Fix integer overflow in IGMP protocol. [SA-15:04]releng/10.0

Fix vt(4) crash with improper ioctl parameters. [EN-15:01]

Updated base system OpenSSL to 1.0.1l. [EN-15:02]

Fix freebsd-update libraries update ordering issue. [EN-15:03]

Approved by:	so

723 files changed, 17198 insertions, 14236 deletions

diff --git a/UPDATING b/UPDATING
index d35a91ce5820..b7c1e0088f1a 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20150225:	p18	FreeBSD-SA-15:04.igmp
+			FreeBSD-EN-15:01.vt
+			FreeBSD-EN-15:02.openssl
+			FreeBSD-EN-15:03.freebsd-update
+
+	Fix integer overflow in IGMP protocol. [SA-15:04]
+
+	Fix vt(4) crash with improper ioctl parameters. [EN-15:01]
+
+	Updated base system OpenSSL to 1.0.1l. [EN-15:02]
+
+	Fix freebsd-update libraries update ordering issue. [EN-15:03]
+
 20150127:	p17	FreeBSD-SA-15:02.kmem
 			FreeBSD-SA-15:03.sctp
 
diff --git a/crypto/openssl/ACKNOWLEDGMENTS b/crypto/openssl/ACKNOWLEDGMENTS
index fb6dd912c430..59c6f01f97f6 100644
--- a/crypto/openssl/ACKNOWLEDGMENTS
+++ b/crypto/openssl/ACKNOWLEDGMENTS
@@ -10,13 +10,18 @@ OpenSSL project.
 We would like to identify and thank the following such sponsors for their past
 or current significant support of the OpenSSL project:
 
+Major support:
+
+	Qualys		http://www.qualys.com/
+
 Very significant support:
 
-	OpenGear: www.opengear.com
+	OpenGear:	http://www.opengear.com/
 
 Significant support:
 
-	PSW Group: www.psw.net
+	PSW Group:	http://www.psw.net/
+	Acano Ltd.	http://acano.com/
 
 Please note that we ask permission to identify sponsors and that some sponsors
 we consider eligible for inclusion here have requested to remain anonymous.
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index ca82ad295d5c..d4700d9d799e 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -2,9 +2,376 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
+
+  *) Build fixes for the Windows and OpenVMS platforms
+     [Matt Caswell and Richard Levitte]
+
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+     message can cause a segmentation fault in OpenSSL due to a NULL pointer
+     dereference. This could lead to a Denial Of Service attack. Thanks to
+     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+     (CVE-2014-3571)
+     [Steve Henson]
+
+  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+     dtls1_buffer_record function under certain conditions. In particular this
+     could occur if an attacker sent repeated DTLS records with the same
+     sequence number but for the next epoch. The memory leak could be exploited
+     by an attacker in a Denial of Service attack through memory exhaustion.
+     Thanks to Chris Mueller for reporting this issue.
+     (CVE-2015-0206)
+     [Matt Caswell]
+
+  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+     method would be set to NULL which could later result in a NULL pointer
+     dereference. Thanks to Frank Schmirler for reporting this issue.
+     (CVE-2014-3569)
+     [Kurt Roeckx]
+
+  *) Abort handshake if server key exchange message is omitted for ephemeral
+     ECDH ciphersuites.
+
+     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+     reporting this issue.
+     (CVE-2014-3572)
+     [Steve Henson]
+
+  *) Remove non-export ephemeral RSA code on client and server. This code
+     violated the TLS standard by allowing the use of temporary RSA keys in
+     non-export ciphersuites and could be used by a server to effectively
+     downgrade the RSA key length used to a value smaller than the server
+     certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+     INRIA or reporting this issue.
+     (CVE-2015-0204)
+     [Steve Henson]
+
+  *) Fixed issue where DH client certificates are accepted without verification.
+     An OpenSSL server will accept a DH certificate for client authentication
+     without the certificate verify message. This effectively allows a client to
+     authenticate without the use of a private key. This only affects servers
+     which trust a client certificate authority which issues certificates
+     containing DH keys: these are extremely rare and hardly ever encountered.
+     Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+     this issue.
+     (CVE-2015-0205)
+     [Steve Henson]
+
+  *) Ensure that the session ID context of an SSL is updated when its
+     SSL_CTX is updated via SSL_set_SSL_CTX.
+
+     The session ID context is typically set from the parent SSL_CTX,
+     and can vary with the CTX.
+     [Adam Langley]
+
+  *) Fix various certificate fingerprint issues.
+
+     By using non-DER or invalid encodings outside the signed portion of a
+     certificate the fingerprint can be changed without breaking the signature.
+     Although no details of the signed portion of the certificate can be changed
+     this can cause problems with some applications: e.g. those using the
+     certificate fingerprint for blacklists.
+
+     1. Reject signatures with non zero unused bits.
+
+     If the BIT STRING containing the signature has non zero unused bits reject
+     the signature. All current signature algorithms require zero unused bits.
+
+     2. Check certificate algorithm consistency.
+
+     Check the AlgorithmIdentifier inside TBS matches the one in the
+     certificate signature. NB: this will result in signature failure
+     errors for some broken certificates.
+
+     Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+     3. Check DSA/ECDSA signatures use DER.
+
+     Reencode DSA/ECDSA signatures and compare with the original received
+     signature. Return an error if there is a mismatch.
+
+     This will reject various cases including garbage after signature
+     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+     (negative or with leading zeroes).
+
+     Further analysis was conducted and fixes were developed by Stephen Henson
+     of the OpenSSL core team.
+
+     (CVE-2014-8275)
+     [Steve Henson]
+
+   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+      results on some platforms, including x86_64. This bug occurs at random
+      with a very low probability, and is not known to be exploitable in any
+      way, though its exact impact is difficult to determine. Thanks to Pieter
+      Wuille (Blockstream) who reported this issue and also suggested an initial
+      fix. Further analysis was conducted by the OpenSSL development team and
+      Adam Langley of Google. The final fix was developed by Andy Polyakov of
+      the OpenSSL core team.
+      (CVE-2014-3570)
+      [Andy Polyakov]
+
+   *) Do not resume sessions on the server if the negotiated protocol
+      version does not match the session's version. Resuming with a different
+      version, while not strictly forbidden by the RFC, is of questionable
+      sanity and breaks all known clients.
+      [David Benjamin, Emilia Käsper]
+
+   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
+      early CCS messages during renegotiation. (Note that because
+      renegotiation is encrypted, this early CCS was not exploitable.)
+      [Emilia Käsper]
+
+   *) Tighten client-side session ticket handling during renegotiation:
+      ensure that the client only accepts a session ticket if the server sends
+      the extension anew in the ServerHello. Previously, a TLS client would
+      reuse the old extension state and thus accept a session ticket if one was
+      announced in the initial ServerHello.
+
+      Similarly, ensure that the client requires a session ticket if one
+      was advertised in the ServerHello. Previously, a TLS client would
+      ignore a missing NewSessionTicket message.
+      [Emilia Käsper]
+
+ Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
+
+  *) SRTP Memory Leak.
+
+     A flaw in the DTLS SRTP extension parsing code allows an attacker, who
+     sends a carefully crafted handshake message, to cause OpenSSL to fail
+     to free up to 64k of memory causing a memory leak. This could be
+     exploited in a Denial Of Service attack. This issue affects OpenSSL
+     1.0.1 server implementations for both SSL/TLS and DTLS regardless of
+     whether SRTP is used or configured. Implementations of OpenSSL that
+     have been compiled with OPENSSL_NO_SRTP defined are not affected.
+
+     The fix was developed by the OpenSSL team.
+     (CVE-2014-3513)
+     [OpenSSL team]
+
+  *) Session Ticket Memory Leak.
+
+     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+     integrity of that ticket is first verified. In the event of a session
+     ticket integrity check failing, OpenSSL will fail to free memory
+     causing a memory leak. By sending a large number of invalid session
+     tickets an attacker could exploit this issue in a Denial Of Service
+     attack.
+     (CVE-2014-3567)
+     [Steve Henson]
+
+  *) Build option no-ssl3 is incomplete.
+
+     When OpenSSL is configured with "no-ssl3" as a build option, servers
+     could accept and complete a SSL 3.0 handshake, and clients could be
+     configured to send them.
+     (CVE-2014-3568)
+     [Akamai and the OpenSSL team]
+
+  *) Add support for TLS_FALLBACK_SCSV.
+     Client applications doing fallback retries should call
+     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+     (CVE-2014-3566)
+     [Adam Langley, Bodo Moeller]
+
+  *) Add additional DigestInfo checks.
+ 
+     Reencode DigestInto in DER and check against the original when
+     verifying RSA signature: this will reject any improperly encoded
+     DigestInfo structures.
+
+     Note: this is a precautionary measure and no attacks are currently known.
+
+     [Steve Henson]
+
+ Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
+
+  *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
+     SRP code can be overrun an internal buffer. Add sanity check that
+     g, A, B < N to SRP code.
+
+     Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
+     Group for discovering this issue.
+     (CVE-2014-3512)
+     [Steve Henson]
+
+  *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
+     TLS 1.0 instead of higher protocol versions when the ClientHello message
+     is badly fragmented. This allows a man-in-the-middle attacker to force a
+     downgrade to TLS 1.0 even if both the server and the client support a
+     higher protocol version, by modifying the client's TLS records.
+
+     Thanks to David Benjamin and Adam Langley (Google) for discovering and
+     researching this issue.
+     (CVE-2014-3511)
+     [David Benjamin]
+
+  *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+     to a denial of service attack. A malicious server can crash the client
+     with a null pointer dereference (read) by specifying an anonymous (EC)DH
+     ciphersuite and sending carefully crafted handshake messages.
+
+     Thanks to Felix Gröbert (Google) for discovering and researching this
+     issue.
+     (CVE-2014-3510)
+     [Emilia Käsper]
+
+  *) By sending carefully crafted DTLS packets an attacker could cause openssl
+     to leak memory. This can be exploited through a Denial of Service attack.
+     Thanks to Adam Langley for discovering and researching this issue.
+     (CVE-2014-3507)
+     [Adam Langley]
+
+  *) An attacker can force openssl to consume large amounts of memory whilst
+     processing DTLS handshake messages. This can be exploited through a
+     Denial of Service attack.
+     Thanks to Adam Langley for discovering and researching this issue.
+     (CVE-2014-3506)
+     [Adam Langley]
+
+  *) An attacker can force an error condition which causes openssl to crash
+     whilst processing DTLS packets due to memory being freed twice. This
+     can be exploited through a Denial of Service attack.
+     Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
+     this issue.
+     (CVE-2014-3505)
+     [Adam Langley]
+
+  *) If a multithreaded client connects to a malicious server using a resumed
+     session and the server sends an ec point format extension it could write
+     up to 255 bytes to freed memory.
+
+     Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
+     issue.
+     (CVE-2014-3509)
+     [Gabor Tyukasz]
+
+  *) A malicious server can crash an OpenSSL client with a null pointer
+     dereference (read) by specifying an SRP ciphersuite even though it was not
+     properly negotiated with the client. This can be exploited through a
+     Denial of Service attack.
+
+     Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
+     discovering and researching this issue.
+     (CVE-2014-5139)
+     [Steve Henson]
+
+  *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
+     X509_name_oneline, X509_name_print_ex et al. to leak some information
+     from the stack. Applications may be affected if they echo pretty printing
+     output to the attacker.
+
+     Thanks to Ivan Fratric (Google) for discovering this issue.
+     (CVE-2014-3508)
+     [Emilia Käsper, and Steve Henson]
+
+  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+     for corner cases. (Certain input points at infinity could lead to
+     bogus results, with non-infinity inputs mapped to infinity too.)
+     [Bodo Moeller]
+
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
+
+  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+     handshake can force the use of weak keying material in OpenSSL
+     SSL/TLS clients and servers.
+
+     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+     researching this issue. (CVE-2014-0224)
+     [KIKUCHI Masashi, Steve Henson]
+
+  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+     OpenSSL DTLS client the code can be made to recurse eventually crashing
+     in a DoS attack.
+
+     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+     (CVE-2014-0221)
+     [Imre Rad, Steve Henson]
+
+  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+     client or server. This is potentially exploitable to run arbitrary
+     code on a vulnerable client or server.
+
+     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+     [Jüri Aedla, Steve Henson]
+
+  *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+     are subject to a denial of service attack.
+
+     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+     this issue. (CVE-2014-3470)
+     [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+  *) Harmonize version and its documentation. -f flag is used to display
+     compilation flags.
+     [mancha <mancha1@zoho.com>]
+
+  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+     in i2d_ECPrivateKey.
+     [mancha <mancha1@zoho.com>]
+
+  *) Fix some double frees. These are not thought to be exploitable.
+     [mancha <mancha1@zoho.com>]
+
+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
+
+  *) A missing bounds check in the handling of the TLS heartbeat extension
+     can be used to reveal up to 64k of memory to a connected client or
+     server.
+
+     Thanks for Neel Mehta of Google Security for discovering this bug and to
+     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+     preparing the fix (CVE-2014-0160)
+     [Adam Langley, Bodo Moeller]
+
+  *) Fix for the attack described in the paper "Recovering OpenSSL
+     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+     by Yuval Yarom and Naomi Benger. Details can be obtained from:
+     http://eprint.iacr.org/2014/140
+
+     Thanks to Yuval Yarom and Naomi Benger for discovering this
+     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+     [Yuval Yarom and Naomi Benger]
+
+  *) TLS pad extension: draft-agl-tls-padding-03
+
+     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+     TLS client Hello record length value would otherwise be > 255 and
+     less that 512 pad with a dummy extension containing zeroes so it
+     is at least 512 bytes long.
+
+     [Adam Langley, Steve Henson]
+
+ Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
+
+  *) Fix for TLS record tampering bug. A carefully crafted invalid 
+     handshake could crash OpenSSL with a NULL pointer exception.
+     Thanks to Anton Johansson for reporting this issues.
+     (CVE-2013-4353)
+
+  *) Keep original DTLS digest and encryption contexts in retransmission
+     structures so we can use the previous session parameters if they need
+     to be resent. (CVE-2013-6450)
+     [Steve Henson]
+
+  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+     avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+     Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
+     several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
+     is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+     10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+     [Rob Stradling, Adam Langley]
+
  Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
 
-  *)
+  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
+     supporting platforms or when small records were transferred.
+     [Andy Polyakov, Steve Henson]
 
  Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
 
@@ -404,6 +771,63 @@
        Add command line options to s_client/s_server.
      [Steve Henson]
 
+ Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
+
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia Käsper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
+  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+     the right response is stapled. Also change SSL_get_certificate()
+     so it returns the certificate actually sent.
+     See http://rt.openssl.org/Ticket/Display.html?id=2836.
+     (This is a backport)
+     [Rob Stradling <rob.stradling@comodo.com>]
+
+  *) Fix possible deadlock when decoding public keys.
+     [Steve Henson]
+
+ Changes between 1.0.0i and 1.0.0j [10 May 2012]
+
+  [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
+  OpenSSL 1.0.1.]
+
+  *) Sanity check record length before skipping explicit IV in DTLS
+     to fix DoS attack.
+
+     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+     fuzzing as a service testing platform.
+     (CVE-2012-2333)
+     [Steve Henson]
+
+  *) Initialise tkeylen properly when encrypting CMS messages.
+     Thanks to Solar Designer of Openwall for reporting this issue.
+     [Steve Henson]
+
+ Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
+
+  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+     in CRYPTO_realloc_clean.
+
+     Thanks to Tavis Ormandy, Google Security Team, for discovering this
+     issue and to Adam Langley <agl@chromium.org> for fixing it.
+     (CVE-2012-2110)
+     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
  Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
 
   *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
@@ -1394,6 +1818,86 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
+ Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
+
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia Käsper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
+  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+     the right response is stapled. Also change SSL_get_certificate()
+     so it returns the certificate actually sent.
+     See http://rt.openssl.org/Ticket/Display.html?id=2836.
+     (This is a backport)
+     [Rob Stradling <rob.stradling@comodo.com>]
+
+  *) Fix possible deadlock when decoding public keys.
+     [Steve Henson]
+
+ Changes between 0.9.8w and 0.9.8x [10 May 2012]
+
+  *) Sanity check record length before skipping explicit IV in DTLS
+     to fix DoS attack.
+
+     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+     fuzzing as a service testing platform.
+     (CVE-2012-2333)
+     [Steve Henson]
+
+  *) Initialise tkeylen properly when encrypting CMS messages.
+     Thanks to Solar Designer of Openwall for reporting this issue.
+     [Steve Henson]
+
+ Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
+
+  *) The fix for CVE-2012-2110 did not take into account that the 
+     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
+     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
+     rejecting negative len parameter. (CVE-2012-2131)
+     [Tomas Hoger <thoger@redhat.com>]
+
+ Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
+
+  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+     in CRYPTO_realloc_clean.
+
+     Thanks to Tavis Ormandy, Google Security Team, for discovering this
+     issue and to Adam Langley <agl@chromium.org> for fixing it.
+     (CVE-2012-2110)
+     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+ Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
+
+  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+     in CMS and PKCS7 code. When RSA decryption fails use a random key for
+     content decryption and always return the same error. Note: this attack
+     needs on average 2^20 messages so it only affects automated senders. The
+     old behaviour can be reenabled in the CMS code by setting the
+     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+     an MMA defence is not necessary.
+     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
+     this issue. (CVE-2012-0884)
+     [Steve Henson]
+
+  *) Fix CVE-2011-4619: make sure we really are receiving a 
+     client hello before rejecting multiple SGC restarts. Thanks to
+     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+     [Steve Henson]
+
  Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
 
   *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
@@ -1401,7 +1905,7 @@
      Development, Cisco Systems, Inc. for discovering this bug and
      preparing a fix. (CVE-2012-0050)
      [Antonio Martin]
-  
+
  Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
 
   *) Nadhem Alfardan and Kenny Paterson have discovered an extension
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index 9c803dc0663d..541be9ec57d8 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -178,7 +178,7 @@ my %table=(
 "debug-ben-no-opt",	"gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"debug-bodo",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
 "debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -526,7 +526,7 @@ my %table=(
 # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
 "VC-WIN32","cl:-W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 # Unified CE target
-"debug-VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
+"debug-VC-WIN32","cl:-W3 -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
 
 # Borland C++ 4.5
@@ -720,6 +720,7 @@ my %disabled = ( # "what"         => "comment" [or special keyword "experimental
 		 "sctp"       => "default",
 		 "shared"         => "default",
 		 "store"	  => "experimental",
+		 "unit-test"	  => "default",
 		 "zlib"           => "default",
 		 "zlib-dynamic"   => "default"
 	       );
@@ -727,7 +728,7 @@ my @experimental = ();
 
 # This is what $depflags will look like with the above defaults
 # (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
 
 # Explicit "no-..." options will be collected in %disabled along with the defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's experimental).
@@ -803,6 +804,11 @@ PROCESS_ARGS:
 					{
 					$disabled{"tls1"} = "option(tls)"
 					}
+				elsif ($1 eq "ssl3-method")
+					{
+					$disabled{"ssl3-method"} = "option(ssl)";
+					$disabled{"ssl3"} = "option(ssl)";
+					}
 				else
 					{
 					$disabled{$1} = "option";
@@ -1766,6 +1772,9 @@ open(OUT,'>crypto/opensslconf.h.new') || die "unable to create crypto/opensslcon
 print OUT "/* opensslconf.h */\n";
 print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";
 
+print OUT "#ifdef  __cplusplus\n";
+print OUT "extern \"C\" {\n";
+print OUT "#endif\n";
 print OUT "/* OpenSSL was configured with the following options: */\n";
 my $openssl_algorithm_defines_trans = $openssl_algorithm_defines;
 $openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n#  define OPENSSL_NO_$1\n# endif\n#endif/mg;
@@ -1870,6 +1879,9 @@ while (<IN>)
 		{ print OUT $_; }
 	}
 close(IN);
+print OUT "#ifdef  __cplusplus\n";
+print OUT "}\n";
+print OUT "#endif\n";
 close(OUT);
 rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
 rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ
index 35780f807bd6..f8ea604273a5 100644
--- a/crypto/openssl/FAQ
+++ b/crypto/openssl/FAQ
@@ -113,11 +113,6 @@ that came with the version of OpenSSL you are using. The pod format
 documentation is included in each OpenSSL distribution under the docs
 directory.
 
-For information on parts of libcrypto that are not yet documented, you
-might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
-predecessor, at <URL: http://www.columbia.edu/~ariel/ssleay/>.  Much
-of this still applies to OpenSSL.
-
 There is some documentation about certificate extensions and PKCS#12
 in doc/openssl.txt
 
@@ -768,6 +763,9 @@ openssl-security@openssl.org if you don't get a prompt reply at least
 acknowledging receipt then resend or mail it directly to one of the
 more active team members (e.g. Steve).
 
+Note that bugs only present in the openssl utility are not in general
+considered to be security issues. 
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?
diff --git a/crypto/openssl/Makefile b/crypto/openssl/Makefile
index 54e3541613ac..f68eab69676a 100644
--- a/crypto/openssl/Makefile
+++ b/crypto/openssl/Makefile
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1e
+VERSION=1.0.1l
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0
@@ -13,7 +13,7 @@ SHLIB_MAJOR=1
 SHLIB_MINOR=0.0
 SHLIB_EXT=
 PLATFORM=dist
-OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-store no-zlib no-zlib-dynamic static-engine
+OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-store no-unit-test no-zlib no-zlib-dynamic static-engine
 CONFIGURE_ARGS=dist
 SHLIB_TARGET=
 
@@ -61,7 +61,7 @@ OPENSSLDIR=/usr/local/ssl
 
 CC= cc
 CFLAG= -O
-DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE
+DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
@@ -304,7 +304,8 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
 			FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
 			export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
 		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto build-shared; \
+		$(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
+		(touch -c fips_premain_dso$(EXE_EXT) || :); \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org
index a4feb21bf658..c0e16bb50031 100644
--- a/crypto/openssl/Makefile.org
+++ b/crypto/openssl/Makefile.org
@@ -302,7 +302,8 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
 			FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
 			export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
 		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto build-shared; \
+		$(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
+		(touch -c fips_premain_dso$(EXE_EXT) || :); \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 0269f2277fce..4ff27753ea7d 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,11 +5,67 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e:
+  Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
+
+      o Build fixes for the Windows and OpenVMS platforms
+
+  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
+
+      o Fix for CVE-2014-3571
+      o Fix for CVE-2015-0206
+      o Fix for CVE-2014-3569
+      o Fix for CVE-2014-3572
+      o Fix for CVE-2015-0204
+      o Fix for CVE-2015-0205
+      o Fix for CVE-2014-8275
+      o Fix for CVE-2014-3570
+
+  Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
+
+      o Fix for CVE-2014-3513
+      o Fix for CVE-2014-3567
+      o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
+      o Fix for CVE-2014-3568
+
+  Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
+
+      o Fix for CVE-2014-3512
+      o Fix for CVE-2014-3511
+      o Fix for CVE-2014-3510
+      o Fix for CVE-2014-3507
+      o Fix for CVE-2014-3506
+      o Fix for CVE-2014-3505
+      o Fix for CVE-2014-3509
+      o Fix for CVE-2014-5139
+      o Fix for CVE-2014-3508
+
+  Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
+
+      o Fix for CVE-2014-0224
+      o Fix for CVE-2014-0221
+      o Fix for CVE-2014-0198
+      o Fix for CVE-2014-0195
+      o Fix for CVE-2014-3470
+      o Fix for CVE-2010-5298
+
+  Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
+
+      o Fix for CVE-2014-0160
+      o Add TLS padding extension workaround for broken servers.
+      o Fix for CVE-2014-0076
+
+  Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
+
+      o Don't include gmt_unix_time in TLS server and client random values
+      o Fix for TLS record tampering bug CVE-2013-4353
+      o Fix for TLS version checking bug CVE-2013-6449
+      o Fix for DTLS retransmission bug CVE-2013-6450
+
+  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
 
       o Corrected fix for CVE-2013-0169
 
-  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d:
+  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
 
       o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
       o Include the fips configuration module.
@@ -17,24 +73,24 @@
       o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
       o Fix for TLS AESNI record handling flaw CVE-2012-2686
 
-  Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c:
+  Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
 
       o Fix TLS/DTLS record length checking bug CVE-2012-2333
       o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
 
-  Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b:
+  Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
 
       o Fix compilation error on non-x86 platforms.
       o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
       o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
 
-  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a:
+  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
 
       o Fix for ASN1 overflow bug CVE-2012-2110
       o Workarounds for some servers that hang on long client hellos.
       o Fix SEGV in AES code.
 
