjectPublicKeyInfo (certificate public key) structure.
+a SubjectPublicKeyInfo (certificate public key) structure.
 d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey
 structure.
diff --git a/src/lib/libssl/src/doc/crypto/des.pod b/src/lib/libssl/src/doc/crypto/des.pod
index 528c73acac..6f0cf1cc5e 100644
--- a/src/lib/libssl/src/doc/crypto/des.pod
+++ b/src/lib/libssl/src/doc/crypto/des.pod
@@ -283,7 +283,7 @@ DES_cbc_encrypt is used.
 =head1 NOTES
 Single-key DES is insecure due to its short key size.  ECB mode is
-not suitable for most applications; see L<DES_modes(7)|DES_modes(7)>.
+not suitable for most applications; see L<des_modes(7)|des_modes(7)>.
 The L<evp(3)|evp(3)> library provides higher-level encryption functions.
diff --git a/src/lib/libssl/src/doc/crypto/pem.pod b/src/lib/libssl/src/doc/crypto/pem.pod
index a4f8cc3337..8613114452 100644
--- a/src/lib/libssl/src/doc/crypto/pem.pod
+++ b/src/lib/libssl/src/doc/crypto/pem.pod
@@ -330,7 +330,7 @@ most of them are set to 0 or NULL.
 Read a certificate in PEM format from a BIO:
 X509 *x;
- x = PEM_read_bio(bp, NULL, 0, NULL);
+ x = PEM_read_bio_X509(bp, NULL, 0, NULL);
 if (x == NULL)
        {
        /* Error */
@@ -459,12 +459,12 @@ returned by EVP_bytestokey().
 The PEM read routines in some versions of OpenSSL will not correctly reuse
 an existing structure. Therefore the following:
- PEM_read_bio(bp, &x, 0, NULL);
+ PEM_read_bio_X509(bp, &x, 0, NULL);
 where B<x> already contains a valid certificate, may not work, whereas: 
 X509_free(x);
- x = PEM_read_bio(bp, NULL, 0, NULL);
+ x = PEM_read_bio_X509(bp, NULL, 0, NULL);
 is guaranteed to work.
diff --git a/src/lib/libssl/src/doc/crypto/ui.pod b/src/lib/libssl/src/doc/crypto/ui.pod
index 2b3535a746..6df68d604a 100644
--- a/src/lib/libssl/src/doc/crypto/ui.pod
+++ b/src/lib/libssl/src/doc/crypto/ui.pod
@@ -5,7 +5,7 @@
 UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string,
 UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean,
 UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string,
-UI_add_error_string, UI_dup_error_string, UI_construct_prompt
+UI_add_error_string, UI_dup_error_string, UI_construct_prompt,
 UI_add_user_data, UI_get0_user_data, UI_get0_result, UI_process,
 UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method,
 UI_set_method, UI_OpenSSL, ERR_load_UI_strings - New User Interface
diff --git a/src/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod b/src/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod
index 2a98739114..42fa66b197 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may return the following values:
 =over 4
-=item 1
+=item 0
 The operation succeeded.
-=item 0
+=item 1
 The operation failed. Check the error queue to find out the reason.
diff --git a/src/lib/libssl/src/doc/ssleay.txt b/src/lib/libssl/src/doc/ssleay.txt
index c6049d5e53..d44d2f04a0 100644
--- a/src/lib/libssl/src/doc/ssleay.txt
+++ b/src/lib/libssl/src/doc/ssleay.txt
@@ -6245,7 +6245,7 @@ SSL_get_app_data
 void SSL_CTX_set_default_verify
 /* This callback, if set, totaly overrides the normal SSLeay verification
- * functions and should return 1 on sucesss and 0 on failure */
+ * functions and should return 1 on success and 0 on failure */
 void SSL_CTX_set_cert_verify_callback
 /* The following are the same as the equivilent SSL_xxx functions.