-  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
+  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
 
       o TLS/DTLS heartbeat support.
       o SCTP support.
@@ -47,17 +103,30 @@
       o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
       o SRP support.
 
-  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:
+  Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]:
+
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+      o Fix OCSP bad key DoS attack CVE-2013-0166
+
+  Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]:
+
+      o Fix DTLS record length checking bug CVE-2012-2333
+
+  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]:
+
+      o Fix for ASN1 overflow bug CVE-2012-2110
+
+  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
 
       o Fix for CMS/PKCS#7 MMA CVE-2012-0884
       o Corrected fix for CVE-2011-4619
       o Various DTLS fixes.
 
-  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g:
+  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
 
       o Fix for DTLS DoS issue CVE-2012-0050
 
-  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f:
+  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
 
       o Fix for DTLS plaintext recovery attack CVE-2011-4108
       o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
@@ -65,7 +134,7 @@
       o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
       o Check for malformed RFC3779 data CVE-2011-4577
 
-  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e:
+  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
 
       o Fix for CRL vulnerability issue CVE-2011-3207
       o Fix for ECDH crashes CVE-2011-3210
@@ -73,11 +142,11 @@
       o Support ECDH ciphersuites for certificates using SHA2 algorithms.
       o Various DTLS fixes.
 
-  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
+  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
 
       o Fix for security issue CVE-2011-0014
 
-  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
+  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
 
       o Fix for security issue CVE-2010-4180
       o Fix for CVE-2010-4252
@@ -85,18 +154,18 @@
       o Fix various platform compilation issues.
       o Corrected fix for security issue CVE-2010-3864.
 
-  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
 
       o Fix for security issue CVE-2010-3864.
       o Fix for CVE-2010-2939
       o Fix WIN32 build system for GOST ENGINE.
 
-  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
+  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
 
       o Fix for security issue CVE-2010-1633.
       o GOST MAC and CFB fixes.
 
-  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
 
       o RFC3280 path validation: sufficient to process PKITS tests.
       o Integrated support for PVK files and keyblobs.
@@ -119,20 +188,55 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
-  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
+  Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]:
+
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+      o Fix OCSP bad key DoS attack CVE-2013-0166
+
+  Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]:
+
+      o Fix DTLS record length checking bug CVE-2012-2333
+
+  Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]:
+
+      o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
+
+  Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]:
+
+      o Fix for ASN1 overflow bug CVE-2012-2110
+
+  Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]:
+
+      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
+      o Corrected fix for CVE-2011-4619
+      o Various DTLS fixes.
+
+  Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]:
+
+      o Fix for DTLS DoS issue CVE-2012-0050
+
+  Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]:
+
+      o Fix for DTLS plaintext recovery attack CVE-2011-4108
+      o Fix policy check double free error CVE-2011-4109
+      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
+      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
+      o Check for malformed RFC3779 data CVE-2011-4577
+
+  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]:
 
       o Fix for security issue CVE-2011-0014
 
-  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
+  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]:
 
       o Fix for security issue CVE-2010-4180
       o Fix for CVE-2010-4252
 
-  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
+  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]:
 
       o Fix for security issue CVE-2010-3864.
 
-  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
 
       o Fix for security issue CVE-2010-0742.
       o Various DTLS fixes.
@@ -140,12 +244,12 @@
       o Fix for no-rc4 compilation.
       o Chil ENGINE unload workaround.
 
-  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
+  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
 
       o CFB cipher definition fixes.
       o Fix security issues CVE-2010-0740 and CVE-2010-0433.
 
-  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
 
       o Cipher definition fixes.
       o Workaround for slow RAND_poll() on some WIN32 versions.
@@ -157,33 +261,33 @@
       o Ticket and SNI coexistence fixes.
       o Many fixes to DTLS handling. 
 
-  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
+  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
 
       o Temporary work around for CVE-2009-3555: disable renegotiation.
 
-  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
+  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
 
       o Fix various build issues.
       o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
 
-  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
+  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
 
       o Fix security issue (CVE-2008-5077)
       o Merge FIPS 140-2 branch code.
 
-  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
 
       o CryptoAPI ENGINE support.
       o Various precautionary measures.
       o Fix for bugs affecting certificate request creation.
       o Support for local machine keyset attribute in PKCS#12 files.
 
-  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
+  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
 
       o Backport of CMS functionality to 0.9.8.
       o Fixes for bugs introduced with 0.9.8f.
 
-  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
+  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
 
       o Add gcc 4.2 support.
       o Add support for AES and SSE2 assembly lanugauge optimization
@@ -194,23 +298,23 @@
       o RFC4507bis support.
       o TLS Extensions support.
 
-  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e:
+  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
 
       o Various ciphersuite selection fixes.
       o RFC3779 support.
 
-  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d:
+  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
 
       o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
       o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
       o Changes to ciphersuite selection algorithm
 
-  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:
+  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
 
       o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
       o New cipher Camellia
 
-  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:
+  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
 
       o Cipher string fixes.
       o Fixes for VC++ 2005.
@@ -220,12 +324,12 @@
       o Built in dynamic engine compilation support on Win32.
       o Fixes auto dynamic engine loading in Win32.
 
-  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
 
       o Fix potential SSL 2.0 rollback, CVE-2005-2969
       o Extended Windows CE support
 
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
 
       o Major work on the BIGNUM library for higher efficiency and to
         make operations more streamlined and less contradictory.  This
@@ -299,36 +403,36 @@
       o Added initial support for Win64.
       o Added alternate pkg-config files.
 
-  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
 
       o FIPS 1.1.1 module linking.
       o Various ciphersuite selection fixes.
 
-  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
+  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
 
       o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
       o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
 
-  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:
+  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
 
       o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
 
-  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
 
       o Visual C++ 2005 fixes.
       o Update Windows build system for FIPS.
 
-  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
 
       o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
 
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
 
       o Fix SSL 2.0 Rollback, CVE-2005-2969
       o Allow use of fixed-length exponent on DSA signing
       o Default fixed-window RSA, DSA, DH private-key operations
 
-  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
 
       o More compilation issues fixed.
       o Adaptation to more modern Kerberos API.
@@ -337,7 +441,7 @@
       o More constification.
       o Added processing of proxy certificates (RFC 3820).
 
-  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
 
       o Several compilation issues fixed.
       o Many memory allocation failure checks added.
@@ -345,12 +449,12 @@
       o Mandatory basic checks on certificates.
       o Performance improvements.
 
-  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
 
       o Fix race condition in CRL checking code.
       o Fixes to PKCS#7 (S/MIME) code.
 
-  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
+  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
 
       o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
       o Security: Fix null-pointer assignment in do_change_cipher_spec()
@@ -358,14 +462,14 @@
       o Multiple X509 verification fixes
       o Speed up HMAC and other operations
 
-  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
 
       o Security: fix various ASN1 parsing bugs.
       o New -ignore_err option to OCSP utility.
       o Various interop and bug fixes in S/MIME code.
       o SSL/TLS protocol fix for unrequested client certificates.
 
-  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
+  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
 
       o Security: counter the Klima-Pokorny-Rosa extension of
         Bleichbacher's attack 
@@ -376,7 +480,7 @@
       o ASN.1: treat domainComponent correctly.
       o Documentation: fixes and additions.
 
-  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
+  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
 
       o Security: Important security related bugfixes.
       o Enhanced compatibility with MIT Kerberos.
@@ -387,7 +491,7 @@
       o SSL/TLS: now handles manual certificate chain building.
       o SSL/TLS: certain session ID malfunctions corrected.
 
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
 
       o New library section OCSP.
       o Complete rewrite of ASN1 code.
@@ -433,23 +537,23 @@
       o SSL/TLS: add callback to retrieve SSL/TLS messages.
       o SSL/TLS: support AES cipher suites (RFC3268).
 
-  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
 
       o Security: fix various ASN1 parsing bugs.
       o SSL/TLS protocol fix for unrequested client certificates.
 
-  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
+  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
 
       o Security: counter the Klima-Pokorny-Rosa extension of
         Bleichbacher's attack 
       o Security: make RSA blinding default.
       o Build: shared library support fixes.
 
-  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
+  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
 
       o Important security related bugfixes.
 
-  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
 
       o New configuration targets for Tandem OSS and A/UX.
       o New OIDs for Microsoft attributes.
@@ -463,25 +567,25 @@
       o Fixes for smaller building problems.
       o Updates of manuals, FAQ and other instructive documents.
 
-  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
+  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
 
       o Important building fixes on Unix.
 
-  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
+  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
 
       o Various important bugfixes.
 
-  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
+  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
 
       o Important security related bugfixes.
       o Various SSL/TLS library bugfixes.
 
-  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
+  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
 
       o Various SSL/TLS library bugfixes.
       o Fix DH parameter generation for 'non-standard' generators.
 
-  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
+  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
 
       o Various SSL/TLS library bugfixes.
       o BIGNUM library fixes.
@@ -494,7 +598,7 @@
         Broadcom and Cryptographic Appliance's keyserver
         [in 0.9.6c-engine release].
 
-  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
 
       o Security fix: PRNG improvements.
       o Security fix: RSA OAEP check.
@@ -511,7 +615,7 @@
       o Increase default size for BIO buffering filter.
       o Compatibility fixes in some scripts.
 
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
 
       o Security fix: change behavior of OpenSSL to avoid using
         environment variables when running as root.
@@ -536,7 +640,7 @@
       o New function BN_rand_range().
       o Add "-rand" option to openssl s_client and s_server.
 
-  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
+  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
 
       o Some documentation for BIO and SSL libraries.
       o Enhanced chain verification using key identifiers.
@@ -551,7 +655,7 @@
     [1] The support for external crypto devices is currently a separate
         distribution.  See the file README.ENGINE.
 
-  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
+  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
 
       o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 
       o Shared library support for HPUX and Solaris-gcc
@@ -560,7 +664,7 @@
       o New 'rand' application
       o New way to check for existence of algorithms from scripts
 
-  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:
+  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
 
       o S/MIME support in new 'smime' command
       o Documentation for the OpenSSL command line application
@@ -596,7 +700,7 @@
       o Enhanced support for Alpha Linux
       o Experimental MacOS support
 
-  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:
+  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
 
       o Transparent support for PKCS#8 format private keys: these are used
         by several software packages and are more secure than the standard
@@ -607,7 +711,7 @@
       o New pipe-like BIO that allows using the SSL library when actual I/O
         must be handled by the application (BIO pair)
 
-  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
+  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
       o Lots of enhancements and cleanups to the Configuration mechanism
       o RSA OEAP related fixes
       o Added `openssl ca -revoke' option for revoking a certificate
@@ -621,7 +725,7 @@
       o Sparc assembler bignum implementation, optimized hash functions
       o Option to disable selected ciphers
 
-  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
+  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
       o Fixed a security hole related to session resumption
       o Fixed RSA encryption routines for the p < q case
       o "ALL" in cipher lists now means "everything except NULL ciphers"
@@ -643,7 +747,7 @@
       o Lots of memory leak fixes.
       o Lots of bug fixes.
 
-  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:
+  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
       o Integration of the popular NO_RSA/NO_DSA patches
       o Initial support for compression inside the SSL record layer
       o Added BIO proxy and filtering functionality
diff --git a/crypto/openssl/README b/crypto/openssl/README
index ad2d90f0d1dd..ef7eec7a2b7c 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1e 11 Feb 2013
+ OpenSSL 1.0.1l 15 Jan 2015
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/openssl/apps/Makefile b/crypto/openssl/apps/Makefile
index 95f499e33054..72657ea65873 100644
--- a/crypto/openssl/apps/Makefile
+++ b/crypto/openssl/apps/Makefile
@@ -577,14 +577,15 @@ openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
 openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-openssl.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h
+openssl.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+openssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+openssl.o: openssl.c progs.h s_apps.h
 passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index 1096eee4cfae..3e18289a4b5b 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -390,6 +390,8 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		{
 		arg->count=20;
 		arg->data=(char **)OPENSSL_malloc(sizeof(char *)*arg->count);
+		if (arg->data == NULL)
+			return 0;
 		}
 	for (i=0; i<arg->count; i++)
 		arg->data[i]=NULL;
@@ -586,12 +588,12 @@ int password_callback(char *buf, int bufsiz, int verify,
 
 		if (ok >= 0)
 			ok = UI_add_input_string(ui,prompt,ui_flags,buf,
-				PW_MIN_LENGTH,BUFSIZ-1);
+				PW_MIN_LENGTH,bufsiz-1);
 		if (ok >= 0 && verify)
 			{
 			buff = (char *)OPENSSL_malloc(bufsiz);
 			ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
-				PW_MIN_LENGTH,BUFSIZ-1, buf);
+				PW_MIN_LENGTH,bufsiz-1, buf);
 			}
 		if (ok >= 0)
 			do
@@ -1542,6 +1544,8 @@ char *make_config_name()
 
 	len=strlen(t)+strlen(OPENSSL_CONF)+2;
 	p=OPENSSL_malloc(len);
+	if (p == NULL)
+		return NULL;
 	BUF_strlcpy(p,t,len);
 #ifndef OPENSSL_SYS_VMS
 	BUF_strlcat(p,"/",len);
@@ -2841,7 +2845,7 @@ double app_tminterval(int stop,int usertime)
 
 	if (proc==NULL)
 		{
-		if (GetVersion() < 0x80000000)
+		if (check_winnt())
 			proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
 						GetCurrentProcessId());
 		if (proc==NULL) proc = (HANDLE)-1;
diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h
index c1ca99da12e8..3aeb46c4e299 100644
--- a/crypto/openssl/apps/apps.h
+++ b/crypto/openssl/apps/apps.h
@@ -188,6 +188,7 @@ extern BIO *bio_err;
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+			RAND_cleanup(); \
 			ERR_free_strings(); zlib_cleanup();} while(0)
 #  else
 #    define apps_startup() \
@@ -198,6 +199,7 @@ extern BIO *bio_err;
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+			RAND_cleanup(); \
 			ERR_free_strings(); zlib_cleanup(); } while(0)
 #  endif
 #endif
diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c
index 1cf50e00294d..613f5bee5cc3 100644
--- a/crypto/openssl/apps/ca.c
+++ b/crypto/openssl/apps/ca.c
@@ -703,7 +703,7 @@ bad:
 		ERR_clear_error();
 #ifdef RL_DEBUG
 	if (!p)
-		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n");
 #endif
 #ifdef RL_DEBUG
 	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
@@ -1620,12 +1620,14 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 		{
 		ok=0;
 		BIO_printf(bio_err,"Signature verification problems....\n");
+		ERR_print_errors(bio_err);
 		goto err;
 		}
 	if (i == 0)
 		{
 		ok=0;
 		BIO_printf(bio_err,"Signature did not match the certificate request\n");
+		ERR_print_errors(bio_err);
 		goto err;
 		}
 	else
@@ -2777,6 +2779,9 @@ char *make_revocation_str(int rev_type, char *rev_arg)
 
 	revtm = X509_gmtime_adj(NULL, 0);
 
+	if (!revtm)
+		return NULL;
+
 	i = revtm->length + 1;
 
 	if (reason) i += strlen(reason) + 1;
diff --git a/crypto/openssl/apps/ciphers.c b/crypto/openssl/apps/ciphers.c
index 5f2b73970080..93dce1c40b4a 100644
--- a/crypto/openssl/apps/ciphers.c
+++ b/crypto/openssl/apps/ciphers.c
@@ -96,13 +96,7 @@ int MAIN(int argc, char **argv)
 	char buf[512];
 	BIO *STDout=NULL;
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_server_method();
-#elif !defined(OPENSSL_NO_SSL3)
-	meth=SSLv3_server_method();
-#elif !defined(OPENSSL_NO_SSL2)
-	meth=SSLv2_server_method();
-#endif
 
 	apps_startup();
 
diff --git a/crypto/openssl/apps/crl.c b/crypto/openssl/apps/crl.c
index c395b2afd5d4..8797d300cf13 100644
--- a/crypto/openssl/apps/crl.c
+++ b/crypto/openssl/apps/crl.c
@@ -81,6 +81,9 @@ static const char *crl_usage[]={
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
 " -hash           - print hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -hash_old       - print old-style (MD5) hash value\n",
+#endif
 " -fingerprint    - print the crl fingerprint\n",
 " -issuer         - print issuer DN\n",
 " -lastupdate     - lastUpdate field\n",
@@ -108,6 +111,9 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
+#ifndef OPENSSL_NO_MD5
+       int hash_old=0;
+#endif
 	int fingerprint = 0, crlnumber = 0;
 	const char **pp;
 	X509_STORE *store = NULL;
@@ -192,6 +198,10 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
+#ifndef OPENSSL_NO_MD5
+		else if (strcmp(*argv,"-hash_old") == 0)
+			hash_old= ++num;
+#endif
 		else if (strcmp(*argv,"-nameopt") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -304,6 +314,14 @@ bad:
 				BIO_printf(bio_out,"%08lx\n",
 					X509_NAME_hash(X509_CRL_get_issuer(x)));
 				}
+#ifndef OPENSSL_NO_MD5
+			if (hash_old == i)
+				{
+				BIO_printf(bio_out,"%08lx\n",
+					X509_NAME_hash_old(
+						X509_CRL_get_issuer(x)));
+				}
+#endif
 			if (lastupdate == i)
 				{
 				BIO_printf(bio_out,"lastUpdate=");
diff --git a/crypto/openssl/apps/crl2p7.c b/crypto/openssl/apps/crl2p7.c
index bbc83774dbee..42c6886b83f8 100644
--- a/crypto/openssl/apps/crl2p7.c
+++ b/crypto/openssl/apps/crl2p7.c
@@ -141,7 +141,13 @@ int MAIN(int argc, char **argv)
 			{
 			if (--argc < 1) goto bad;
 			if(!certflst) certflst = sk_OPENSSL_STRING_new_null();
-			sk_OPENSSL_STRING_push(certflst,*(++argv));
+			if (!certflst)
+				goto end;
+			if (!sk_OPENSSL_STRING_push(certflst,*(++argv)))
+				{
+				sk_OPENSSL_STRING_free(certflst);
+				goto end;
+				}
 			}
 		else
 			{
diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c
index 81bd870f991a..e31a6b182eb8 100644
--- a/crypto/openssl/apps/dgst.c
+++ b/crypto/openssl/apps/dgst.c
@@ -273,6 +273,8 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-d              to output debug info\n");
 		BIO_printf(bio_err,"-hex            output as hex dump\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
+		BIO_printf(bio_err,"-hmac arg       set the HMAC key to arg\n");
+		BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n");
 		BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
 		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
@@ -427,9 +429,9 @@ int MAIN(int argc, char **argv)
 			goto end;
 			}
 		if (do_verify)
-			r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
+			r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
 		else
-			r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
+			r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
 		if (!r)
 			{
 			BIO_printf(bio_err, "Error setting context\n");
diff --git a/crypto/openssl/apps/ecparam.c b/crypto/openssl/apps/ecparam.c
index 465480bedd01..976ebef12ba3 100644
--- a/crypto/openssl/apps/ecparam.c
+++ b/crypto/openssl/apps/ecparam.c
@@ -105,7 +105,7 @@
  *                    in the asn1 der encoding
  *                    possible values: named_curve (default)
  *                                     explicit
- * -no_seed         - if 'explicit' parameters are choosen do not use the seed
+ * -no_seed         - if 'explicit' parameters are chosen do not use the seed
  * -genkey          - generate ec key
  * -rand file       - files to use for random number input
  * -engine e        - use engine e, possibly a hardware device
@@ -286,7 +286,7 @@ bad:
 		BIO_printf(bio_err, "                                   "
 				" explicit\n");
 		BIO_printf(bio_err, " -no_seed          if 'explicit'"
-				" parameters are choosen do not"
+				" parameters are chosen do not"
 				" use the seed\n");
 		BIO_printf(bio_err, " -genkey           generate ec"
 				" key\n");
diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c
index 719acc325053..c8cb021224e6 100644
--- a/crypto/openssl/apps/enc.c
+++ b/crypto/openssl/apps/enc.c
@@ -67,7 +67,9 @@
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 #include <openssl/pem.h>
+#ifndef OPENSSL_NO_COMP
 #include <openssl/comp.h>
+#endif
 #include <ctype.h>
 
 int set_hex(char *in,unsigned char *out,int size);
@@ -331,6 +333,18 @@ bad:
         setup_engine(bio_err, engine, 0);
 #endif
 
+	if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+		{
+		BIO_printf(bio_err, "AEAD ciphers not supported by the enc utility\n");
+		goto end;
+		}
+
+	if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE))
+		{
+		BIO_printf(bio_err, "Ciphers in XTS mode are not supported by the enc utility\n");
+		goto end;
+		}
+
 	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
 		{
 		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c
index 83c5a7670052..8883afc9565b 100644
--- a/crypto/openssl/apps/ocsp.c
+++ b/crypto/openssl/apps/ocsp.c
@@ -127,6 +127,7 @@ int MAIN(int argc, char **argv)
 	ENGINE *e = NULL;
 	char **args;
 	char *host = NULL, *port = NULL, *path = "/";
+	char *thost = NULL, *tport = NULL, *tpath = NULL;
 	char *reqin = NULL, *respin = NULL;
 	char *reqout = NULL, *respout = NULL;
 	char *signfile = NULL, *keyfile = NULL;
@@ -204,6 +205,12 @@ int MAIN(int argc, char **argv)
 			}
 		else if (!strcmp(*args, "-url"))
 			{
+			if (thost)
+				OPENSSL_free(thost);
+			if (tport)
+				OPENSSL_free(tport);
+			if (tpath)
+				OPENSSL_free(tpath);
 			if (args[1])
 				{
 				args++;
@@ -212,6 +219,9 @@ int MAIN(int argc, char **argv)
 					BIO_printf(bio_err, "Error parsing URL\n");
 					badarg = 1;
 					}
+				thost = host;
+				tport = port;
+				tpath = path;
 				}
 			else badarg = 1;
 			}
@@ -573,51 +583,52 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "OCSP utility\n");
 		BIO_printf (bio_err, "Usage ocsp [options]\n");
 		BIO_printf (bio_err, "where options are\n");
-		BIO_printf (bio_err, "-out file          output filename\n");
-		BIO_printf (bio_err, "-issuer file       issuer certificate\n");
-		BIO_printf (bio_err, "-cert file         certificate to check\n");
-		BIO_printf (bio_err, "-serial n          serial number to check\n");
-		BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
-		BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
-		BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
-		BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
-		BIO_printf (bio_err, "-req_text          print text form of request\n");
-		BIO_printf (bio_err, "-resp_text         print text form of response\n");
-		BIO_printf (bio_err, "-text              print text form of request and response\n");
-		BIO_printf (bio_err, "-reqout file       write DER encoded OCSP request to \"file\"\n");
-		BIO_printf (bio_err, "-respout file      write DER encoded OCSP reponse to \"file\"\n");
-		BIO_printf (bio_err, "-reqin file        read DER encoded OCSP request from \"file\"\n");
-		BIO_printf (bio_err, "-respin file       read DER encoded OCSP reponse from \"file\"\n");
-		BIO_printf (bio_err, "-nonce             add OCSP nonce to request\n");
-		BIO_printf (bio_err, "-no_nonce          don't add OCSP nonce to request\n");
-		BIO_printf (bio_err, "-url URL           OCSP responder URL\n");
-		BIO_printf (bio_err, "-host host:n       send OCSP request to host on port n\n");
-		BIO_printf (bio_err, "-path              path to use in OCSP request\n");
-		BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
-		BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
-		BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
-		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
-		BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
-		BIO_printf (bio_err, "-noverify          don't verify response at all\n");
-		BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
-		BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
-		BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
+		BIO_printf (bio_err, "-out file            output filename\n");
+		BIO_printf (bio_err, "-issuer file         issuer certificate\n");
+		BIO_printf (bio_err, "-cert file           certificate to check\n");
+		BIO_printf (bio_err, "-serial n            serial number to check\n");
+		BIO_printf (bio_err, "-signer file         certificate to sign OCSP request with\n");
+		BIO_printf (bio_err, "-signkey file        private key to sign OCSP request with\n");
+		BIO_printf (bio_err, "-sign_other file     additional certificates to include in signed request\n");
+		BIO_printf (bio_err, "-no_certs            don't include any certificates in signed request\n");
+		BIO_printf (bio_err, "-req_text            print text form of request\n");
+		BIO_printf (bio_err, "-resp_text           print text form of response\n");
+		BIO_printf (bio_err, "-text                print text form of request and response\n");
+		BIO_printf (bio_err, "-reqout file         write DER encoded OCSP request to \"file\"\n");
+		BIO_printf (bio_err, "-respout file        write DER encoded OCSP reponse to \"file\"\n");
+		BIO_printf (bio_err, "-reqin file          read DER encoded OCSP request from \"file\"\n");
+		BIO_printf (bio_err, "-respin file         read DER encoded OCSP reponse from \"file\"\n");
+		BIO_printf (bio_err, "-nonce               add OCSP nonce to request\n");
+		BIO_printf (bio_err, "-no_nonce            don't add OCSP nonce to request\n");
+		BIO_printf (bio_err, "-url URL             OCSP responder URL\n");
+		BIO_printf (bio_err, "-host host:n         send OCSP request to host on port n\n");
+		BIO_printf (bio_err, "-path                path to use in OCSP request\n");
+		BIO_printf (bio_err, "-CApath dir          trusted certificates directory\n");
+		BIO_printf (bio_err, "-CAfile file         trusted certificates file\n");
+		BIO_printf (bio_err, "-VAfile file         validator certificates file\n");
+		BIO_printf (bio_err, "-validity_period n   maximum validity discrepancy in seconds\n");
+		BIO_printf (bio_err, "-status_age n        maximum status age in seconds\n");
+		BIO_printf (bio_err, "-noverify            don't verify response at all\n");
+		BIO_printf (bio_err, "-verify_other file   additional certificates to search for signer\n");
+		BIO_printf (bio_err, "-trust_other         don't verify additional certificates\n");
+		BIO_printf (bio_err, "-no_intern           don't search certificates contained in response for signer\n");
 		BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
-		BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
-		BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
-		BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
-		BIO_printf (bio_err, "-port num		 port to run responder on\n");
-		BIO_printf (bio_err, "-index file	 certificate status index file\n");
-		BIO_printf (bio_err, "-CA file		 CA certificate\n");
-		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign responses with\n");
-		BIO_printf (bio_err, "-rkey file	 responder key to sign responses with\n");
-		BIO_printf (bio_err, "-rother file	 other certificates to include in response\n");
-		BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
-		BIO_printf (bio_err, "-nmin n	 	 number of minutes before next update\n");
-		BIO_printf (bio_err, "-ndays n	 	 number of days before next update\n");
-		BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
-		BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
-		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request\n");
+		BIO_printf (bio_err, "-no_cert_verify      don't check signing certificate\n");
+		BIO_printf (bio_err, "-no_chain            don't chain verify response\n");
+		BIO_printf (bio_err, "-no_cert_checks      don't do additional checks on signing certificate\n");
+		BIO_printf (bio_err, "-port num            port to run responder on\n");
+		BIO_printf (bio_err, "-index file          certificate status index file\n");
+		BIO_printf (bio_err, "-CA file             CA certificate\n");
+		BIO_printf (bio_err, "-rsigner file        responder certificate to sign responses with\n");
+		BIO_printf (bio_err, "-rkey file           responder key to sign responses with\n");
+		BIO_printf (bio_err, "-rother file         other certificates to include in response\n");
+		BIO_printf (bio_err, "-resp_no_certs       don't include any certificates in response\n");
+		BIO_printf (bio_err, "-nmin n              number of minutes before next update\n");
+		BIO_printf (bio_err, "-ndays n             number of days before next update\n");
+		BIO_printf (bio_err, "-resp_key_id         identify reponse by signing certificate key ID\n");
+		BIO_printf (bio_err, "-nrequest n          number of requests to accept (default unlimited)\n");
+		BIO_printf (bio_err, "-<dgst alg>          use specified digest in the request\n");
+		BIO_printf (bio_err, "-timeout n           timeout connection to OCSP responder after n seconds\n");
 		goto end;
 		}
 
@@ -920,12 +931,12 @@ end:
 	sk_X509_pop_free(verify_other, X509_free);
 	sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
 
-	if (use_ssl != -1)
-		{
-		OPENSSL_free(host);
-		OPENSSL_free(port);
-		OPENSSL_free(path);
-		}
+	if (thost)
+		OPENSSL_free(thost);
+	if (tport)
+		OPENSSL_free(tport);
+	if (tpath)
+		OPENSSL_free(tpath);
 
 	OPENSSL_EXIT(ret);
 }
@@ -1388,16 +1399,7 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
 	if (use_ssl == 1)
 		{
 		BIO *sbio;
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 		ctx = SSL_CTX_new(SSLv23_client_method());
-#elif !defined(OPENSSL_NO_SSL3)
-		ctx = SSL_CTX_new(SSLv3_client_method());
-#elif !defined(OPENSSL_NO_SSL2)
-		ctx = SSL_CTX_new(SSLv2_client_method());
-#else
-		BIO_printf(err, "SSL is disabled\n");
-			goto end;
-#endif
 		if (ctx == NULL)
 			{
 			BIO_printf(err, "Error creating SSL context.\n");
@@ -1409,7 +1411,7 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
 		}
 	resp = query_responder(err, cbio, path, headers, req, req_timeout);
 	if (!resp)
-		BIO_printf(bio_err, "Error querying OCSP responsder\n");
+		BIO_printf(bio_err, "Error querying OCSP responder\n");
 	end:
 	if (cbio)
 		BIO_free_all(cbio);
diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c
index 1c880d90ba1d..5372459456a3 100644
--- a/crypto/openssl/apps/openssl.c
+++ b/crypto/openssl/apps/openssl.c
@@ -117,6 +117,7 @@
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
+#include <openssl/rand.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 #include <openssl/x509.h>
@@ -434,9 +435,7 @@ end:
 	if (prog != NULL) lh_FUNCTION_free(prog);
 	if (arg.data != NULL) OPENSSL_free(arg.data);
 
-	apps_shutdown();
 
-	CRYPTO_mem_leaks(bio_err);
 	if (bio_err != NULL)
 		{
 		BIO_free(bio_err);
@@ -449,6 +448,9 @@ end:
 		OPENSSL_free(Argv);
 		}
 #endif
+	apps_shutdown();
+	CRYPTO_mem_leaks(bio_err);
+
 	OPENSSL_EXIT(ret);
 	}
 
diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c
index b54c6f84a4a0..4d62a7b8cabd 100644
--- a/crypto/openssl/apps/pkcs12.c
+++ b/crypto/openssl/apps/pkcs12.c
@@ -112,7 +112,7 @@ int MAIN(int argc, char **argv)
     int maciter = PKCS12_DEFAULT_ITER;
     int twopass = 0;
     int keytype = 0;
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int cert_pbe;
     int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
     int ret = 1;
     int macver = 1;
@@ -130,6 +130,13 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+#endif
+    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 
diff --git a/crypto/openssl/apps/progs.h b/crypto/openssl/apps/progs.h
index 949e78066b78..d79b974ad159 100644
--- a/crypto/openssl/apps/progs.h
+++ b/crypto/openssl/apps/progs.h
@@ -107,16 +107,16 @@ FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"gendsa",gendsa_main},
 #endif
 	{FUNC_TYPE_GENERAL,"genpkey",genpkey_main},
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+#if !defined(OPENSSL_NO_SOCK)
 	{FUNC_TYPE_GENERAL,"s_server",s_server_main},
 #endif
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+#if !defined(OPENSSL_NO_SOCK)
 	{FUNC_TYPE_GENERAL,"s_client",s_client_main},
 #endif
 #ifndef OPENSSL_NO_SPEED
 	{FUNC_TYPE_GENERAL,"speed",speed_main},
 #endif
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+#if !defined(OPENSSL_NO_SOCK)
 	{FUNC_TYPE_GENERAL,"s_time",s_time_main},
 #endif
 	{FUNC_TYPE_GENERAL,"version",version_main},
@@ -126,7 +126,7 @@ FUNCTION functions[] = {
 #endif
 	{FUNC_TYPE_GENERAL,"crl2pkcs7",crl2pkcs7_main},
 	{FUNC_TYPE_GENERAL,"sess_id",sess_id_main},
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+#if !defined(OPENSSL_NO_SOCK)
 	{FUNC_TYPE_GENERAL,"ciphers",ciphers_main},
 #endif
 	{FUNC_TYPE_GENERAL,"nseq",nseq_main},
diff --git a/crypto/openssl/apps/progs.pl b/crypto/openssl/apps/progs.pl
index 39ca8f71fbbc..fa6258cf5e13 100644
--- a/crypto/openssl/apps/progs.pl
+++ b/crypto/openssl/apps/progs.pl
@@ -32,7 +32,7 @@ foreach (@ARGV)
 	push(@files,$_);
 	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
 	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
-		{ print "#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))\n${str}#endif\n"; } 
+		{ print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n"; } 
 	elsif ( ($_ =~ /^speed$/))
 		{ print "#ifndef OPENSSL_NO_SPEED\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^engine$/))
diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c
index 85526581cefe..d41385d7063a 100644
--- a/crypto/openssl/apps/req.c
+++ b/crypto/openssl/apps/req.c
@@ -644,6 +644,11 @@ bad:
 		if (inrand)
 			app_RAND_load_files(inrand);
 
+		if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
+			{
+			newkey=DEFAULT_KEY_LENGTH;
+			}
+
 		if (keyalg)
 			{
 			genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
@@ -652,12 +657,6 @@ bad:
 				goto end;
 			}
 	
-		if (newkey <= 0)
-			{
-			if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
-				newkey=DEFAULT_KEY_LENGTH;
-			}
-
 		if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
@@ -1490,7 +1489,13 @@ start:
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
-	if(!req_check_len(i, n_min, n_max)) goto start;
+	if(!req_check_len(i, n_min, n_max))
+		{
+		if (batch || value)
+			return 0;
+		goto start;
+		}
+
 	if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
 				(unsigned char *) buf, -1,-1,mval)) goto err;
 	ret=1;
@@ -1549,7 +1554,12 @@ start:
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
-	if(!req_check_len(i, n_min, n_max)) goto start;
+	if(!req_check_len(i, n_min, n_max))
+		{
+		if (batch || value)
+			return 0;
+		goto start;
+		}
 
 	if(!X509_REQ_add1_attr_by_NID(req, nid, chtype,
 					(unsigned char *)buf, -1)) {
@@ -1649,6 +1659,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
 				keylen = atol(p + 1);
 				*pkeylen = keylen;
 				}
+			else
+				keylen = *pkeylen;
 			}
 		else if (p)
 			paramfile = p + 1;
diff --git a/crypto/openssl/apps/s_cb.c b/crypto/openssl/apps/s_cb.c
index 84c3b447c295..146a96079516 100644
--- a/crypto/openssl/apps/s_cb.c
+++ b/crypto/openssl/apps/s_cb.c
@@ -747,6 +747,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 		break;
 #endif
 
+		case TLSEXT_TYPE_padding:
+		extname = "TLS padding";
+		break;
+
 		default:
 		extname = "unknown";
 		break;
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index 0b06b6c0b632..19545e24bd0f 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c
@@ -290,6 +290,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
 
 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
+	BIO_printf(bio_err," -verify_return_error - return verification errors\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
 	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
 	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
@@ -300,6 +301,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
+	BIO_printf(bio_err," -prexit       - print session information even on connection failure\n");
 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
 	BIO_printf(bio_err," -debug        - extra output\n");
 #ifdef WATT32
@@ -327,10 +329,12 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
 	BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
-	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
+	BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
+#endif
 	BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
 	BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
 	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
@@ -805,7 +809,7 @@ int MAIN(int argc, char **argv)
 		else if	(strcmp(*argv,"-ssl2") == 0)
 			meth=SSLv2_client_method();
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
 		else if	(strcmp(*argv,"-ssl3") == 0)
 			meth=SSLv3_client_method();
 #endif
@@ -1317,10 +1321,22 @@ re_start:
 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
 			}
 
-		if (socket_mtu > 28)
+		if (socket_mtu)
 			{
+			if(socket_mtu < DTLS_get_link_min_mtu(con))
+				{
+				BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
+					DTLS_get_link_min_mtu(con));
+				BIO_free(sbio);
+				goto shut;
+				}
 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-			SSL_set_mtu(con, socket_mtu - 28);
+			if(!DTLS_set_link_mtu(con, socket_mtu))
+				{
+				BIO_printf(bio_err, "Failed to set MTU\n");
+				BIO_free(sbio);
+				goto shut;
+				}
 			}
 		else
 			/* want to do MTU discovery */
diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c
index 8198d7f0653e..f47328ab352a 100644
--- a/crypto/openssl/apps/s_server.c
+++ b/crypto/openssl/apps/s_server.c
@@ -463,6 +463,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -context arg  - set session ID context\n");
 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
 	BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
+	BIO_printf(bio_err," -verify_return_error - return verification errors\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use\n");
 	BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
 	BIO_printf(bio_err," -crl_check    - check the peer certificate has not been revoked by its CA.\n" \
@@ -514,7 +515,9 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
 #endif
 	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
 	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
+#endif
 	BIO_printf(bio_err," -tls1_2       - Just talk TLSv1.2\n");
 	BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
 	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
@@ -534,6 +537,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
 #endif
 	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
+	BIO_printf(bio_err," -hack         - workaround for early Netscape code\n");
 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
 	BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
@@ -562,6 +566,10 @@ static void sv_usage(void)
 #endif
 	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
 	BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
+	BIO_printf(bio_err," -status           - respond to certificate status requests\n");
+	BIO_printf(bio_err," -status_verbose   - enable status request verbose printout\n");
+	BIO_printf(bio_err," -status_timeout n - status request responder timeout\n");
+	BIO_printf(bio_err," -status_url URL   - status request fallback URL\n");
 	}
 
 static int local_argc=0;
@@ -739,7 +747,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
 	
 	if (servername)
 		{
-    		if (strcmp(servername,p->servername)) 
+    		if (strcasecmp(servername,p->servername)) 
 			return p->extension_error;
 		if (ctx2)
 			{
@@ -1245,7 +1253,7 @@ int MAIN(int argc, char *argv[])
 		else if	(strcmp(*argv,"-ssl2") == 0)
 			{ meth=SSLv2_server_method(); }
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
 		else if	(strcmp(*argv,"-ssl3") == 0)
 			{ meth=SSLv3_server_method(); }
 #endif
@@ -1356,6 +1364,14 @@ bad:
 		sv_usage();
 		goto end;
 		}
+#ifndef OPENSSL_NO_DTLS1
+	if (www && socket_type == SOCK_DGRAM)
+		{
+		BIO_printf(bio_err,
+				"Can't use -HTTP, -www or -WWW with DTLS\n");
+		goto end;
+		}
+#endif
 
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
 	if (jpake_secret)
@@ -2035,10 +2051,24 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
 			}
 
-		if (socket_mtu > 28)
+		if (socket_mtu)
 			{
+			if(socket_mtu < DTLS_get_link_min_mtu(con))
+				{
+				BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
+					DTLS_get_link_min_mtu(con));
+				ret = -1;
+				BIO_free(sbio);
+				goto err;
+				}
 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-			SSL_set_mtu(con, socket_mtu - 28);
+			if(!DTLS_set_link_mtu(con, socket_mtu))
+				{
+				BIO_printf(bio_err, "Failed to set MTU\n");
+				ret = -1;
+				BIO_free(sbio);
+				goto err;
+				}
 			}
 		else
 			/* want to do MTU discovery */
diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c
index 380efdb1b976..94eb40f3ffc8 100644
--- a/crypto/openssl/apps/s_socket.c
+++ b/crypto/openssl/apps/s_socket.c
@@ -274,7 +274,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
 		{
 		i=0;
 		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-		if (i < 0) { perror("keepalive"); return(0); }
+		if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
 		}
 #endif
 
@@ -450,6 +450,7 @@ redoit:
 		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
 			{
 			perror("OPENSSL_malloc");
+			closesocket(ret);
 			return(0);
 			}
 		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
@@ -458,11 +459,13 @@ redoit:
 		if (h2 == NULL)
 			{
 			BIO_printf(bio_err,"gethostbyname failure\n");
+			closesocket(ret);
 			return(0);
 			}
 		if (h2->h_addrtype != AF_INET)
 			{
 			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
+			closesocket(ret);
 			return(0);
 			}
 		}
diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c
index b823c33c58a0..81dad53243a4 100644
--- a/crypto/openssl/apps/s_time.c
+++ b/crypto/openssl/apps/s_time.c
@@ -349,13 +349,7 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	s_time_meth=SSLv23_client_method();
-#elif !defined(OPENSSL_NO_SSL3)
-	s_time_meth=SSLv3_client_method();
-#elif !defined(OPENSSL_NO_SSL2)
-	s_time_meth=SSLv2_client_method();
-#endif
 
 	/* parse the command line arguments */
 	if( parseArgs( argc, argv ) < 0 )
diff --git a/crypto/openssl/apps/smime.c b/crypto/openssl/apps/smime.c
index c583f8a0e162..d1fe32d31b3f 100644
--- a/crypto/openssl/apps/smime.c
+++ b/crypto/openssl/apps/smime.c
@@ -541,8 +541,8 @@ int MAIN(int argc, char **argv)
 		{
 		if (!cipher)
 			{
-#ifndef OPENSSL_NO_RC2			
-			cipher = EVP_rc2_40_cbc();
+#ifndef OPENSSL_NO_DES			
+			cipher = EVP_des_ede3_cbc();
 #else
 			BIO_printf(bio_err, "No cipher selected\n");
 			goto end;
diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c
index 9886ca376691..24d41227ba66 100644
--- a/crypto/openssl/apps/speed.c
+++ b/crypto/openssl/apps/speed.c
@@ -225,7 +225,7 @@
 
 #undef BUFSIZE
 #define BUFSIZE	((long)1024*8+1)
-int run=0;
+static volatile int run=0;
 
 static int mr=0;
 static int usertime=1;
@@ -2739,27 +2739,6 @@ static int do_multi(int multi)
 				else
 					rsa_results[k][1]=d;
 				}
-			else if(!strncmp(buf,"+F2:",4))
-				{
-				int k;
-				double d;
-				
-				p=buf+4;
-				k=atoi(sstrsep(&p,sep));
-				sstrsep(&p,sep);
-
-				d=atof(sstrsep(&p,sep));
-				if(n)
-					rsa_results[k][0]=1/(1/rsa_results[k][0]+1/d);
-				else
-					rsa_results[k][0]=d;
-
-				d=atof(sstrsep(&p,sep));
-				if(n)
-					rsa_results[k][1]=1/(1/rsa_results[k][1]+1/d);
-				else
-					rsa_results[k][1]=d;
-				}
 #ifndef OPENSSL_NO_DSA
 			else if(!strncmp(buf,"+F3:",4))
 				{
diff --git a/crypto/openssl/config b/crypto/openssl/config
index 88b9bc69da4c..41fa2a6b8296 100755
--- a/crypto/openssl/config
+++ b/crypto/openssl/config
@@ -739,7 +739,7 @@ case "$GUESSOS" in
 			    libc=/usr/lib/libc.so
 			else					# OpenBSD
 			    # ld searches for highest libc.so.* and so do we
-			    libc=`(ls /usr/lib/libc.so.* | tail -1) 2>/dev/null`
+			    libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
 			fi
 			case "`(file -L $libc) 2>/dev/null`" in
 			*ELF*)	OUT="BSD-x86-elf" ;;
diff --git a/crypto/openssl/crypto/Makefile b/crypto/openssl/crypto/Makefile
index 03b708b45555..b839b5586927 100644
--- a/crypto/openssl/crypto/Makefile
+++ b/crypto/openssl/crypto/Makefile
@@ -32,6 +32,7 @@ CPUID_OBJ=mem_clr.o
 LIBS=
 
 GENERAL=Makefile README crypto-lib.com install.com
+TEST=constant_time_test.c
 
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
@@ -44,7 +45,8 @@ SRC= $(LIBSRC)
 
 EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
 	ossl_typ.h
-HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
+HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
+	constant_time_locl.h $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 
@@ -54,12 +56,7 @@ top:
 all: shared
 
 buildinf.h: ../Makefile
-	( echo "#ifndef MK1MF_BUILD"; \
-	echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
-	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
-	echo '  #define PLATFORM "$(PLATFORM)"'; \
-	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
-	echo '#endif' ) >buildinf.h
+	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
 
 x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
@@ -78,7 +75,9 @@ ia64cpuid.s: ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
 ppccpuid.s:	ppccpuid.pl;	$(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
 pariscid.s:	pariscid.pl;	$(PERL) pariscid.pl $(PERLASM_SCHEME) $@
 alphacpuid.s:	alphacpuid.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) alphacpuid.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
 
 testapps:
 	[ -z "$(THIS)" ] || (	if echo $(SDIRS) | fgrep ' des '; \
diff --git a/crypto/openssl/crypto/aes/asm/aes-mips.pl b/crypto/openssl/crypto/aes/asm/aes-mips.pl
index e52395421b3c..537c8d3172b6 100755
--- a/crypto/openssl/crypto/aes/asm/aes-mips.pl
+++ b/crypto/openssl/crypto/aes/asm/aes-mips.pl
@@ -70,7 +70,7 @@ $pf = ($flavour =~ /nubi/i) ? $t0 : $t2;
 #
 ######################################################################
 
-$big_endian=(`echo MIPSEL | $ENV{CC} -E -P -`=~/MIPSEL/)?1:0;
+$big_endian=(`echo MIPSEL | $ENV{CC} -E -`=~/MIPSEL/)?1:0 if ($ENV{CC});
 
 for (@ARGV) {	$output=$_ if (/^\w[\w\-]*\.\w+$/);	}
 open STDOUT,">$output";
diff --git a/crypto/openssl/crypto/aes/asm/aes-parisc.pl b/crypto/openssl/crypto/aes/asm/aes-parisc.pl
index c36b6a22705c..714dcfbbe3b7 100755
--- a/crypto/openssl/crypto/aes/asm/aes-parisc.pl
+++ b/crypto/openssl/crypto/aes/asm/aes-parisc.pl
@@ -1015,7 +1015,8 @@ foreach (split("\n",$code)) {
 		$SIZE_T==4 ? sprintf("extru%s,%d,8,",$1,31-$2)
 		:            sprintf("extrd,u%s,%d,8,",$1,63-$2)/e;
 
-	s/,\*/,/ if ($SIZE_T==4);
+	s/,\*/,/			if ($SIZE_T==4);
+	s/\bbv\b(.*\(%r2\))/bve$1/	if ($SIZE_T==8);
 	print $_,"\n";
 }
 close STDOUT;
diff --git a/crypto/openssl/crypto/aes/asm/aesni-x86_64.pl b/crypto/openssl/crypto/aes/asm/aesni-x86_64.pl
index 0dbb194b8d74..c9270dfddc18 100755
--- a/crypto/openssl/crypto/aes/asm/aesni-x86_64.pl
+++ b/crypto/openssl/crypto/aes/asm/aesni-x86_64.pl
@@ -525,6 +525,16 @@ $code.=<<___;
 .type	aesni_ecb_encrypt,\@function,5
 .align	16
 aesni_ecb_encrypt:
+___
+$code.=<<___ if ($win64);
+	lea	-0x58(%rsp),%rsp
+	movaps	%xmm6,(%rsp)
+	movaps	%xmm7,0x10(%rsp)
+	movaps	%xmm8,0x20(%rsp)
+	movaps	%xmm9,0x30(%rsp)
+.Lecb_enc_body:
+___
+$code.=<<___;
 	and	\$-16,$len
 	jz	.Lecb_ret
 
@@ -805,6 +815,16 @@ $code.=<<___;
 	movups	$inout5,0x50($out)
 
 .Lecb_ret:
+___
+$code.=<<___ if ($win64);
+	movaps	(%rsp),%xmm6
+	movaps	0x10(%rsp),%xmm7
+	movaps	0x20(%rsp),%xmm8
+	movaps	0x30(%rsp),%xmm9
+	lea	0x58(%rsp),%rsp
+.Lecb_enc_ret:
+___
+$code.=<<___;
 	ret
 .size	aesni_ecb_encrypt,.-aesni_ecb_encrypt
 ___
@@ -2730,28 +2750,9 @@ $code.=<<___;
 .extern	__imp_RtlVirtualUnwind
 ___
 $code.=<<___ if ($PREFIX eq "aesni");
-.type	ecb_se_handler,\@abi-omnipotent
-.align	16
-ecb_se_handler:
-	push	%rsi
-	push	%rdi
-	push	%rbx
-	push	%rbp
-	push	%r12
-	push	%r13
-	push	%r14
-	push	%r15
-	pushfq
-	sub	\$64,%rsp
-
-	mov	152($context),%rax	# pull context->Rsp
-
-	jmp	.Lcommon_seh_tail
-.size	ecb_se_handler,.-ecb_se_handler
-
-.type	ccm64_se_handler,\@abi-omnipotent
+.type	ecb_ccm64_se_handler,\@abi-omnipotent
 .align	16
-ccm64_se_handler:
+ecb_ccm64_se_handler:
 	push	%rsi
 	push	%rdi
 	push	%rbx
@@ -2788,7 +2789,7 @@ ccm64_se_handler:
 	lea	0x58(%rax),%rax		# adjust stack pointer
 
 	jmp	.Lcommon_seh_tail
-.size	ccm64_se_handler,.-ccm64_se_handler
+.size	ecb_ccm64_se_handler,.-ecb_ccm64_se_handler
 
 .type	ctr32_se_handler,\@abi-omnipotent
 .align	16
@@ -2993,14 +2994,15 @@ ___
 $code.=<<___ if ($PREFIX eq "aesni");
 .LSEH_info_ecb:
 	.byte	9,0,0,0
-	.rva	ecb_se_handler
+	.rva	ecb_ccm64_se_handler
+	.rva	.Lecb_enc_body,.Lecb_enc_ret		# HandlerData[]
 .LSEH_info_ccm64_enc:
 	.byte	9,0,0,0
-	.rva	ccm64_se_handler
+	.rva	ecb_ccm64_se_handler
 	.rva	.Lccm64_enc_body,.Lccm64_enc_ret	# HandlerData[]
 .LSEH_info_ccm64_dec:
 	.byte	9,0,0,0
-	.rva	ccm64_se_handler
+	.rva	ecb_ccm64_se_handler
 	.rva	.Lccm64_dec_body,.Lccm64_dec_ret	# HandlerData[]
 .LSEH_info_ctr32:
 	.byte	9,0,0,0
diff --git a/crypto/openssl/crypto/aes/asm/bsaes-x86_64.pl b/crypto/openssl/crypto/aes/asm/bsaes-x86_64.pl
index ceb02b50ddb6..41b90f08443f 100755
--- a/crypto/openssl/crypto/aes/asm/bsaes-x86_64.pl
+++ b/crypto/openssl/crypto/aes/asm/bsaes-x86_64.pl
@@ -83,9 +83,9 @@
 # Add decryption procedure. Performance in CPU cycles spent to decrypt
 # one byte out of 4096-byte buffer with 128-bit key is:
 #
-# Core 2	11.0
-# Nehalem	9.16
-# Atom		20.9
+# Core 2	9.83
+# Nehalem	7.74
+# Atom		19.0
 #
 # November 2011.
 #
@@ -456,6 +456,7 @@ sub MixColumns {
 # modified to emit output in order suitable for feeding back to aesenc[last]
 my @x=@_[0..7];
 my @t=@_[8..15];
+my $inv=@_[16];	# optional
 $code.=<<___;
 	pshufd	\$0x93, @x[0], @t[0]	# x0 <<< 32
 	pshufd	\$0x93, @x[1], @t[1]
@@ -497,7 +498,8 @@ $code.=<<___;
 	pxor	@t[4], @t[0]
 	 pshufd	\$0x4E, @x[2], @x[6]
 	pxor	@t[5], @t[1]
-
+___
+$code.=<<___ if (!$inv);
 	pxor	@t[3], @x[4]
 	pxor	@t[7], @x[5]
 	pxor	@t[6], @x[3]
@@ -505,9 +507,20 @@ $code.=<<___;
 	pxor	@t[2], @x[6]
 	 movdqa	@t[1], @x[7]
 ___
+$code.=<<___ if ($inv);
+	pxor	@x[4], @t[3]
+	pxor	@t[7], @x[5]
+	pxor	@x[3], @t[6]
+	 movdqa	@t[0], @x[3]
+	pxor	@t[2], @x[6]
+	 movdqa	@t[6], @x[2]
+	 movdqa	@t[1], @x[7]
+	 movdqa	@x[6], @x[4]
+	 movdqa	@t[3], @x[6]
+___
 }
 
-sub InvMixColumns {
+sub InvMixColumns_orig {
 my @x=@_[0..7];
 my @t=@_[8..15];
 
@@ -661,6 +674,54 @@ $code.=<<___;
 ___
 }
 
+sub InvMixColumns {
+my @x=@_[0..7];
+my @t=@_[8..15];
+
+# Thanks to Jussi Kivilinna for providing pointer to
+#
+# | 0e 0b 0d 09 |   | 02 03 01 01 |   | 05 00 04 00 |
+# | 09 0e 0b 0d | = | 01 02 03 01 | x | 00 05 00 04 |
+# | 0d 09 0e 0b |   | 01 01 02 03 |   | 04 00 05 00 |
+# | 0b 0d 09 0e |   | 03 01 01 02 |   | 00 04 00 05 |
+
+$code.=<<___;
+	# multiplication by 0x05-0x00-0x04-0x00
+	pshufd	\$0x4E, @x[0], @t[0]
+	pshufd	\$0x4E, @x[6], @t[6]
+	pxor	@x[0], @t[0]
+	pshufd	\$0x4E, @x[7], @t[7]
+	pxor	@x[6], @t[6]
+	pshufd	\$0x4E, @x[1], @t[1]
+	pxor	@x[7], @t[7]
+	pshufd	\$0x4E, @x[2], @t[2]
+	pxor	@x[1], @t[1]
+	pshufd	\$0x4E, @x[3], @t[3]
+	pxor	@x[2], @t[2]
+	 pxor	@t[6], @x[0]
+	 pxor	@t[6], @x[1]
+	pshufd	\$0x4E, @x[4], @t[4]
+	pxor	@x[3], @t[3]
+	 pxor	@t[0], @x[2]
+	 pxor	@t[1], @x[3]
+	pshufd	\$0x4E, @x[5], @t[5]
+	pxor	@x[4], @t[4]
+	 pxor	@t[7], @x[1]
+	 pxor	@t[2], @x[4]
+	pxor	@x[5], @t[5]
+
+	 pxor	@t[7], @x[2]
+	 pxor	@t[6], @x[3]
+	 pxor	@t[6], @x[4]
+	 pxor	@t[3], @x[5]
+	 pxor	@t[4], @x[6]
+	 pxor	@t[7], @x[4]
+	 pxor	@t[7], @x[5]
+	 pxor	@t[5], @x[7]
+___
+	&MixColumns	(@x,@t,1);	# flipped 2<->3 and 4<->6
+}
+
 sub aesenc {				# not used
 my @b=@_[0..7];
 my @t=@_[8..15];
@@ -2028,6 +2089,8 @@ ___
 #	const unsigned char iv[16]);
 #
 my ($twmask,$twres,$twtmp)=@XMM[13..15];
+$arg6=~s/d$//;
+
 $code.=<<___;
 .globl	bsaes_xts_encrypt
 .type	bsaes_xts_encrypt,\@abi-omnipotent
diff --git a/crypto/openssl/crypto/aes/asm/vpaes-x86_64.pl b/crypto/openssl/crypto/aes/asm/vpaes-x86_64.pl
index 41f2e46f60c6..bd7f45b85091 100755
--- a/crypto/openssl/crypto/aes/asm/vpaes-x86_64.pl
+++ b/crypto/openssl/crypto/aes/asm/vpaes-x86_64.pl
@@ -1060,7 +1060,7 @@ _vpaes_consts:
 .Lk_dsbo:	# decryption sbox final output
 	.quad	0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
 	.quad	0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.asciz	"Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
+.asciz	"Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
 .align	64
 .size	_vpaes_consts,.-_vpaes_consts
 ___
diff --git a/crypto/openssl/crypto/armcap.c b/crypto/openssl/crypto/armcap.c
index 5258d2fbddfa..9abaf396e53e 100644
--- a/crypto/openssl/crypto/armcap.c
+++ b/crypto/openssl/crypto/armcap.c
@@ -23,7 +23,7 @@ unsigned int _armv7_tick(void);
 
 unsigned int OPENSSL_rdtsc(void)
 	{
-	if (OPENSSL_armcap_P|ARMV7_TICK)
+	if (OPENSSL_armcap_P & ARMV7_TICK)
 		return _armv7_tick();
 	else
 		return 0;
diff --git a/crypto/openssl/crypto/asn1/a_int.c b/crypto/openssl/crypto/asn1/a_int.c
index ad0d2506f632..297c45a9ff12 100644
--- a/crypto/openssl/crypto/asn1/a_int.c
+++ b/crypto/openssl/crypto/asn1/a_int.c
@@ -116,7 +116,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 	int pad=0,ret,i,neg;
 	unsigned char *p,*n,pb=0;
 
-	if ((a == NULL) || (a->data == NULL)) return(0);
+	if (a == NULL) return(0);
 	neg=a->type & V_ASN1_NEG;
 	if (a->length == 0)
 		ret=1;
diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c
index ead37ac32582..8fb4193bc0b2 100644
--- a/crypto/openssl/crypto/asn1/a_strex.c
+++ b/crypto/openssl/crypto/asn1/a_strex.c
@@ -568,6 +568,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	mbflag |= MBSTRING_FLAG;
 	stmp.data = NULL;
 	stmp.length = 0;
+	stmp.flags = 0;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
 	*out = stmp.data;
diff --git a/crypto/openssl/crypto/asn1/a_strnid.c b/crypto/openssl/crypto/asn1/a_strnid.c
index 2fc48c1551a5..2afd5a41368d 100644
--- a/crypto/openssl/crypto/asn1/a_strnid.c
+++ b/crypto/openssl/crypto/asn1/a_strnid.c
@@ -74,7 +74,7 @@ static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
  * certain software (e.g. Netscape) has problems with them.
  */
 
-static unsigned long global_mask = 0xFFFFFFFFL;
+static unsigned long global_mask = B_ASN1_UTF8STRING;
 
 void ASN1_STRING_set_default_mask(unsigned long mask)
 {
diff --git a/crypto/openssl/crypto/asn1/a_utctm.c b/crypto/openssl/crypto/asn1/a_utctm.c
index 072e23659233..bbdc9b3222ab 100644
--- a/crypto/openssl/crypto/asn1/a_utctm.c
+++ b/crypto/openssl/crypto/asn1/a_utctm.c
@@ -196,24 +196,29 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 	struct tm *ts;
 	struct tm data;
 	size_t len = 20;
+	int free_s = 0;
 
 	if (s == NULL)
+		{
+		free_s = 1;
 		s=M_ASN1_UTCTIME_new();
+		}
 	if (s == NULL)
-		return(NULL);
+		goto err;
+
 
 	ts=OPENSSL_gmtime(&t, &data);
 	if (ts == NULL)
-		return(NULL);
+		goto err;
 
 	if (offset_day || offset_sec)
 		{ 
 		if (!OPENSSL_gmtime_adj(ts, offset_day, offset_sec))
-			return NULL;
+			goto err;
 		}
 
 	if((ts->tm_year < 50) || (ts->tm_year >= 150))
-		return NULL;
+		goto err;
 
 	p=(char *)s->data;
 	if ((p == NULL) || ((size_t)s->length < len))
@@ -222,7 +227,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 		if (p == NULL)
 			{
 			ASN1err(ASN1_F_ASN1_UTCTIME_ADJ,ERR_R_MALLOC_FAILURE);
-			return(NULL);
+			goto err;
 			}
 		if (s->data != NULL)
 			OPENSSL_free(s->data);
@@ -237,6 +242,10 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 	ebcdic2ascii(s->data, s->data, s->length);
 #endif
 	return(s);
+	err:
+	if (free_s && s)
+		M_ASN1_UTCTIME_free(s);
+	return NULL;
 	}
 
 
@@ -261,6 +270,11 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	t -= offset*60; /* FIXME: may overflow in extreme cases */
 
 	tm = OPENSSL_gmtime(&t, &data);
+	/* NB: -1, 0, 1 already valid return values so use -2 to
+	 * indicate error.
+	 */
+	if (tm == NULL)
+		return -2;
 	
 #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
 	year = g2(s->data);
diff --git a/crypto/openssl/crypto/asn1/ameth_lib.c b/crypto/openssl/crypto/asn1/ameth_lib.c
index a19e058fca69..ef153d461599 100644
--- a/crypto/openssl/crypto/asn1/ameth_lib.c
+++ b/crypto/openssl/crypto/asn1/ameth_lib.c
@@ -258,7 +258,12 @@ int EVP_PKEY_asn1_add_alias(int to, int from)
 	if (!ameth)
 		return 0;
 	ameth->pkey_base_id = to;
-	return EVP_PKEY_asn1_add0(ameth);
+	if (!EVP_PKEY_asn1_add0(ameth))
+		{
+		EVP_PKEY_asn1_free(ameth);
+		return 0;
+		}
+	return 1;
 	}
 
 int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *ppkey_base_id, int *ppkey_flags,
diff --git a/crypto/openssl/crypto/asn1/asn1.h b/crypto/openssl/crypto/asn1/asn1.h
index 623ca14e6929..3c45d5d03f09 100644
--- a/crypto/openssl/crypto/asn1/asn1.h
+++ b/crypto/openssl/crypto/asn1/asn1.h
@@ -1379,6 +1379,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_TIME_NOT_ASCII_FORMAT			 193
 #define ASN1_R_TOO_LONG					 155
 #define ASN1_R_TYPE_NOT_CONSTRUCTED			 156
+#define ASN1_R_TYPE_NOT_PRIMITIVE			 218
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 158
 #define ASN1_R_UNEXPECTED_EOC				 159
diff --git a/crypto/openssl/crypto/asn1/asn1_err.c b/crypto/openssl/crypto/asn1/asn1_err.c
index eaf02998e0f1..568a8416b811 100644
--- a/crypto/openssl/crypto/asn1/asn1_err.c
+++ b/crypto/openssl/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -296,6 +296,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
 {ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
 {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE)   ,"type not primitive"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
@@ -306,7 +307,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
 {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_TAG)          ,"unknown tag"},
-{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unkown format"},
+{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unknown format"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER)   ,"unsupported cipher"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c
index 1bcb44aee203..fa04b08ed6e4 100644
--- a/crypto/openssl/crypto/asn1/asn1_lib.c
+++ b/crypto/openssl/crypto/asn1/asn1_lib.c
@@ -131,6 +131,9 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
 	*pclass=xclass;
 	if (!asn1_get_length(&p,&inf,plength,(int)max)) goto err;
 
+	if (inf && !(ret & V_ASN1_CONSTRUCTED))
+		goto err;
+
 #if 0
 	fprintf(stderr,"p=%d + *plength=%ld > omax=%ld + *pp=%d  (%d > %d)\n", 
 		(int)p,*plength,omax,(int)*pp,(int)(p+ *plength),
diff --git a/crypto/openssl/crypto/asn1/asn_mime.c b/crypto/openssl/crypto/asn1/asn_mime.c
index 54a704a969ea..13d003bce3cd 100644
--- a/crypto/openssl/crypto/asn1/asn_mime.c
+++ b/crypto/openssl/crypto/asn1/asn_mime.c
@@ -667,6 +667,8 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio)
 	int len, state, save_state = 0;
 
 	headers = sk_MIME_HEADER_new(mime_hdr_cmp);
+	if (!headers)
+		return NULL;
 	while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
 	/* If whitespace at line start then continuation line */
 	if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME;
diff --git a/crypto/openssl/crypto/asn1/asn_pack.c b/crypto/openssl/crypto/asn1/asn_pack.c
index ad738217d778..00dbf5ad3c0a 100644
--- a/crypto/openssl/crypto/asn1/asn_pack.c
+++ b/crypto/openssl/crypto/asn1/asn_pack.c
@@ -134,15 +134,23 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_STRING **oct)
 		
 	if (!(octmp->length = i2d(obj, NULL))) {
 		ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
-		return NULL;
+		goto err;
 	}
 	if (!(p = OPENSSL_malloc (octmp->length))) {
 		ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 	octmp->data = p;
 	i2d (obj, &p);
 	return octmp;
+	err:
+	if (!oct || !*oct)
+		{
+		ASN1_STRING_free(octmp);
+		if (oct)
+			*oct = NULL;
+		}
+	return NULL;
 }
 
 #endif
diff --git a/crypto/openssl/crypto/asn1/bio_asn1.c b/crypto/openssl/crypto/asn1/bio_asn1.c
index dc7efd551c05..bca4eebf6d3f 100644
--- a/crypto/openssl/crypto/asn1/bio_asn1.c
+++ b/crypto/openssl/crypto/asn1/bio_asn1.c
@@ -154,7 +154,10 @@ static int asn1_bio_new(BIO *b)
 	if (!ctx)
 		return 0;
 	if (!asn1_bio_init(ctx, DEFAULT_ASN1_BUF_SIZE))
+		{
+		OPENSSL_free(ctx);
 		return 0;
+		}
 	b->init = 1;
 	b->ptr = (char *)ctx;
 	b->flags = 0;
diff --git a/crypto/openssl/crypto/asn1/charmap.pl b/crypto/openssl/crypto/asn1/charmap.pl
index 2875c5986728..25ebf2c205d0 100644
--- a/crypto/openssl/crypto/asn1/charmap.pl
+++ b/crypto/openssl/crypto/asn1/charmap.pl
@@ -1,5 +1,8 @@
 #!/usr/local/bin/perl -w
 
+# Written by Dr Stephen N Henson (steve@openssl.org).
+# Licensed under the terms of the OpenSSL license.
+
 use strict;
 
 my ($i, @arr);
diff --git a/crypto/openssl/crypto/asn1/evp_asn1.c b/crypto/openssl/crypto/asn1/evp_asn1.c
index f3d9804860ec..1b9445973e49 100644
--- a/crypto/openssl/crypto/asn1/evp_asn1.c
+++ b/crypto/openssl/crypto/asn1/evp_asn1.c
@@ -66,7 +66,11 @@ int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len)
 	ASN1_STRING *os;
 
 	if ((os=M_ASN1_OCTET_STRING_new()) == NULL) return(0);
-	if (!M_ASN1_OCTET_STRING_set(os,data,len)) return(0);
+	if (!M_ASN1_OCTET_STRING_set(os,data,len))
+		{
+		M_ASN1_OCTET_STRING_free(os);
+		return 0;
+		}
 	ASN1_TYPE_set(a,V_ASN1_OCTET_STRING,os);
 	return(1);
 	}
diff --git a/crypto/openssl/crypto/asn1/t_x509.c b/crypto/openssl/crypto/asn1/t_x509.c
index edbb39a02f7a..8e961f5e7d59 100644
--- a/crypto/openssl/crypto/asn1/t_x509.c
+++ b/crypto/openssl/crypto/asn1/t_x509.c
@@ -475,6 +475,8 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
 	l=80-2-obase;
 
 	b=X509_NAME_oneline(name,NULL,0);
+	if (!b)
+		return 0;
 	if (!*b)
 		{
 		OPENSSL_free(b);
diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c
index 87d7dfdf5c37..2cbfa8147596 100644
--- a/crypto/openssl/crypto/asn1/tasn_dec.c
+++ b/crypto/openssl/crypto/asn1/tasn_dec.c
@@ -870,6 +870,14 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 		}
 	else if (cst)
 		{
+		if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
+			|| utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
+			|| utype == V_ASN1_ENUMERATED)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1_R_TYPE_NOT_PRIMITIVE);
+			return 0;
+			}
 		buf.length = 0;
 		buf.max = 0;
 		buf.data = NULL;
diff --git a/crypto/openssl/crypto/asn1/tasn_enc.c b/crypto/openssl/crypto/asn1/tasn_enc.c
index 936ad1f767c6..1390e5e6aef7 100644
--- a/crypto/openssl/crypto/asn1/tasn_enc.c
+++ b/crypto/openssl/crypto/asn1/tasn_enc.c
@@ -453,9 +453,14 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
 			{
 			derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk)
 						* sizeof(*derlst));
+			if (!derlst)
+				return 0;
 			tmpdat = OPENSSL_malloc(skcontlen);
-			if (!derlst || !tmpdat)
+			if (!tmpdat)
+				{
+				OPENSSL_free(derlst);
 				return 0;
+				}
 			}
 		}
 	/* If not sorting just output each item */
diff --git a/crypto/openssl/crypto/asn1/x_crl.c b/crypto/openssl/crypto/asn1/x_crl.c
index c51c690ba9d3..3f03efbe6047 100644
--- a/crypto/openssl/crypto/asn1/x_crl.c
+++ b/crypto/openssl/crypto/asn1/x_crl.c
@@ -270,6 +270,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 				{
 				/* We handle IDP and deltas */
 				if ((nid == NID_issuing_distribution_point)
+					|| (nid == NID_authority_key_identifier)
 					|| (nid == NID_delta_crl))
 					break;;
 				crl->flags |= EXFLAG_CRITICAL;
diff --git a/crypto/openssl/crypto/asn1/x_name.c b/crypto/openssl/crypto/asn1/x_name.c
index d7c2318693f5..22da57040e89 100644
--- a/crypto/openssl/crypto/asn1/x_name.c
+++ b/crypto/openssl/crypto/asn1/x_name.c
@@ -350,6 +350,8 @@ static int x509_name_canon(X509_NAME *a)
 			set = entry->set;
 			}
 		tmpentry = X509_NAME_ENTRY_new();
+		if (!tmpentry)
+			goto err;
 		tmpentry->object = OBJ_dup(entry->object);
 		if (!asn1_string_canon(tmpentry->value, entry->value))
 			goto err;
diff --git a/crypto/openssl/crypto/bio/bio.h b/crypto/openssl/crypto/bio/bio.h
index 05699ab21210..32eba7148056 100644
--- a/crypto/openssl/crypto/bio/bio.h
+++ b/crypto/openssl/crypto/bio/bio.h
@@ -175,6 +175,8 @@ extern "C" {
 #define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT   45 /* Next DTLS handshake timeout to
                                               * adjust socket timeouts */
 
+#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD   49
+
 #ifndef OPENSSL_NO_SCTP
 /* SCTP stuff */
 #define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE	50
@@ -607,6 +609,8 @@ int BIO_ctrl_reset_read_request(BIO *b);
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)
 #define BIO_dgram_set_peer(b,peer) \
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
+#define BIO_dgram_get_mtu_overhead(b) \
+         (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL)
 
 /* These two aren't currently implemented */
 /* int BIO_get_ex_num(BIO *bio); */
diff --git a/crypto/openssl/crypto/bio/bio_lib.c b/crypto/openssl/crypto/bio/bio_lib.c
index 9c9646afa8a2..4793a453e4af 100644
--- a/crypto/openssl/crypto/bio/bio_lib.c
+++ b/crypto/openssl/crypto/bio/bio_lib.c
@@ -132,8 +132,8 @@ int BIO_free(BIO *a)
 
 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data);
 
-	if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);
-	a->method->destroy(a);
+	if ((a->method != NULL) && (a->method->destroy != NULL))
+		a->method->destroy(a);
 	OPENSSL_free(a);
 	return(1);
 	}
diff --git a/crypto/openssl/crypto/bio/bss_dgram.c b/crypto/openssl/crypto/bio/bss_dgram.c
index 9d9e9a51d100..0decf9449b3d 100644
--- a/crypto/openssl/crypto/bio/bss_dgram.c
+++ b/crypto/openssl/crypto/bio/bss_dgram.c
@@ -454,6 +454,36 @@ static int dgram_write(BIO *b, const char *in, int inl)
 	return(ret);
 	}
 
+static long dgram_get_mtu_overhead(bio_dgram_data *data)
+	{
+	long ret;
+
+	switch (data->peer.sa.sa_family)
+		{
+		case AF_INET:
+			/* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
+			ret = 28;
+			break;
+#if OPENSSL_USE_IPV6
+		case AF_INET6:
+#ifdef IN6_IS_ADDR_V4MAPPED
+			if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
+				/* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
+				ret = 28;
+			else
+#endif
+				/* Assume this is UDP - 40 bytes for IP, 8 bytes for UDP */
+				ret = 48;
+			break;
+#endif
+		default:
+			/* We don't know. Go with the historical default */
+			ret = 28;
+			break;
+		}
+	return ret;
+	}
+
 static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 	{
 	long ret=1;
@@ -630,23 +660,24 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 #endif
 		break;
 	case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
+		ret = -dgram_get_mtu_overhead(data);
 		switch (data->peer.sa.sa_family)
 			{
 			case AF_INET:
-				ret = 576 - 20 - 8;
+				ret += 576;
 				break;
 #if OPENSSL_USE_IPV6
 			case AF_INET6:
 #ifdef IN6_IS_ADDR_V4MAPPED
 				if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
-					ret = 576 - 20 - 8;
+					ret += 576;
 				else
 #endif
-					ret = 1280 - 40 - 8;
+					ret += 1280;
 				break;
 #endif
 			default:
-				ret = 576 - 20 - 8;
+				ret += 576;
 				break;
 			}
 		break;
@@ -847,6 +878,9 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 			ret = 0;
 		break;
 #endif
+	case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
+		ret = dgram_get_mtu_overhead(data);
+		break;
 	default:
 		ret=0;
 		break;
@@ -893,10 +927,18 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	/* Activate SCTP-AUTH for DATA and FORWARD-TSN chunks */
 	auth.sauth_chunk = OPENSSL_SCTP_DATA_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 	auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	/* Test if activation was successful. When using accept(),
 	 * SCTP-AUTH has to be activated for the listening socket
@@ -905,9 +947,15 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	authchunks = OPENSSL_malloc(sockopt_len);
 	memset(authchunks, 0, sizeof(sockopt_len));
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
-	
-	for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
+
+	if (ret < 0)
+		{
+		OPENSSL_free(authchunks);
+		BIO_vfree(bio);
+		return(NULL);
+		}
+
+	for (p = (unsigned char*) authchunks->gauth_chunks;
 	     p < (unsigned char*) authchunks + sockopt_len;
 	     p += sizeof(uint8_t))
 		{
@@ -927,16 +975,28 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	event.se_type = SCTP_AUTHENTICATION_EVENT;
 	event.se_on = 1;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #else
 	sockopt_len = (socklen_t) sizeof(struct sctp_event_subscribe);
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	event.sctp_authentication_event = 1;
 
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #endif
 #endif
 
@@ -944,7 +1004,11 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	 * larger than the max record size of 2^14 + 2048 + 13
 	 */
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, sizeof(optval));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	return(bio);
 	}
@@ -1039,6 +1103,13 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			msg.msg_flags = 0;
 			n = recvmsg(b->num, &msg, 0);
 
+			if (n <= 0)
+				{
+				if (n < 0)
+					ret = n;
+				break;
+				}
+
 			if (msg.msg_controllen > 0)
 				{
 				for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg))
@@ -1078,13 +1149,6 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 					}
 				}
 
-			if (n <= 0)
-				{
-				if (n < 0)
-					ret = n;
-				break;
-				}
-
 			if (msg.msg_flags & MSG_NOTIFICATION)
 				{
 				snp = (union sctp_notification*) out;
@@ -1115,16 +1179,28 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 					event.se_type = SCTP_SENDER_DRY_EVENT;
 					event.se_on = 0;
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #else
 					eventsize = sizeof(struct sctp_event_subscribe);
 					i = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 
 					event.sctp_sender_dry_event = 0;
 
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #endif
 					}
 
@@ -1157,8 +1233,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			 */
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, SOL_SOCKET, SO_RCVBUF, &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Test if SCTP doesn't partially deliver below
 			 * max record size (2^14 + 2048 + 13)
@@ -1166,8 +1242,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT,
 			                 &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Partially delivered notification??? Probably a bug.... */
 			OPENSSL_assert(!(msg.msg_flags & MSG_NOTIFICATION));
@@ -1201,15 +1277,15 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			authchunks = OPENSSL_malloc(optlen);
 			memset(authchunks, 0, sizeof(optlen));
 			ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
-			OPENSSL_assert(ii >= 0);
 
-			for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
-				 p < (unsigned char*) authchunks + optlen;
-				 p += sizeof(uint8_t))
-				{
-				if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
-				if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
-				}
+			if (ii >= 0)
+				for (p = (unsigned char*) authchunks->gauth_chunks;
+				     p < (unsigned char*) authchunks + optlen;
+				     p += sizeof(uint8_t))
+					{
+					if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
+					if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
+					}
 
 			OPENSSL_free(authchunks);
 
@@ -1341,7 +1417,7 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
 	bio_dgram_sctp_data *data = NULL;
 	socklen_t sockopt_len = 0;
 	struct sctp_authkeyid authkeyid;
-	struct sctp_authkey *authkey;
+	struct sctp_authkey *authkey = NULL;
 
 	data = (bio_dgram_sctp_data *)b->ptr;
 
@@ -1375,6 +1451,10 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
 		 * Returns always 1.
 		 */
 		break;
+	case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
+		/* We allow transport protocol fragmentation so this is irrelevant */
+		ret = 0;
+		break;
 	case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE:
 		if (num > 0)
 			data->in_handshake = 1;
@@ -1396,6 +1476,11 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
 		/* Add new key */
 		sockopt_len = sizeof(struct sctp_authkey) + 64 * sizeof(uint8_t);
 		authkey = OPENSSL_malloc(sockopt_len);
+		if (authkey == NULL)
+			{
+			ret = -1;
+			break;
+			}
 		memset(authkey, 0x00, sockopt_len);
 		authkey->sca_keynumber = authkeyid.scact_keynumber + 1;
 #ifndef __FreeBSD__
@@ -1407,6 +1492,8 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
 		memcpy(&authkey->sca_key[0], ptr, 64 * sizeof(uint8_t));
 
 		ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_KEY, authkey, sockopt_len);
+		OPENSSL_free(authkey);
+		authkey = NULL;
 		if (ret < 0) break;
 
 		/* Reset active key */
diff --git a/crypto/openssl/crypto/bio/bss_log.c b/crypto/openssl/crypto/bio/bss_log.c
index b7dce5c1a27b..2227b2b52d47 100644
--- a/crypto/openssl/crypto/bio/bss_log.c
+++ b/crypto/openssl/crypto/bio/bss_log.c
@@ -245,7 +245,7 @@ static int MS_CALLBACK slg_puts(BIO *bp, const char *str)
 
 static void xopenlog(BIO* bp, char* name, int level)
 {
-	if (GetVersion() < 0x80000000)
+	if (check_winnt())
 		bp->ptr = RegisterEventSourceA(NULL,name);
 	else
 		bp->ptr = NULL;
diff --git a/crypto/openssl/crypto/bn/Makefile b/crypto/openssl/crypto/bn/Makefile
index 672773454cfd..6dd136be5d6b 100644
--- a/crypto/openssl/crypto/bn/Makefile
+++ b/crypto/openssl/crypto/bn/Makefile
@@ -125,7 +125,9 @@ ppc-mont.s:	asm/ppc-mont.pl;$(PERL) asm/ppc-mont.pl $(PERLASM_SCHEME) $@
 ppc64-mont.s:	asm/ppc64-mont.pl;$(PERL) asm/ppc64-mont.pl $(PERLASM_SCHEME) $@
 
 alpha-mont.s:	asm/alpha-mont.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) asm/alpha-mont.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
 
 # GNU make "catch all"
 %-mont.s:	asm/%-mont.pl;	$(PERL) $< $(PERLASM_SCHEME) $@
diff --git a/crypto/openssl/crypto/bn/asm/mips-mont.pl b/crypto/openssl/crypto/bn/asm/mips-mont.pl
index b944a12b8e29..caae04ed3a86 100755
--- a/crypto/openssl/crypto/bn/asm/mips-mont.pl
+++ b/crypto/openssl/crypto/bn/asm/mips-mont.pl
@@ -133,7 +133,7 @@ $code.=<<___;
 	bnez	$at,1f
 	li	$t0,0
 	slt	$at,$num,17	# on in-order CPU
-	bnezl	$at,bn_mul_mont_internal
+	bnez	$at,bn_mul_mont_internal
 	nop
 1:	jr	$ra
 	li	$a0,0
diff --git a/crypto/openssl/crypto/bn/asm/mips.pl b/crypto/openssl/crypto/bn/asm/mips.pl
index 8c71b0de7b8f..215c9a748325 100755
--- a/crypto/openssl/crypto/bn/asm/mips.pl
+++ b/crypto/openssl/crypto/bn/asm/mips.pl
@@ -140,10 +140,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$ta0,$a2,$minus4
-	$LD	$t0,0($a1)
 	beqz	$ta0,.L_bn_mul_add_words_tail
 
 .L_bn_mul_add_words_loop:
+	$LD	$t0,0($a1)
 	$MULTU	$t0,$a3
 	$LD	$t1,0($a0)
 	$LD	$t2,$BNSZ($a1)
@@ -200,10 +200,9 @@ $code.=<<___;
 	$ADDU	$v0,$ta2
 	sltu	$at,$ta3,$at
 	$ST	$ta3,-$BNSZ($a0)
-	$ADDU	$v0,$at
 	.set	noreorder
-	bgtzl	$ta0,.L_bn_mul_add_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$ta0,.L_bn_mul_add_words_loop
+	$ADDU	$v0,$at
 
 	beqz	$a2,.L_bn_mul_add_words_return
 	nop
@@ -300,10 +299,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$ta0,$a2,$minus4
-	$LD	$t0,0($a1)
 	beqz	$ta0,.L_bn_mul_words_tail
 
 .L_bn_mul_words_loop:
+	$LD	$t0,0($a1)
 	$MULTU	$t0,$a3
 	$LD	$t2,$BNSZ($a1)
 	$LD	$ta0,2*$BNSZ($a1)
@@ -341,10 +340,9 @@ $code.=<<___;
 	$ADDU	$v0,$at
 	sltu	$ta3,$v0,$at
 	$ST	$v0,-$BNSZ($a0)
-	$ADDU	$v0,$ta3,$ta2
 	.set	noreorder
-	bgtzl	$ta0,.L_bn_mul_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$ta0,.L_bn_mul_words_loop
+	$ADDU	$v0,$ta3,$ta2
 
 	beqz	$a2,.L_bn_mul_words_return
 	nop
@@ -429,10 +427,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$ta0,$a2,$minus4
-	$LD	$t0,0($a1)
 	beqz	$ta0,.L_bn_sqr_words_tail
 
 .L_bn_sqr_words_loop:
+	$LD	$t0,0($a1)
 	$MULTU	$t0,$t0
 	$LD	$t2,$BNSZ($a1)
 	$LD	$ta0,2*$BNSZ($a1)
@@ -463,11 +461,10 @@ $code.=<<___;
 	mflo	$ta3
 	mfhi	$ta2
 	$ST	$ta3,-2*$BNSZ($a0)
-	$ST	$ta2,-$BNSZ($a0)
 
 	.set	noreorder
-	bgtzl	$ta0,.L_bn_sqr_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$ta0,.L_bn_sqr_words_loop
+	$ST	$ta2,-$BNSZ($a0)
 
 	beqz	$a2,.L_bn_sqr_words_return
 	nop
@@ -547,10 +544,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$at,$a3,$minus4
-	$LD	$t0,0($a1)
 	beqz	$at,.L_bn_add_words_tail
 
 .L_bn_add_words_loop:
+	$LD	$t0,0($a1)
 	$LD	$ta0,0($a2)
 	subu	$a3,4
 	$LD	$t1,$BNSZ($a1)
@@ -589,11 +586,10 @@ $code.=<<___;
 	$ADDU	$t3,$ta3,$v0
 	sltu	$v0,$t3,$ta3
 	$ST	$t3,-$BNSZ($a0)
-	$ADDU	$v0,$t9
 	
 	.set	noreorder
-	bgtzl	$at,.L_bn_add_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$at,.L_bn_add_words_loop
+	$ADDU	$v0,$t9
 
 	beqz	$a3,.L_bn_add_words_return
 	nop
@@ -679,10 +675,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$at,$a3,$minus4
-	$LD	$t0,0($a1)
 	beqz	$at,.L_bn_sub_words_tail
 
 .L_bn_sub_words_loop:
+	$LD	$t0,0($a1)
 	$LD	$ta0,0($a2)
 	subu	$a3,4
 	$LD	$t1,$BNSZ($a1)
@@ -722,11 +718,10 @@ $code.=<<___;
 	$SUBU	$t3,$ta3,$v0
 	sgtu	$v0,$t3,$ta3
 	$ST	$t3,-$BNSZ($a0)
-	$ADDU	$v0,$t9
 
 	.set	noreorder
-	bgtzl	$at,.L_bn_sub_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$at,.L_bn_sub_words_loop
+	$ADDU	$v0,$t9
 
 	beqz	$a3,.L_bn_sub_words_return
 	nop
@@ -840,8 +835,9 @@ $code.=<<___;
 	sltu	$ta0,$a1,$a2
 	or	$t8,$ta0
 	.set	noreorder
-	beqzl	$at,.L_bn_div_3_words_inner_loop
+	beqz	$at,.L_bn_div_3_words_inner_loop
 	$SUBU	$v0,1
+	$ADDU	$v0,1
 	.set	reorder
 .L_bn_div_3_words_inner_loop_done:
 	.set	noreorder
@@ -902,7 +898,8 @@ $code.=<<___;
 	and	$t2,$a0
 	$SRL	$at,$a1,$t1
 	.set	noreorder
-	bnezl	$t2,.+8
+	beqz	$t2,.+12
+	nop
 	break	6		# signal overflow
 	.set	reorder
 	$SLL	$a0,$t9
@@ -917,7 +914,8 @@ $code.=<<___;
 	$SRL	$DH,$a2,4*$BNSZ	# bits
 	sgeu	$at,$a0,$a2
 	.set	noreorder
-	bnezl	$at,.+8
+	beqz	$at,.+12
+	nop
 	$SUBU	$a0,$a2
 	.set	reorder
 
diff --git a/crypto/openssl/crypto/bn/asm/mips3.s b/crypto/openssl/crypto/bn/asm/mips3.s
deleted file mode 100644
index dca4105c7db1..000000000000
--- a/crypto/openssl/crypto/bn/asm/mips3.s
+++ /dev/null
@@ -1,2201 +0,0 @@
-.rdata
-.asciiz	"mips3.s, Version 1.1"
-.asciiz	"MIPS III/IV ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
-
-/*
- * ====================================================================
- * Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
- * project.
- *
- * Rights for redistribution and usage in source and binary forms are
- * granted according to the OpenSSL license. Warranty of any kind is
- * disclaimed.
- * ====================================================================
- */
-
-/*
- * This is my modest contributon to the OpenSSL project (see
- * http://www.openssl.org/ for more information about it) and is
- * a drop-in MIPS III/IV ISA replacement for crypto/bn/bn_asm.c
- * module. For updates see http://fy.chalmers.se/~appro/hpe/.
- *
- * The module is designed to work with either of the "new" MIPS ABI(5),
- * namely N32 or N64, offered by IRIX 6.x. It's not ment to work under
- * IRIX 5.x not only because it doesn't support new ABIs but also
- * because 5.x kernels put R4x00 CPU into 32-bit mode and all those
- * 64-bit instructions (daddu, dmultu, etc.) found below gonna only
- * cause illegal instruction exception:-(
- *
- * In addition the code depends on preprocessor flags set up by MIPSpro
- * compiler driver (either as or cc) and therefore (probably?) can't be
- * compiled by the GNU assembler. GNU C driver manages fine though...
- * I mean as long as -mmips-as is specified or is the default option,
- * because then it simply invokes /usr/bin/as which in turn takes
- * perfect care of the preprocessor definitions. Another neat feature
- * offered by the MIPSpro assembler is an optimization pass. This gave
- * me the opportunity to have the code looking more regular as all those
- * architecture dependent instruction rescheduling details were left to
- * the assembler. Cool, huh?
- *
- * Performance improvement is astonishing! 'apps/openssl speed rsa dsa'
- * goes way over 3 times faster!
- *
- *					<appro@fy.chalmers.se>
- */
-#include <asm.h>
-#include <regdef.h>
-
-#if _MIPS_ISA>=4
-#define	MOVNZ(cond,dst,src)	\
-	movn	dst,src,cond
-#else
-#define	MOVNZ(cond,dst,src)	\
-	.set	noreorder;	\
-	bnezl	cond,.+8;	\
-	move	dst,src;	\
-	.set	reorder
-#endif
-
-.text
-
-.set	noat
-.set	reorder
-
-#define	MINUS4	v1
-
-.align	5
-LEAF(bn_mul_add_words)
-	.set	noreorder
-	bgtzl	a2,.L_bn_mul_add_words_proceed
-	ld	t0,0(a1)
-	jr	ra
-	move	v0,zero
-	.set	reorder
-
-.L_bn_mul_add_words_proceed:
-	li	MINUS4,-4
-	and	ta0,a2,MINUS4
-	move	v0,zero
-	beqz	ta0,.L_bn_mul_add_words_tail
-
-.L_bn_mul_add_words_loop:
-	dmultu	t0,a3
-	ld	t1,0(a0)
-	ld	t2,8(a1)
-	ld	t3,8(a0)
-	ld	ta0,16(a1)
-	ld	ta1,16(a0)
-	daddu	t1,v0
-	sltu	v0,t1,v0	/* All manuals say it "compares 32-bit
-				 * values", but it seems to work fine
-				 * even on 64-bit registers. */
-	mflo	AT
-	mfhi	t0
-	daddu	t1,AT
-	daddu	v0,t0
-	sltu	AT,t1,AT
-	sd	t1,0(a0)
-	daddu	v0,AT
-
-	dmultu	t2,a3
-	ld	ta2,24(a1)
-	ld	ta3,24(a0)
-	daddu	t3,v0
-	sltu	v0,t3,v0
-	mflo	AT
-	mfhi	t2
-	daddu	t3,AT
-	daddu	v0,t2
-	sltu	AT,t3,AT
-	sd	t3,8(a0)
-	daddu	v0,AT
-
-	dmultu	ta0,a3
-	subu	a2,4
-	PTR_ADD	a0,32
-	PTR_ADD	a1,32
-	daddu	ta1,v0
-	sltu	v0,ta1,v0
-	mflo	AT
-	mfhi	ta0
-	daddu	ta1,AT
-	daddu	v0,ta0
-	sltu	AT,ta1,AT
-	sd	ta1,-16(a0)
-	daddu	v0,AT
-
-
-	dmultu	ta2,a3
-	and	ta0,a2,MINUS4
-	daddu	ta3,v0
-	sltu	v0,ta3,v0
-	mflo	AT
-	mfhi	ta2
-	daddu	ta3,AT
-	daddu	v0,ta2
-	sltu	AT,ta3,AT
-	sd	ta3,-8(a0)
-	daddu	v0,AT
-	.set	noreorder
-	bgtzl	ta0,.L_bn_mul_add_words_loop
-	ld	t0,0(a1)
-
-	bnezl	a2,.L_bn_mul_add_words_tail
-	ld	t0,0(a1)
-	.set	reorder
-
-.L_bn_mul_add_words_return:
-	jr	ra
-
-.L_bn_mul_add_words_tail:
-	dmultu	t0,a3
-	ld	t1,0(a0)
-	subu	a2,1
-	daddu	t1,v0
-	sltu	v0,t1,v0
-	mflo	AT
-	mfhi	t0
-	daddu	t1,AT
-	daddu	v0,t0
-	sltu	AT,t1,AT
-	sd	t1,0(a0)
-	daddu	v0,AT
-	beqz	a2,.L_bn_mul_add_words_return
-
-	ld	t0,8(a1)
-	dmultu	t0,a3
-	ld	t1,8(a0)
-	subu	a2,1
-	daddu	t1,v0
-	sltu	v0,t1,v0
-	mflo	AT
-	mfhi	t0
-	daddu	t1,AT
-	daddu	v0,t0
-	sltu	AT,t1,AT
-	sd	t1,8(a0)
-	daddu	v0,AT
-	beqz	a2,.L_bn_mul_add_words_return
-
-	ld	t0,16(a1)
-	dmultu	t0,a3
-	ld	t1,16(a0)
-	daddu	t1,v0
-	sltu	v0,t1,v0
-	mflo	AT
-	mfhi	t0
-	daddu	t1,AT
-	daddu	v0,t0
-	sltu	AT,t1,AT
-	sd	t1,16(a0)
-	daddu	v0,AT
-	jr	ra
-END(bn_mul_add_words)
-
-.align	5
-LEAF(bn_mul_words)
-	.set	noreorder
-	bgtzl	a2,.L_bn_mul_words_proceed
-	ld	t0,0(a1)
-	jr	ra
-	move	v0,zero
-	.set	reorder
-
-.L_bn_mul_words_proceed:
-	li	MINUS4,-4
-	and	ta0,a2,MINUS4
-	move	v0,zero
-	beqz	ta0,.L_bn_mul_words_tail
-
-.L_bn_mul_words_loop:
-	dmultu	t0,a3
-	ld	t2,8(a1)
-	ld	ta0,16(a1)
-	ld	ta2,24(a1)
-	mflo	AT
-	mfhi	t0
-	daddu	v0,AT
-	sltu	t1,v0,AT
-	sd	v0,0(a0)
-	daddu	v0,t1,t0
-
-	dmultu	t2,a3
-	subu	a2,4
-	PTR_ADD	a0,32
-	PTR_ADD	a1,32
-	mflo	AT
-	mfhi	t2
-	daddu	v0,AT
-	sltu	t3,v0,AT
-	sd	v0,-24(a0)
-	daddu	v0,t3,t2
-
-	dmultu	ta0,a3
-	mflo	AT
-	mfhi	ta0
-	daddu	v0,AT
-	sltu	ta1,v0,AT
-	sd	v0,-16(a0)
-	daddu	v0,ta1,ta0
-
-
-	dmultu	ta2,a3
-	and	ta0,a2,MINUS4
-	mflo	AT
-	mfhi	ta2
-	daddu	v0,AT
-	sltu	ta3,v0,AT
-	sd	v0,-8(a0)
-	daddu	v0,ta3,ta2
-	.set	noreorder
-	bgtzl	ta0,.L_bn_mul_words_loop
-	ld	t0,0(a1)
-
-	bnezl	a2,.L_bn_mul_words_tail
-	ld	t0,0(a1)
-	.set	reorder
-
-.L_bn_mul_words_return:
-	jr	ra
-
-.L_bn_mul_words_tail:
-	dmultu	t0,a3
-	subu	a2,1
-	mflo	AT
-	mfhi	t0
-	daddu	v0,AT
-	sltu	t1,v0,AT
-	sd	v0,0(a0)
-	daddu	v0,t1,t0
-	beqz	a2,.L_bn_mul_words_return
-
-	ld	t0,8(a1)
-	dmultu	t0,a3
-	subu	a2,1
-	mflo	AT
-	mfhi	t0
-	daddu	v0,AT
-	sltu	t1,v0,AT
-	sd	v0,8(a0)
-	daddu	v0,t1,t0
-	beqz	a2,.L_bn_mul_words_return
-
-	ld	t0,16(a1)
-	dmultu	t0,a3
-	mflo	AT
-	mfhi	t0
-	daddu	v0,AT
-	sltu	t1,v0,AT
-	sd	v0,16(a0)
-	daddu	v0,t1,t0
-	jr	ra
-END(bn_mul_words)
-
-.align	5
-LEAF(bn_sqr_words)
-	.set	noreorder
-	bgtzl	a2,.L_bn_sqr_words_proceed
-	ld	t0,0(a1)
-	jr	ra
-	move	v0,zero
-	.set	reorder
-
-.L_bn_sqr_words_proceed:
-	li	MINUS4,-4
-	and	ta0,a2,MINUS4
-	move	v0,zero
-	beqz	ta0,.L_bn_sqr_words_tail
-
-.L_bn_sqr_words_loop:
-	dmultu	t0,t0
-	ld	t2,8(a1)
-	ld	ta0,16(a1)
-	ld	ta2,24(a1)
-	mflo	t1
-	mfhi	t0
-	sd	t1,0(a0)
-	sd	t0,8(a0)
-
-	dmultu	t2,t2
-	subu	a2,4
-	PTR_ADD	a0,64
-	PTR_ADD	a1,32
-	mflo	t3
-	mfhi	t2
-	sd	t3,-48(a0)
-	sd	t2,-40(a0)
-
-	dmultu	ta0,ta0
-	mflo	ta1
-	mfhi	ta0
-	sd	ta1,-32(a0)
-	sd	ta0,-24(a0)
-
-
-	dmultu	ta2,ta2
-	and	ta0,a2,MINUS4
-	mflo	ta3
-	mfhi	ta2
-	sd	ta3,-16(a0)
-	sd	ta2,-8(a0)
-
-	.set	noreorder
-	bgtzl	ta0,.L_bn_sqr_words_loop
-	ld	t0,0(a1)
-
-	bnezl	a2,.L_bn_sqr_words_tail
-	ld	t0,0(a1)
-	.set	reorder
-
-.L_bn_sqr_words_return:
-	move	v0,zero
-	jr	ra
-
-.L_bn_sqr_words_tail:
-	dmultu	t0,t0
-	subu	a2,1
-	mflo	t1
-	mfhi	t0
-	sd	t1,0(a0)
-	sd	t0,8(a0)
-	beqz	a2,.L_bn_sqr_words_return
-
-	ld	t0,8(a1)
-	dmultu	t0,t0
-	subu	a2,1
-	mflo	t1
-	mfhi	t0
-	sd	t1,16(a0)
-	sd	t0,24(a0)
-	beqz	a2,.L_bn_sqr_words_return
-
-	ld	t0,16(a1)
-	dmultu	t0,t0
-	mflo	t1
-	mfhi	t0
-	sd	t1,32(a0)
-	sd	t0,40(a0)
-	jr	ra
-END(bn_sqr_words)
-
-.align	5
-LEAF(bn_add_words)
-	.set	noreorder
-	bgtzl	a3,.L_bn_add_words_proceed
-	ld	t0,0(a1)
-	jr	ra
-	move	v0,zero
-	.set	reorder
-
-.L_bn_add_words_proceed:
-	li	MINUS4,-4
-	and	AT,a3,MINUS4
-	move	v0,zero
-	beqz	AT,.L_bn_add_words_tail
-
-.L_bn_add_words_loop:
-	ld	ta0,0(a2)
-	subu	a3,4
-	ld	t1,8(a1)
-	and	AT,a3,MINUS4
-	ld	t2,16(a1)
-	PTR_ADD	a2,32
-	ld	t3,24(a1)
-	PTR_ADD	a0,32
-	ld	ta1,-24(a2)
-	PTR_ADD	a1,32
-	ld	ta2,-16(a2)
-	ld	ta3,-8(a2)
-	daddu	ta0,t0
-	sltu	t8,ta0,t0
-	daddu	t0,ta0,v0
-	sltu	v0,t0,ta0
-	sd	t0,-32(a0)
-	daddu	v0,t8
-
-	daddu	ta1,t1
-	sltu	t9,ta1,t1
-	daddu	t1,ta1,v0
-	sltu	v0,t1,ta1
-	sd	t1,-24(a0)
-	daddu	v0,t9
-
-	daddu	ta2,t2
-	sltu	t8,ta2,t2
-	daddu	t2,ta2,v0
-	sltu	v0,t2,ta2
-	sd	t2,-16(a0)
-	daddu	v0,t8
-	
-	daddu	ta3,t3
-	sltu	t9,ta3,t3
-	daddu	t3,ta3,v0
-	sltu	v0,t3,ta3
-	sd	t3,-8(a0)
-	daddu	v0,t9
-	
-	.set	noreorder
-	bgtzl	AT,.L_bn_add_words_loop
-	ld	t0,0(a1)
-
-	bnezl	a3,.L_bn_add_words_tail
-	ld	t0,0(a1)
-	.set	reorder
-
-.L_bn_add_words_return:
-	jr	ra
-
-.L_bn_add_words_tail:
-	ld	ta0,0(a2)
-	daddu	ta0,t0
-	subu	a3,1
-	sltu	t8,ta0,t0
-	daddu	t0,ta0,v0
-	sltu	v0,t0,ta0
-	sd	t0,0(a0)
-	daddu	v0,t8
-	beqz	a3,.L_bn_add_words_return
-
-	ld	t1,8(a1)
-	ld	ta1,8(a2)
-	daddu	ta1,t1
-	subu	a3,1
-	sltu	t9,ta1,t1
-	daddu	t1,ta1,v0
-	sltu	v0,t1,ta1
-	sd	t1,8(a0)
-	daddu	v0,t9
-	beqz	a3,.L_bn_add_words_return
-
-	ld	t2,16(a1)
-	ld	ta2,16(a2)
-	daddu	ta2,t2
-	sltu	t8,ta2,t2
-	daddu	t2,ta2,v0
-	sltu	v0,t2,ta2
-	sd	t2,16(a0)
-	daddu	v0,t8
-	jr	ra
-END(bn_add_words)
-
-.align	5
-LEAF(bn_sub_words)
-	.set	noreorder
-	bgtzl	a3,.L_bn_sub_words_proceed
-	ld	t0,0(a1)
-	jr	ra
-	move	v0,zero
-	.set	reorder
-
-.L_bn_sub_words_proceed:
-	li	MINUS4,-4
-	and	AT,a3,MINUS4
-	move	v0,zero
-	beqz	AT,.L_bn_sub_words_tail
-
-.L_bn_sub_words_loop:
-	ld	ta0,0(a2)
-	subu	a3,4
-	ld	t1,8(a1)
-	and	AT,a3,MINUS4
-	ld	t2,16(a1)
-	PTR_ADD	a2,32
-	ld	t3,24(a1)
-	PTR_ADD	a0,32
-	ld	ta1,-24(a2)
-	PTR_ADD	a1,32
-	ld	ta2,-16(a2)
-	ld	ta3,-8(a2)
-	sltu	t8,t0,ta0
-	dsubu	t0,ta0
-	dsubu	ta0,t0,v0
-	sd	ta0,-32(a0)
-	MOVNZ	(t0,v0,t8)
-
-	sltu	t9,t1,ta1
-	dsubu	t1,ta1
-	dsubu	ta1,t1,v0
-	sd	ta1,-24(a0)
-	MOVNZ	(t1,v0,t9)
-
-
-	sltu	t8,t2,ta2
-	dsubu	t2,ta2
-	dsubu	ta2,t2,v0
-	sd	ta2,-16(a0)
-	MOVNZ	(t2,v0,t8)
-
-	sltu	t9,t3,ta3
-	dsubu	t3,ta3
-	dsubu	ta3,t3,v0
-	sd	ta3,-8(a0)
-	MOVNZ	(t3,v0,t9)
-
-	.set	noreorder
-	bgtzl	AT,.L_bn_sub_words_loop
-	ld	t0,0(a1)
-
-	bnezl	a3,.L_bn_sub_words_tail
-	ld	t0,0(a1)
-	.set	reorder
-
-.L_bn_sub_words_return:
-	jr	ra
-
-.L_bn_sub_words_tail:
-	ld	ta0,0(a2)
-	subu	a3,1
-	sltu	t8,t0,ta0
-	dsubu	t0,ta0
-	dsubu	ta0,t0,v0
-	MOVNZ	(t0,v0,t8)
-	sd	ta0,0(a0)
-	beqz	a3,.L_bn_sub_words_return
-
-	ld	t1,8(a1)
-	subu	a3,1
-	ld	ta1,8(a2)
-	sltu	t9,t1,ta1
-	dsubu	t1,ta1
-	dsubu	ta1,t1,v0
-	MOVNZ	(t1,v0,t9)
-	sd	ta1,8(a0)
-	beqz	a3,.L_bn_sub_words_return
-
-	ld	t2,16(a1)
-	ld	ta2,16(a2)
-	sltu	t8,t2,ta2
-	dsubu	t2,ta2
-	dsubu	ta2,t2,v0
-	MOVNZ	(t2,v0,t8)
-	sd	ta2,16(a0)
-	jr	ra
-END(bn_sub_words)
-
-#undef	MINUS4
-
-.align 5
-LEAF(bn_div_3_words)
-	.set	reorder
-	move	a3,a0		/* we know that bn_div_words doesn't
-				 * touch a3, ta2, ta3 and preserves a2
-				 * so that we can save two arguments
-				 * and return address in registers
-				 * instead of stack:-)
-				 */
-	ld	a0,(a3)
-	move	ta2,a1
-	ld	a1,-8(a3)
-	bne	a0,a2,.L_bn_div_3_words_proceed
-	li	v0,-1
-	jr	ra
-.L_bn_div_3_words_proceed:
-	move	ta3,ra
-	bal	bn_div_words
-	move	ra,ta3
-	dmultu	ta2,v0
-	ld	t2,-16(a3)
-	move	ta0,zero
-	mfhi	t1
-	mflo	t0
-	sltu	t8,t1,v1
-.L_bn_div_3_words_inner_loop:
-	bnez	t8,.L_bn_div_3_words_inner_loop_done
-	sgeu	AT,t2,t0
-	seq	t9,t1,v1
-	and	AT,t9
-	sltu	t3,t0,ta2
-	daddu	v1,a2
-	dsubu	t1,t3
-	dsubu	t0,ta2
-	sltu	t8,t1,v1
-	sltu	ta0,v1,a2
-	or	t8,ta0
-	.set	noreorder
-	beqzl	AT,.L_bn_div_3_words_inner_loop
-	dsubu	v0,1
-	.set	reorder
-.L_bn_div_3_words_inner_loop_done:
-	jr	ra
-END(bn_div_3_words)
-
-.align	5
-LEAF(bn_div_words)
-	.set	noreorder
-	bnezl	a2,.L_bn_div_words_proceed
-	move	v1,zero
-	jr	ra
-	li	v0,-1		/* I'd rather signal div-by-zero
-				 * which can be done with 'break 7' */
-
-.L_bn_div_words_proceed:
-	bltz	a2,.L_bn_div_words_body
-	move	t9,v1
-	dsll	a2,1
-	bgtz	a2,.-4
-	addu	t9,1
-
-	.set	reorder
-	negu	t1,t9
-	li	t2,-1
-	dsll	t2,t1
-	and	t2,a0
-	dsrl	AT,a1,t1
-	.set	noreorder
-	bnezl	t2,.+8
-	break	6		/* signal overflow */
-	.set	reorder
-	dsll	a0,t9
-	dsll	a1,t9
-	or	a0,AT
-
-#define	QT	ta0
-#define	HH	ta1
-#define	DH	v1
-.L_bn_div_words_body:
-	dsrl	DH,a2,32
-	sgeu	AT,a0,a2
-	.set	noreorder
-	bnezl	AT,.+8
-	dsubu	a0,a2
-	.set	reorder
-
-	li	QT,-1
-	dsrl	HH,a0,32
-	dsrl	QT,32	/* q=0xffffffff */
-	beq	DH,HH,.L_bn_div_words_skip_div1
-	ddivu	zero,a0,DH
-	mflo	QT
-.L_bn_div_words_skip_div1:
-	dmultu	a2,QT
-	dsll	t3,a0,32
-	dsrl	AT,a1,32
-	or	t3,AT
-	mflo	t0
-	mfhi	t1
-.L_bn_div_words_inner_loop1:
-	sltu	t2,t3,t0
-	seq	t8,HH,t1
-	sltu	AT,HH,t1
-	and	t2,t8
-	sltu	v0,t0,a2
-	or	AT,t2
-	.set	noreorder
-	beqz	AT,.L_bn_div_words_inner_loop1_done
-	dsubu	t1,v0
-	dsubu	t0,a2
-	b	.L_bn_div_words_inner_loop1
-	dsubu	QT,1
-	.set	reorder
-.L_bn_div_words_inner_loop1_done:
-
-	dsll	a1,32
-	dsubu	a0,t3,t0
-	dsll	v0,QT,32
-
-	li	QT,-1
-	dsrl	HH,a0,32
-	dsrl	QT,32	/* q=0xffffffff */
-	beq	DH,HH,.L_bn_div_words_skip_div2
-	ddivu	zero,a0,DH
-	mflo	QT
-.L_bn_div_words_skip_div2:
-#undef	DH
-	dmultu	a2,QT
-	dsll	t3,a0,32
-	dsrl	AT,a1,32
-	or	t3,AT
-	mflo	t0
-	mfhi	t1
-.L_bn_div_words_inner_loop2:
-	sltu	t2,t3,t0
-	seq	t8,HH,t1
-	sltu	AT,HH,t1
-	and	t2,t8
-	sltu	v1,t0,a2
-	or	AT,t2
-	.set	noreorder
-	beqz	AT,.L_bn_div_words_inner_loop2_done
-	dsubu	t1,v1
-	dsubu	t0,a2
-	b	.L_bn_div_words_inner_loop2
-	dsubu	QT,1
-	.set	reorder
-.L_bn_div_words_inner_loop2_done:	
-#undef	HH
-
-	dsubu	a0,t3,t0
-	or	v0,QT
-	dsrl	v1,a0,t9	/* v1 contains remainder if anybody wants it */
-	dsrl	a2,t9		/* restore a2 */
-	jr	ra
-#undef	QT
-END(bn_div_words)
-
-#define	a_0	t0
-#define	a_1	t1
-#define	a_2	t2
-#define	a_3	t3
-#define	b_0	ta0
-#define	b_1	ta1
-#define	b_2	ta2
-#define	b_3	ta3
-
-#define	a_4	s0
-#define	a_5	s2
-#define	a_6	s4
-#define	a_7	a1	/* once we load a[7] we don't need a anymore */
-#define	b_4	s1
-#define	b_5	s3
-#define	b_6	s5
-#define	b_7	a2	/* once we load b[7] we don't need b anymore */
-
-#define	t_1	t8
-#define	t_2	t9
-
-#define	c_1	v0
-#define	c_2	v1
-#define	c_3	a3
-
-#define	FRAME_SIZE	48
-
-.align	5
-LEAF(bn_mul_comba8)
-	.set	noreorder
-	PTR_SUB	sp,FRAME_SIZE
-	.frame	sp,64,ra
-	.set	reorder
-	ld	a_0,0(a1)	/* If compiled with -mips3 option on
-				 * R5000 box assembler barks on this
-				 * line with "shouldn't have mult/div
-				 * as last instruction in bb (R10K
-				 * bug)" warning. If anybody out there
-				 * has a clue about how to circumvent
-				 * this do send me a note.
-				 *		<appro@fy.chalmers.se>
-				 */
-	ld	b_0,0(a2)
-	ld	a_1,8(a1)
-	ld	a_2,16(a1)
-	ld	a_3,24(a1)
-	ld	b_1,8(a2)
-	ld	b_2,16(a2)
-	ld	b_3,24(a2)
-	dmultu	a_0,b_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
-	sd	s0,0(sp)
-	sd	s1,8(sp)
-	sd	s2,16(sp)
-	sd	s3,24(sp)
-	sd	s4,32(sp)
-	sd	s5,40(sp)
-	mflo	c_1
-	mfhi	c_2
-
-	dmultu	a_0,b_1		/* mul_add_c(a[0],b[1],c2,c3,c1); */
-	ld	a_4,32(a1)
-	ld	a_5,40(a1)
-	ld	a_6,48(a1)
-	ld	a_7,56(a1)
-	ld	b_4,32(a2)
-	ld	b_5,40(a2)
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	c_3,t_2,AT
-	dmultu	a_1,b_0		/* mul_add_c(a[1],b[0],c2,c3,c1); */
-	ld	b_6,48(a2)
-	ld	b_7,56(a2)
-	sd	c_1,0(a0)	/* r[0]=c1; */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	c_1,c_3,t_2
-	sd	c_2,8(a0)	/* r[1]=c2; */
-
-	dmultu	a_2,b_0		/* mul_add_c(a[2],b[0],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	dmultu	a_1,b_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	c_2,c_1,t_2
-	dmultu	a_0,b_2		/* mul_add_c(a[0],b[2],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,16(a0)	/* r[2]=c3; */
-
-	dmultu	a_0,b_3		/* mul_add_c(a[0],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	c_3,c_2,t_2
-	dmultu	a_1,b_2		/* mul_add_c(a[1],b[2],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_2,b_1		/* mul_add_c(a[2],b[1],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_3,b_0		/* mul_add_c(a[3],b[0],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,24(a0)	/* r[3]=c1; */
-
-	dmultu	a_4,b_0		/* mul_add_c(a[4],b[0],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	c_1,c_3,t_2
-	dmultu	a_3,b_1		/* mul_add_c(a[3],b[1],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_2,b_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_1,b_3		/* mul_add_c(a[1],b[3],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_0,b_4		/* mul_add_c(a[0],b[4],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,32(a0)	/* r[4]=c2; */
-
-	dmultu	a_0,b_5		/* mul_add_c(a[0],b[5],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	c_2,c_1,t_2
-	dmultu	a_1,b_4		/* mul_add_c(a[1],b[4],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_2,b_3		/* mul_add_c(a[2],b[3],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_3,b_2		/* mul_add_c(a[3],b[2],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_4,b_1		/* mul_add_c(a[4],b[1],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_5,b_0		/* mul_add_c(a[5],b[0],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,40(a0)	/* r[5]=c3; */
-
-	dmultu	a_6,b_0		/* mul_add_c(a[6],b[0],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	c_3,c_2,t_2
-	dmultu	a_5,b_1		/* mul_add_c(a[5],b[1],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_4,b_2		/* mul_add_c(a[4],b[2],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_3,b_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_2,b_4		/* mul_add_c(a[2],b[4],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_1,b_5		/* mul_add_c(a[1],b[5],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_0,b_6		/* mul_add_c(a[0],b[6],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,48(a0)	/* r[6]=c1; */
-
-	dmultu	a_0,b_7		/* mul_add_c(a[0],b[7],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	c_1,c_3,t_2
-	dmultu	a_1,b_6		/* mul_add_c(a[1],b[6],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_2,b_5		/* mul_add_c(a[2],b[5],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_3,b_4		/* mul_add_c(a[3],b[4],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_4,b_3		/* mul_add_c(a[4],b[3],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_5,b_2		/* mul_add_c(a[5],b[2],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_6,b_1		/* mul_add_c(a[6],b[1],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_7,b_0		/* mul_add_c(a[7],b[0],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,56(a0)	/* r[7]=c2; */
-
-	dmultu	a_7,b_1		/* mul_add_c(a[7],b[1],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	c_2,c_1,t_2
-	dmultu	a_6,b_2		/* mul_add_c(a[6],b[2],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_5,b_3		/* mul_add_c(a[5],b[3],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_4,b_4		/* mul_add_c(a[4],b[4],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_3,b_5		/* mul_add_c(a[3],b[5],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_2,b_6		/* mul_add_c(a[2],b[6],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_1,b_7		/* mul_add_c(a[1],b[7],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,64(a0)	/* r[8]=c3; */
-
-	dmultu	a_2,b_7		/* mul_add_c(a[2],b[7],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	c_3,c_2,t_2
-	dmultu	a_3,b_6		/* mul_add_c(a[3],b[6],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_4,b_5		/* mul_add_c(a[4],b[5],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_5,b_4		/* mul_add_c(a[5],b[4],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_6,b_3		/* mul_add_c(a[6],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_7,b_2		/* mul_add_c(a[7],b[2],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,72(a0)	/* r[9]=c1; */
-
-	dmultu	a_7,b_3		/* mul_add_c(a[7],b[3],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	c_1,c_3,t_2
-	dmultu	a_6,b_4		/* mul_add_c(a[6],b[4],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_5,b_5		/* mul_add_c(a[5],b[5],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_4,b_6		/* mul_add_c(a[4],b[6],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_3,b_7		/* mul_add_c(a[3],b[7],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,80(a0)	/* r[10]=c2; */
-
-	dmultu	a_4,b_7		/* mul_add_c(a[4],b[7],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	c_2,c_1,t_2
-	dmultu	a_5,b_6		/* mul_add_c(a[5],b[6],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_6,b_5		/* mul_add_c(a[6],b[5],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_7,b_4		/* mul_add_c(a[7],b[4],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,88(a0)	/* r[11]=c3; */
-
-	dmultu	a_7,b_5		/* mul_add_c(a[7],b[5],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	c_3,c_2,t_2
-	dmultu	a_6,b_6		/* mul_add_c(a[6],b[6],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_5,b_7		/* mul_add_c(a[5],b[7],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,96(a0)	/* r[12]=c1; */
-
-	dmultu	a_6,b_7		/* mul_add_c(a[6],b[7],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	c_1,c_3,t_2
-	dmultu	a_7,b_6		/* mul_add_c(a[7],b[6],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,104(a0)	/* r[13]=c2; */
-
-	dmultu	a_7,b_7		/* mul_add_c(a[7],b[7],c3,c1,c2); */
-	ld	s0,0(sp)
-	ld	s1,8(sp)
-	ld	s2,16(sp)
-	ld	s3,24(sp)
-	ld	s4,32(sp)
-	ld	s5,40(sp)
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sd	c_3,112(a0)	/* r[14]=c3; */
-	sd	c_1,120(a0)	/* r[15]=c1; */
-
-	PTR_ADD	sp,FRAME_SIZE
-
-	jr	ra
-END(bn_mul_comba8)
-
-.align	5
-LEAF(bn_mul_comba4)
-	.set	reorder
-	ld	a_0,0(a1)
-	ld	b_0,0(a2)
-	ld	a_1,8(a1)
-	ld	a_2,16(a1)
-	dmultu	a_0,b_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
-	ld	a_3,24(a1)
-	ld	b_1,8(a2)
-	ld	b_2,16(a2)
-	ld	b_3,24(a2)
-	mflo	c_1
-	mfhi	c_2
-	sd	c_1,0(a0)
-
-	dmultu	a_0,b_1		/* mul_add_c(a[0],b[1],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	c_3,t_2,AT
-	dmultu	a_1,b_0		/* mul_add_c(a[1],b[0],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	c_1,c_3,t_2
-	sd	c_2,8(a0)
-
-	dmultu	a_2,b_0		/* mul_add_c(a[2],b[0],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	dmultu	a_1,b_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	c_2,c_1,t_2
-	dmultu	a_0,b_2		/* mul_add_c(a[0],b[2],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,16(a0)
-
-	dmultu	a_0,b_3		/* mul_add_c(a[0],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	c_3,c_2,t_2
-	dmultu	a_1,b_2		/* mul_add_c(a[1],b[2],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_2,b_1		/* mul_add_c(a[2],b[1],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_3,b_0		/* mul_add_c(a[3],b[0],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,24(a0)
-
-	dmultu	a_3,b_1		/* mul_add_c(a[3],b[1],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	c_1,c_3,t_2
-	dmultu	a_2,b_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_1,b_3		/* mul_add_c(a[1],b[3],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,32(a0)
-
-	dmultu	a_2,b_3		/* mul_add_c(a[2],b[3],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	c_2,c_1,t_2
-	dmultu	a_3,b_2		/* mul_add_c(a[3],b[2],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,40(a0)
-
-	dmultu	a_3,b_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sd	c_1,48(a0)
-	sd	c_2,56(a0)
-
-	jr	ra
-END(bn_mul_comba4)
-
-#undef	a_4
-#undef	a_5
-#undef	a_6
-#undef	a_7
-#define	a_4	b_0
-#define	a_5	b_1
-#define	a_6	b_2
-#define	a_7	b_3
-
-.align	5
-LEAF(bn_sqr_comba8)
-	.set	reorder
-	ld	a_0,0(a1)
-	ld	a_1,8(a1)
-	ld	a_2,16(a1)
-	ld	a_3,24(a1)
-
-	dmultu	a_0,a_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
-	ld	a_4,32(a1)
-	ld	a_5,40(a1)
-	ld	a_6,48(a1)
-	ld	a_7,56(a1)
-	mflo	c_1
-	mfhi	c_2
-	sd	c_1,0(a0)
-
-	dmultu	a_0,a_1		/* mul_add_c2(a[0],b[1],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	c_3,t_2,AT
-	sd	c_2,8(a0)
-
-	dmultu	a_2,a_0		/* mul_add_c2(a[2],b[0],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_1,a_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,16(a0)
-
-	dmultu	a_0,a_3		/* mul_add_c2(a[0],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_1,a_2		/* mul_add_c2(a[1],b[2],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,24(a0)
-
-	dmultu	a_4,a_0		/* mul_add_c2(a[4],b[0],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_3,a_1		/* mul_add_c2(a[3],b[1],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_2,a_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,32(a0)
-
-	dmultu	a_0,a_5		/* mul_add_c2(a[0],b[5],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_1,a_4		/* mul_add_c2(a[1],b[4],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_2,a_3		/* mul_add_c2(a[2],b[3],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,40(a0)
-
-	dmultu	a_6,a_0		/* mul_add_c2(a[6],b[0],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_5,a_1		/* mul_add_c2(a[5],b[1],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_4,a_2		/* mul_add_c2(a[4],b[2],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_3,a_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,48(a0)
-
-	dmultu	a_0,a_7		/* mul_add_c2(a[0],b[7],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_1,a_6		/* mul_add_c2(a[1],b[6],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_2,a_5		/* mul_add_c2(a[2],b[5],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_3,a_4		/* mul_add_c2(a[3],b[4],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,56(a0)
-
-	dmultu	a_7,a_1		/* mul_add_c2(a[7],b[1],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_6,a_2		/* mul_add_c2(a[6],b[2],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_5,a_3		/* mul_add_c2(a[5],b[3],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_4,a_4		/* mul_add_c(a[4],b[4],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,64(a0)
-
-	dmultu	a_2,a_7		/* mul_add_c2(a[2],b[7],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_3,a_6		/* mul_add_c2(a[3],b[6],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_4,a_5		/* mul_add_c2(a[4],b[5],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,72(a0)
-
-	dmultu	a_7,a_3		/* mul_add_c2(a[7],b[3],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_6,a_4		/* mul_add_c2(a[6],b[4],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_5,a_5		/* mul_add_c(a[5],b[5],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,80(a0)
-
-	dmultu	a_4,a_7		/* mul_add_c2(a[4],b[7],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_5,a_6		/* mul_add_c2(a[5],b[6],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,88(a0)
-
-	dmultu	a_7,a_5		/* mul_add_c2(a[7],b[5],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_6,a_6		/* mul_add_c(a[6],b[6],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,96(a0)
-
-	dmultu	a_6,a_7		/* mul_add_c2(a[6],b[7],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,104(a0)
-
-	dmultu	a_7,a_7		/* mul_add_c(a[7],b[7],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sd	c_3,112(a0)
-	sd	c_1,120(a0)
-
-	jr	ra
-END(bn_sqr_comba8)
-
-.align	5
-LEAF(bn_sqr_comba4)
-	.set	reorder
-	ld	a_0,0(a1)
-	ld	a_1,8(a1)
-	ld	a_2,16(a1)
-	ld	a_3,24(a1)
-	dmultu	a_0,a_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
-	mflo	c_1
-	mfhi	c_2
-	sd	c_1,0(a0)
-
-	dmultu	a_0,a_1		/* mul_add_c2(a[0],b[1],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	c_3,t_2,AT
-	sd	c_2,8(a0)
-
-	dmultu	a_2,a_0		/* mul_add_c2(a[2],b[0],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	dmultu	a_1,a_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,16(a0)
-
-	dmultu	a_0,a_3		/* mul_add_c2(a[0],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	dmultu	a_1,a_2		/* mul_add_c(a2[1],b[2],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
-	sd	c_1,24(a0)
-
-	dmultu	a_3,a_1		/* mul_add_c2(a[3],b[1],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	dmultu	a_2,a_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_2,t_1
-	sltu	AT,c_2,t_1
-	daddu	t_2,AT
-	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
-	sd	c_2,32(a0)
-
-	dmultu	a_2,a_3		/* mul_add_c2(a[2],b[3],c3,c1,c2); */
-	mflo	t_1
-	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
-	daddu	c_3,t_1
-	sltu	AT,c_3,t_1
-	daddu	t_2,AT
-	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
-	sd	c_3,40(a0)
-
-	dmultu	a_3,a_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
-	mflo	t_1
-	mfhi	t_2
-	daddu	c_1,t_1
-	sltu	AT,c_1,t_1
-	daddu	t_2,AT
-	daddu	c_2,t_2
-	sd	c_1,48(a0)
-	sd	c_2,56(a0)
-
-	jr	ra
-END(bn_sqr_comba4)
diff --git a/crypto/openssl/crypto/bn/asm/parisc-mont.pl b/crypto/openssl/crypto/bn/asm/parisc-mont.pl
index 4a766a87fb2e..c02ef6f01466 100755
--- a/crypto/openssl/crypto/bn/asm/parisc-mont.pl
+++ b/crypto/openssl/crypto/bn/asm/parisc-mont.pl
@@ -40,7 +40,7 @@
 # of arithmetic operations, most notably multiplications. It requires
 # more memory references, most notably to tp[num], but this doesn't
 # seem to exhaust memory port capacity. And indeed, dedicated PA-RISC
-# 2.0 code path, provides virtually same performance as pa-risc2[W].s:
+# 2.0 code path provides virtually same performance as pa-risc2[W].s:
 # it's ~10% better for shortest key length and ~10% worse for longest
 # one.
 #
@@ -988,6 +988,8 @@ foreach (split("\n",$code)) {
 	# assemble 2.0 instructions in 32-bit mode...
 	s/^\s+([a-z]+)([\S]*)\s+([\S]*)/&assemble($1,$2,$3)/e if ($BN_SZ==4);
 
+	s/\bbv\b/bve/gm	if ($SIZE_T==8);
+
 	print $_,"\n";
 }
 close STDOUT;
diff --git a/crypto/openssl/crypto/bn/asm/x86_64-gcc.c b/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
index a65d24595365..2d39407f499e 100644
--- a/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
@@ -189,7 +189,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
 
 	if (n <= 0) return 0;
 
-	asm (
+	asm volatile (
 	"	subq	%2,%2		\n"
 	".p2align 4			\n"
 	"1:	movq	(%4,%2,8),%0	\n"
@@ -200,7 +200,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
 	"	sbbq	%0,%0		\n"
 		: "=&a"(ret),"+c"(n),"=&r"(i)
 		: "r"(rp),"r"(ap),"r"(bp)
-		: "cc"
+		: "cc", "memory"
 	);
 
   return ret&1;
@@ -212,7 +212,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
 
 	if (n <= 0) return 0;
 
-	asm (
+	asm volatile (
 	"	subq	%2,%2		\n"
 	".p2align 4			\n"
 	"1:	movq	(%4,%2,8),%0	\n"
@@ -223,7 +223,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
 	"	sbbq	%0,%0		\n"
 		: "=&a"(ret),"+c"(n),"=&r"(i)
 		: "r"(rp),"r"(ap),"r"(bp)
-		: "cc"
+		: "cc", "memory"
 	);
 
   return ret&1;
diff --git a/crypto/openssl/crypto/bn/asm/x86_64-gf2m.pl b/crypto/openssl/crypto/bn/asm/x86_64-gf2m.pl
index a30d4ef02958..226c66c35e35 100755
--- a/crypto/openssl/crypto/bn/asm/x86_64-gf2m.pl
+++ b/crypto/openssl/crypto/bn/asm/x86_64-gf2m.pl
@@ -31,7 +31,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| \"$^X\" $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 ($lo,$hi)=("%rax","%rdx");	$a=$lo;
 ($i0,$i1)=("%rsi","%rdi");
diff --git a/crypto/openssl/crypto/bn/asm/x86_64-mont5.pl b/crypto/openssl/crypto/bn/asm/x86_64-mont5.pl
index 8f8dc5a59798..dae0fe245318 100755
--- a/crypto/openssl/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/openssl/crypto/bn/asm/x86_64-mont5.pl
@@ -901,8 +901,8 @@ $code.=<<___;
 	jnz	.Lgather
 ___
 $code.=<<___ if ($win64);
-	movaps	%xmm6,(%rsp)
-	movaps	%xmm7,0x10(%rsp)
+	movaps	(%rsp),%xmm6
+	movaps	0x10(%rsp),%xmm7
 	lea	0x28(%rsp),%rsp
 ___
 $code.=<<___;
diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h
index 21a1a3fe35c0..c4d618522e26 100644
--- a/crypto/openssl/crypto/bn/bn.h
+++ b/crypto/openssl/crypto/bn/bn.h
@@ -780,7 +780,9 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
 #define bn_wcheck_size(bn, words) \
 	do { \
 		const BIGNUM *_bnum2 = (bn); \
-		assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
+		assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
+		/* avoid unused variable warning with NDEBUG */ \
+		(void)(_bnum2); \
 	} while(0)
 
 #else /* !BN_DEBUG */
diff --git a/crypto/openssl/crypto/bn/bn_ctx.c b/crypto/openssl/crypto/bn/bn_ctx.c
index 3f2256f67575..90aa3aeb9f75 100644
--- a/crypto/openssl/crypto/bn/bn_ctx.c
+++ b/crypto/openssl/crypto/bn/bn_ctx.c
@@ -158,7 +158,7 @@ static void ctxdbg(BN_CTX *ctx)
 	unsigned int bnidx = 0, fpidx = 0;
 	BN_POOL_ITEM *item = ctx->pool.head;
 	BN_STACK *stack = &ctx->stack;
-	fprintf(stderr,"(%08x): ", (unsigned int)ctx);
+	fprintf(stderr,"(%16p): ", ctx);
 	while(bnidx < ctx->used)
 		{
 		fprintf(stderr,"%03x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax);
diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c
index 7b2403185e62..0ec90e805c47 100644
--- a/crypto/openssl/crypto/bn/bn_div.c
+++ b/crypto/openssl/crypto/bn/bn_div.c
@@ -189,15 +189,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	int no_branch=0;
 
 	/* Invalid zero-padding would have particularly bad consequences
-	 * in the case of 'num', so don't just rely on bn_check_top() for this one
+	 * so don't just rely on bn_check_top() here
 	 * (bn_check_top() works only for BN_DEBUG builds) */
-	if (num->top > 0 && num->d[num->top - 1] == 0)
+	if ((num->top > 0 && num->d[num->top - 1] == 0) ||
+		(divisor->top > 0 && divisor->d[divisor->top - 1] == 0))
 		{
 		BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
 		return 0;
 		}
 
 	bn_check_top(num);
+	bn_check_top(divisor);
 
 	if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
 		{
@@ -207,7 +209,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	bn_check_top(dv);
 	bn_check_top(rm);
 	/* bn_check_top(num); */ /* 'num' has been checked already */
-	bn_check_top(divisor);
+	/* bn_check_top(divisor); */ /* 'divisor' has been checked already */
 
 	if (BN_is_zero(divisor))
 		{
diff --git a/crypto/openssl/crypto/bn/bn_exp.c b/crypto/openssl/crypto/bn/bn_exp.c
index 2abf6fd67871..611fa3262bed 100644
--- a/crypto/openssl/crypto/bn/bn_exp.c
+++ b/crypto/openssl/crypto/bn/bn_exp.c
@@ -680,7 +680,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 
     /* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
      * 512-bit RSA is hardly relevant, we omit it to spare size... */ 
-    if (window==5)
+    if (window==5 && top>1)
 	{
 	void bn_mul_mont_gather5(BN_ULONG *rp,const BN_ULONG *ap,
 			const void *table,const BN_ULONG *np,
@@ -874,7 +874,14 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 	bits = BN_num_bits(p);
 	if (bits == 0)
 		{
-		ret = BN_one(rr);
+		/* x**0 mod 1 is still zero. */
+		if (BN_is_one(m))
+			{
+			ret = 1;
+			BN_zero(rr);
+			}
+		else
+			ret = BN_one(rr);
 		return ret;
 		}
 	if (a == 0)
diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c
index 5461e6ee7dbe..d5a211e288b6 100644
--- a/crypto/openssl/crypto/bn/bn_lib.c
+++ b/crypto/openssl/crypto/bn/bn_lib.c
@@ -320,6 +320,15 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
 		BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
+#ifdef PURIFY
+	/* Valgrind complains in BN_consttime_swap because we process the whole
+	 * array even if it's not initialised yet. This doesn't matter in that
+	 * function - what's important is constant time operation (we're not
+	 * actually going to use the data)
+	*/
+	memset(a, 0, sizeof(BN_ULONG)*words);
+#endif
+
 #if 1
 	B=b->d;
 	/* Check if the previous number needs to be copied */
diff --git a/crypto/openssl/crypto/bn/bn_mont.c b/crypto/openssl/crypto/bn/bn_mont.c
index 427b5cf4df95..ee8532c7dc33 100644
--- a/crypto/openssl/crypto/bn/bn_mont.c
+++ b/crypto/openssl/crypto/bn/bn_mont.c
@@ -478,32 +478,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
 BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
 					const BIGNUM *mod, BN_CTX *ctx)
 	{
-	int got_write_lock = 0;
 	BN_MONT_CTX *ret;
 
 	CRYPTO_r_lock(lock);
-	if (!*pmont)
+	ret = *pmont;
+	CRYPTO_r_unlock(lock);
+	if (ret)
+		return ret;
+
+	/* We don't want to serialise globally while doing our lazy-init math in
+	 * BN_MONT_CTX_set. That punishes threads that are doing independent
+	 * things. Instead, punish the case where more than one thread tries to
+	 * lazy-init the same 'pmont', by having each do the lazy-init math work
+	 * independently and only use the one from the thread that wins the race
+	 * (the losers throw away the work they've done). */
+	ret = BN_MONT_CTX_new();
+	if (!ret)
+		return NULL;
+	if (!BN_MONT_CTX_set(ret, mod, ctx))
 		{
-		CRYPTO_r_unlock(lock);
-		CRYPTO_w_lock(lock);
-		got_write_lock = 1;
+		BN_MONT_CTX_free(ret);
+		return NULL;
+		}
 
-		if (!*pmont)
-			{
-			ret = BN_MONT_CTX_new();
-			if (ret && !BN_MONT_CTX_set(ret, mod, ctx))
-				BN_MONT_CTX_free(ret);
-			else
-				*pmont = ret;
-			}
+	/* The locked compare-and-set, after the local work is done. */
+	CRYPTO_w_lock(lock);
+	if (*pmont)
+		{
+		BN_MONT_CTX_free(ret);
+		ret = *pmont;
 		}
-	
-	ret = *pmont;
-	
-	if (got_write_lock)
-		CRYPTO_w_unlock(lock);
 	else
-		CRYPTO_r_unlock(lock);
-		
+		*pmont = ret;
+	CRYPTO_w_unlock(lock);
 	return ret;
 	}
diff --git a/crypto/openssl/crypto/bn/bn_nist.c b/crypto/openssl/crypto/bn/bn_nist.c
index 43caee477031..abb1570853ec 100644
--- a/crypto/openssl/crypto/bn/bn_nist.c
+++ b/crypto/openssl/crypto/bn/bn_nist.c
@@ -286,26 +286,25 @@ const BIGNUM *BN_get0_nist_prime_521(void)
 	}
 
 
-static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
+static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max)
 	{
 	int i;
-	BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
 
 #ifdef BN_DEBUG
 	OPENSSL_assert(top <= max);
 #endif
-	for (i = (top); i != 0; i--)
-		*_tmp1++ = *_tmp2++;
-	for (i = (max) - (top); i != 0; i--)
-		*_tmp1++ = (BN_ULONG) 0;
+	for (i = 0; i < top; i++)
+		dst[i] = src[i];
+	for (; i < max; i++)
+		dst[i] = 0;
 	}
 
-static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
+static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
 	{ 
 	int i;
-	BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-	for (i = (top); i != 0; i--)
-		*_tmp1++ = *_tmp2++;
+
+	for (i = 0; i < top; i++)
+		dst[i] = src[i];
 	}
 
 #if BN_BITS2 == 64
@@ -451,8 +450,9 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	 */
 	mask  = 0-(PTR_SIZE_INT)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_TOP);
 	mask &= 0-(PTR_SIZE_INT)carry;
+	res   = c_d;
 	res   = (BN_ULONG *)
-	 (((PTR_SIZE_INT)c_d&~mask) | ((PTR_SIZE_INT)r_d&mask));
+	 (((PTR_SIZE_INT)res&~mask) | ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d, res, BN_NIST_192_TOP);
 	r->top = BN_NIST_192_TOP;
 	bn_correct_top(r);
@@ -479,8 +479,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	int	top = a->top, i;
 	int	carry;
 	BN_ULONG *r_d, *a_d = a->d;
-	BN_ULONG buf[BN_NIST_224_TOP],
-		 c_d[BN_NIST_224_TOP],
+	union	{
+		BN_ULONG	bn[BN_NIST_224_TOP];
+		unsigned int	ui[BN_NIST_224_TOP*sizeof(BN_ULONG)/sizeof(unsigned int)];
+		} buf;
+	BN_ULONG c_d[BN_NIST_224_TOP],
 		*res;
 	PTR_SIZE_INT mask;
 	union { bn_addsub_f f; PTR_SIZE_INT p; } u;
@@ -519,18 +522,18 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	/* copy upper 256 bits of 448 bit number ... */
 	nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP);
 	/* ... and right shift by 32 to obtain upper 224 bits */
-	nist_set_224(buf, c_d, 14, 13, 12, 11, 10, 9, 8);
+	nist_set_224(buf.bn, c_d, 14, 13, 12, 11, 10, 9, 8);
 	/* truncate lower part to 224 bits too */
 	r_d[BN_NIST_224_TOP-1] &= BN_MASK2l;
 #else
-	nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
+	nist_cp_bn_0(buf.bn, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
 #endif
 
 #if defined(NIST_INT64) && BN_BITS2!=64
 	{
 	NIST_INT64		acc;	/* accumulator */
 	unsigned int		*rp=(unsigned int *)r_d;
-	const unsigned int	*bp=(const unsigned int *)buf;
+	const unsigned int	*bp=(const unsigned int *)buf.ui;
 
 	acc  = rp[0];	acc -= bp[7-7];
 			acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc >>= 32;
@@ -565,13 +568,13 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	{
 	BN_ULONG t_d[BN_NIST_224_TOP];
 
-	nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0);
+	nist_set_224(t_d, buf.bn, 10, 9, 8, 7, 0, 0, 0);
 	carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
-	nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0);
+	nist_set_224(t_d, buf.bn, 0, 13, 12, 11, 0, 0, 0);
 	carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
-	nist_set_224(t_d, buf, 13, 12, 11, 10, 9, 8, 7);
+	nist_set_224(t_d, buf.bn, 13, 12, 11, 10, 9, 8, 7);
 	carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
-	nist_set_224(t_d, buf, 0, 0, 0, 0, 13, 12, 11);
+	nist_set_224(t_d, buf.bn, 0, 0, 0, 0, 13, 12, 11);
 	carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
 
 #if BN_BITS2==64
@@ -606,7 +609,8 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	/* otherwise it's effectively same as in BN_nist_mod_192... */
 	mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP);
 	mask &= 0-(PTR_SIZE_INT)carry;
-	res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+	res   = c_d;
+	res   = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
 	 ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d, res, BN_NIST_224_TOP);
 	r->top = BN_NIST_224_TOP;
@@ -805,7 +809,8 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
 	mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP);
 	mask &= 0-(PTR_SIZE_INT)carry;
-	res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+	res   = c_d;
+	res   = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
 	 ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d, res, BN_NIST_256_TOP);
 	r->top = BN_NIST_256_TOP;
@@ -1026,7 +1031,8 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
 	mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP);
 	mask &= 0-(PTR_SIZE_INT)carry;
-	res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+	res   = c_d;
+	res   = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
 	 ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d, res, BN_NIST_384_TOP);
 	r->top = BN_NIST_384_TOP;
@@ -1082,9 +1088,9 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	/* ... and right shift */
 	for (val=t_d[0],i=0; i<BN_NIST_521_TOP-1; i++)
 		{
-		tmp = val>>BN_NIST_521_RSHIFT;
-		val = t_d[i+1];
-		t_d[i] = (tmp | val<<BN_NIST_521_LSHIFT) & BN_MASK2;
+		t_d[i] = ( val>>BN_NIST_521_RSHIFT |
+			  (tmp=t_d[i+1])<<BN_NIST_521_LSHIFT ) & BN_MASK2;
+		val=tmp;
 		}
 	t_d[i] = val>>BN_NIST_521_RSHIFT;
 	/* lower 521 bits */
@@ -1092,7 +1098,8 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
 	bn_add_words(r_d,r_d,t_d,BN_NIST_521_TOP);
 	mask = 0-(PTR_SIZE_INT)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP);
-	res  = (BN_ULONG *)(((PTR_SIZE_INT)t_d&~mask) |
+	res  = t_d;
+	res  = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
 	 ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d,res,BN_NIST_521_TOP);
 	r->top = BN_NIST_521_TOP;
diff --git a/crypto/openssl/crypto/bn/bn_sqr.c b/crypto/openssl/crypto/bn/bn_sqr.c
index 270d0cd348b9..65bbf165d0e2 100644
--- a/crypto/openssl/crypto/bn/bn_sqr.c
+++ b/crypto/openssl/crypto/bn/bn_sqr.c
@@ -77,6 +77,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
 	if (al <= 0)
 		{
 		r->top=0;
+		r->neg = 0;
 		return 1;
 		}
 
diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c
index 0f0c33ac1b7e..48bc63384c92 100644
--- a/crypto/openssl/crypto/bn/bntest.c
+++ b/crypto/openssl/crypto/bn/bntest.c
@@ -107,6 +107,7 @@ int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
 int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
 int test_gf2m_add(BIO *bp);
 int test_gf2m_mod(BIO *bp);
@@ -249,6 +250,7 @@ int main(int argc, char *argv[])
 
 	message(out,"BN_mod_exp_mont_consttime");
 	if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+	if (!test_mod_exp_mont5(out,ctx)) goto err;
 	(void)BIO_flush(out);
 
 	message(out,"BN_exp");
@@ -1066,6 +1068,80 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
+/* Test constant-time modular exponentiation with 1024-bit inputs,
+ * which on x86_64 cause a different code branch to be taken.
+ */
+int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*p,*m,*d,*e;
+
+	BN_MONT_CTX *mont;
+
+	a=BN_new();
+	p=BN_new();
+	m=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	mont = BN_MONT_CTX_new();
+
+	BN_bntest_rand(m,1024,0,1); /* must be odd for montgomery */
+	/* Zero exponent */
+	BN_bntest_rand(a,1024,0,0);
+	BN_zero(p);
+	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
+		return 0;
+	if(!BN_is_one(d))
+		{
+		fprintf(stderr, "Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Zero input */
+	BN_bntest_rand(p,1024,0,0);
+	BN_zero(a);
+	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
+		return 0;
+	if(!BN_is_zero(d))
+		{
+		fprintf(stderr, "Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Craft an input whose Montgomery representation is 1,
+	 * i.e., shorter than the modulus m, in order to test
+	 * the const time precomputation scattering/gathering.
+	 */
+	BN_one(a);
+	BN_MONT_CTX_set(mont,m,ctx);
+	if(!BN_from_montgomery(e,a,mont,ctx))
+		return 0;
+	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
+		return 0;
+	if(!BN_mod_exp_simple(a,e,p,m,ctx))
+		return 0;
+	if(BN_cmp(a,d) != 0)
+		{
+		fprintf(stderr,"Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Finally, some regular test vectors. */
+	BN_bntest_rand(e,1024,0,0);
+	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
+		return 0;
+	if(!BN_mod_exp_simple(a,e,p,m,ctx))
+		return 0;
+	if(BN_cmp(a,d) != 0)
+		{
+		fprintf(stderr,"Modular exponentiation test failed!\n");
+		return 0;
+		}
+	BN_free(a);
+	BN_free(p);
+	BN_free(m);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
 int test_exp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*d,*e,*one;
diff --git a/crypto/openssl/crypto/bn/exptest.c b/crypto/openssl/crypto/bn/exptest.c
index 074a8e882a8e..5fa02a1229e8 100644
--- a/crypto/openssl/crypto/bn/exptest.c
+++ b/crypto/openssl/crypto/bn/exptest.c
@@ -71,6 +71,43 @@
 
 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
 
+/* test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success. */
+static int test_exp_mod_zero() {
+	BIGNUM a, p, m;
+	BIGNUM r;
+	BN_CTX *ctx = BN_CTX_new();
+	int ret = 1;
+
+	BN_init(&m);
+	BN_one(&m);
+
+	BN_init(&a);
+	BN_one(&a);
+
+	BN_init(&p);
+	BN_zero(&p);
+
+	BN_init(&r);
+	BN_mod_exp(&r, &a, &p, &m, ctx);
+	BN_CTX_free(ctx);
+
+	if (BN_is_zero(&r))
+		ret = 0;
+	else
+		{
+		printf("1**0 mod 1 = ");
+		BN_print_fp(stdout, &r);
+		printf(", should be 0\n");
+		}
+
+	BN_free(&r);
+	BN_free(&a);
+	BN_free(&p);
+	BN_free(&m);
+
+	return ret;
+}
+
 int main(int argc, char *argv[])
 	{
 	BN_CTX *ctx;
@@ -190,7 +227,13 @@ int main(int argc, char *argv[])
 	ERR_remove_thread_state(NULL);
 	CRYPTO_mem_leaks(out);
 	BIO_free(out);
-	printf(" done\n");
+	printf("\n");
+
+	if (test_exp_mod_zero() != 0)
+		goto err;
+
+	printf("done\n");
+
 	EXIT(0);
 err:
 	ERR_load_crypto_strings();
diff --git a/crypto/openssl/crypto/buffer/buffer.c b/crypto/openssl/crypto/buffer/buffer.c
index d7aa79ad7f0a..d4a4ce43b3f2 100644
--- a/crypto/openssl/crypto/buffer/buffer.c
+++ b/crypto/openssl/crypto/buffer/buffer.c
@@ -179,14 +179,14 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
 	return(len);
 	}
 
-void BUF_reverse(unsigned char *out, unsigned char *in, size_t size)
+void BUF_reverse(unsigned char *out, const unsigned char *in, size_t size)
 	{
 	size_t i;
 	if (in)
 		{
 		out += size - 1;
 		for (i = 0; i < size; i++)
-			*in++ = *out--;
+			*out-- = *in++;
 		}
 	else
 		{
diff --git a/crypto/openssl/crypto/buffer/buffer.h b/crypto/openssl/crypto/buffer/buffer.h
index 178e418282b2..f8da32b48507 100644
--- a/crypto/openssl/crypto/buffer/buffer.h
+++ b/crypto/openssl/crypto/buffer/buffer.h
@@ -88,7 +88,7 @@ int	BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 char *	BUF_strdup(const char *str);
 char *	BUF_strndup(const char *str, size_t siz);
 void *	BUF_memdup(const void *data, size_t siz);
-void	BUF_reverse(unsigned char *out, unsigned char *in, size_t siz);
+void	BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
 
 /* safe string functions */
 size_t BUF_strlcpy(char *dst,const char *src,size_t siz);
diff --git a/crypto/openssl/crypto/cms/cms_env.c b/crypto/openssl/crypto/cms/cms_env.c
index be20b1c024cf..add00bf99cf7 100644
--- a/crypto/openssl/crypto/cms/cms_env.c
+++ b/crypto/openssl/crypto/cms/cms_env.c
@@ -185,6 +185,8 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
 	if (flags & CMS_USE_KEYID)
 		{
 		ktri->version = 2;
+		if (env->version < 2)
+			env->version = 2;
 		type = CMS_RECIPINFO_KEYIDENTIFIER;
 		}
 	else
diff --git a/crypto/openssl/crypto/cms/cms_lib.c b/crypto/openssl/crypto/cms/cms_lib.c
index b62d1bfac02b..ba08279a0461 100644
--- a/crypto/openssl/crypto/cms/cms_lib.c
+++ b/crypto/openssl/crypto/cms/cms_lib.c
@@ -465,8 +465,6 @@ int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert)
 	pcerts = cms_get0_certificate_choices(cms);
 	if (!pcerts)
 		return 0;
-	if (!pcerts)
-		return 0;
 	for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++)
 		{
 		cch = sk_CMS_CertificateChoices_value(*pcerts, i);
diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c
index b79612a12df4..71f2ddb49695 100644
--- a/crypto/openssl/crypto/cms/cms_pwri.c
+++ b/crypto/openssl/crypto/cms/cms_pwri.c
@@ -93,9 +93,10 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
 	X509_ALGOR *encalg = NULL;
 	unsigned char iv[EVP_MAX_IV_LENGTH];
 	int ivlen;
+
 	env = cms_get0_enveloped(cms);
 	if (!env)
-		goto err;
+		return NULL;
 
 	if (wrap_nid <= 0)
 		wrap_nid = NID_id_alg_PWRI_KEK;
diff --git a/crypto/openssl/crypto/cms/cms_sd.c b/crypto/openssl/crypto/cms/cms_sd.c
index 77fbd1359679..51dd33a1c323 100644
--- a/crypto/openssl/crypto/cms/cms_sd.c
+++ b/crypto/openssl/crypto/cms/cms_sd.c
@@ -158,8 +158,8 @@ static void cms_sd_set_version(CMS_SignedData *sd)
 			if (sd->version < 3)
 				sd->version = 3;
 			}
-		else
-			sd->version = 1;
+		else if (si->version < 1)
+			si->version = 1;
 		}
 
 	if (sd->version < 1)
diff --git a/crypto/openssl/crypto/cms/cms_smime.c b/crypto/openssl/crypto/cms/cms_smime.c
index 8c56e3a8520d..1af9f3a60f8b 100644
--- a/crypto/openssl/crypto/cms/cms_smime.c
+++ b/crypto/openssl/crypto/cms/cms_smime.c
@@ -611,7 +611,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 	STACK_OF(CMS_RecipientInfo) *ris;
 	CMS_RecipientInfo *ri;
 	int i, r;
-	int debug = 0;
+	int debug = 0, ri_match = 0;
 	ris = CMS_get0_RecipientInfos(cms);
 	if (ris)
 		debug = cms->d.envelopedData->encryptedContentInfo->debug;
@@ -620,6 +620,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 		ri = sk_CMS_RecipientInfo_value(ris, i);
 		if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
 				continue;
+		ri_match = 1;
 		/* If we have a cert try matching RecipientInfo
 		 * otherwise try them all.
 		 */
@@ -655,7 +656,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 			}
 		}
 	/* If no cert and not debugging always return success */
-	if (!cert && !debug)
+	if (ri_match && !cert && !debug)
 		{
 		ERR_clear_error();
 		return 1;
diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c
index cf951320af8e..f0b27687395f 100644
--- a/crypto/openssl/crypto/conf/conf_def.c
+++ b/crypto/openssl/crypto/conf/conf_def.c
@@ -321,7 +321,7 @@ again:
 			p=eat_ws(conf, end);
 			if (*p != ']')
 				{
-				if (*p != '\0')
+				if (*p != '\0' && ss != p)
 					{
 					ss=p;
 					goto again;
diff --git a/crypto/openssl/crypto/constant_time_locl.h b/crypto/openssl/crypto/constant_time_locl.h
new file mode 100644
index 000000000000..8af98c168329
--- /dev/null
+++ b/crypto/openssl/crypto/constant_time_locl.h
@@ -0,0 +1,206 @@
+/* crypto/constant_time_locl.h */
+/*
+ * Utilities for constant-time cryptography.
+ *
+ * Author: Emilia Kasper (emilia@openssl.org)
+ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley
+ * (Google).
+ * ====================================================================
+ * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_CONSTANT_TIME_LOCL_H
+#define HEADER_CONSTANT_TIME_LOCL_H
+
+#include "e_os.h"  /* For 'inline' */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * The boolean methods return a bitmask of all ones (0xff...f) for true
+ * and 0 for false. This is useful for choosing a value based on the result
+ * of a conditional in constant time. For example,
+ *
+ * if (a < b) {
+ *   c = a;
+ * } else {
+ *   c = b;
+ * }
+ *
+ * can be written as
+ *
+ * unsigned int lt = constant_time_lt(a, b);
+ * c = constant_time_select(lt, a, b);
+ */
+
+/*
+ * Returns the given value with the MSB copied to all the other
+ * bits. Uses the fact that arithmetic shift shifts-in the sign bit.
+ * However, this is not ensured by the C standard so you may need to
+ * replace this with something else on odd CPUs.
+ */
+static inline unsigned int constant_time_msb(unsigned int a);
+
+/*
+ * Returns 0xff..f if a < b and 0 otherwise.
+ */
+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b);
+
+/*
+ * Returns 0xff..f if a >= b and 0 otherwise.
+ */
+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b);
+
+/*
+ * Returns 0xff..f if a == 0 and 0 otherwise.
+ */
+static inline unsigned int constant_time_is_zero(unsigned int a);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_is_zero_8(unsigned int a);
+
+
+/*
+ * Returns 0xff..f if a == b and 0 otherwise.
+ */
+static inline unsigned int constant_time_eq(unsigned int a, unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b);
+/* Signed integers. */
+static inline unsigned int constant_time_eq_int(int a, int b);
+/* Convenience method for getting an 8-bit mask. */
+static inline unsigned char constant_time_eq_int_8(int a, int b);
+
+
+/*
+ * Returns (mask & a) | (~mask & b).
+ *
+ * When |mask| is all 1s or all 0s (as returned by the methods above),
+ * the select methods return either |a| (if |mask| is nonzero) or |b|
+ * (if |mask| is zero).
+ */
+static inline unsigned int constant_time_select(unsigned int mask,
+	unsigned int a, unsigned int b);
+/* Convenience method for unsigned chars. */
+static inline unsigned char constant_time_select_8(unsigned char mask,
+	unsigned char a, unsigned char b);
+/* Convenience method for signed integers. */
+static inline int constant_time_select_int(unsigned int mask, int a, int b);
+
+static inline unsigned int constant_time_msb(unsigned int a)
+	{
+	return 0-(a >> (sizeof(a) * 8 - 1));
+	}
+
+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b)
+	{
+	return constant_time_msb(a^((a^b)|((a-b)^b)));
+	}
+
+static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b)
+	{
+	return (unsigned char)(constant_time_lt(a, b));
+	}
+
+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b)
+	{
+	return ~constant_time_lt(a, b);
+	}
+
+static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b)
+	{
+	return (unsigned char)(constant_time_ge(a, b));
+	}
+
+static inline unsigned int constant_time_is_zero(unsigned int a)
+	{
+	return constant_time_msb(~a & (a - 1));
+	}
+
+static inline unsigned char constant_time_is_zero_8(unsigned int a)
+	{
+	return (unsigned char)(constant_time_is_zero(a));
+	}
+
+static inline unsigned int constant_time_eq(unsigned int a, unsigned int b)
+	{
+	return constant_time_is_zero(a ^ b);
+	}
+
+static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
+	{
+	return (unsigned char)(constant_time_eq(a, b));
+	}
+
+static inline unsigned int constant_time_eq_int(int a, int b)
+	{
+	return constant_time_eq((unsigned)(a), (unsigned)(b));
+	}
+
+static inline unsigned char constant_time_eq_int_8(int a, int b)
+	{
+	return constant_time_eq_8((unsigned)(a), (unsigned)(b));
+	}
+
+static inline unsigned int constant_time_select(unsigned int mask,
+	unsigned int a, unsigned int b)
+	{
+	return (mask & a) | (~mask & b);
+	}
+
+static inline unsigned char constant_time_select_8(unsigned char mask,
+	unsigned char a, unsigned char b)
+	{
+	return (unsigned char)(constant_time_select(mask, a, b));
+	}
+
+static inline int constant_time_select_int(unsigned int mask, int a, int b)
+	{
+	return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
+	}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif  /* HEADER_CONSTANT_TIME_LOCL_H */
diff --git a/crypto/openssl/crypto/constant_time_test.c b/crypto/openssl/crypto/constant_time_test.c
new file mode 100644
index 000000000000..d9c6a44aed05
--- /dev/null
+++ b/crypto/openssl/crypto/constant_time_test.c
@@ -0,0 +1,330 @@
+/* crypto/constant_time_test.c */
+/*
+ * Utilities for constant-time cryptography.
+ *
+ * Author: Emilia Kasper (emilia@openssl.org)
+ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley
+ * (Google).
+ * ====================================================================
+ * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "../crypto/constant_time_locl.h"
+
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+static const unsigned int CONSTTIME_TRUE = (unsigned)(~0);
+static const unsigned int CONSTTIME_FALSE = 0;
+static const unsigned char CONSTTIME_TRUE_8 = 0xff;
+static const unsigned char CONSTTIME_FALSE_8 = 0;
+
+static int test_binary_op(unsigned int (*op)(unsigned int a, unsigned int b),
+	const char* op_name, unsigned int a, unsigned int b, int is_true)
+	{
+	unsigned c = op(a, b);
+	if (is_true && c != CONSTTIME_TRUE)
+		{
+		fprintf(stderr, "Test failed for %s(%du, %du): expected %du "
+			"(TRUE), got %du\n", op_name, a, b, CONSTTIME_TRUE, c);
+		return 1;
+		}
+	else if (!is_true && c != CONSTTIME_FALSE)
+		{
+		fprintf(stderr, "Test failed for  %s(%du, %du): expected %du "
+			"(FALSE), got %du\n", op_name, a, b, CONSTTIME_FALSE,
+			c);
+		return 1;
+		}
+        return 0;
+	}
+
+static int test_binary_op_8(unsigned char (*op)(unsigned int a, unsigned int b),
+	const char* op_name, unsigned int a, unsigned int b, int is_true)
+	{
+	unsigned char c = op(a, b);
+	if (is_true && c != CONSTTIME_TRUE_8)
+		{
+		fprintf(stderr, "Test failed for %s(%du, %du): expected %u "
+			"(TRUE), got %u\n", op_name, a, b, CONSTTIME_TRUE_8, c);
+		return 1;
+		}
+	else if (!is_true && c != CONSTTIME_FALSE_8)
+		{
+		fprintf(stderr, "Test failed for  %s(%du, %du): expected %u "
+			"(FALSE), got %u\n", op_name, a, b, CONSTTIME_FALSE_8,
+			c);
+		return 1;
+		}
+        return 0;
+	}
+
+static int test_is_zero(unsigned int a)
+	{
+	unsigned int c = constant_time_is_zero(a);
+	if (a == 0 && c != CONSTTIME_TRUE)
+		{
+		fprintf(stderr, "Test failed for constant_time_is_zero(%du): "
+			"expected %du (TRUE), got %du\n", a, CONSTTIME_TRUE, c);
+		return 1;
+		}
+	else if (a != 0 && c != CONSTTIME_FALSE)
+		{
+		fprintf(stderr, "Test failed for constant_time_is_zero(%du): "
+			"expected %du (FALSE), got %du\n", a, CONSTTIME_FALSE,
+			c);
+		return 1;
+		}
+        return 0;
+	}
+
+static int test_is_zero_8(unsigned int a)
+	{
+	unsigned char c = constant_time_is_zero_8(a);
+	if (a == 0 && c != CONSTTIME_TRUE_8)
+		{
+		fprintf(stderr, "Test failed for constant_time_is_zero(%du): "
+			"expected %u (TRUE), got %u\n", a, CONSTTIME_TRUE_8, c);
+		return 1;
+		}
+	else if (a != 0 && c != CONSTTIME_FALSE)
+		{
+		fprintf(stderr, "Test failed for constant_time_is_zero(%du): "
+			"expected %u (FALSE), got %u\n", a, CONSTTIME_FALSE_8,
+			c);
+		return 1;
+		}
+        return 0;
+	}
+
+static int test_select(unsigned int a, unsigned int b)
+	{
+	unsigned int selected = constant_time_select(CONSTTIME_TRUE, a, b);
+	if (selected != a)
+		{
+		fprintf(stderr, "Test failed for constant_time_select(%du, %du,"
+			"%du): expected %du(first value), got %du\n",
+			CONSTTIME_TRUE, a, b, a, selected);
+		return 1;
+		}
+	selected = constant_time_select(CONSTTIME_FALSE, a, b);
+	if (selected != b)
+		{
+		fprintf(stderr, "Test failed for constant_time_select(%du, %du,"
+			"%du): expected %du(second value), got %du\n",
+			CONSTTIME_FALSE, a, b, b, selected);
+		return 1;
+		}
+	return 0;
+	}
+
+static int test_select_8(unsigned char a, unsigned char b)
+	{
+	unsigned char selected = constant_time_select_8(CONSTTIME_TRUE_8, a, b);
+	if (selected != a)
+		{
+		fprintf(stderr, "Test failed for constant_time_select(%u, %u,"
+			"%u): expected %u(first value), got %u\n",
+			CONSTTIME_TRUE, a, b, a, selected);
+		return 1;
+		}
+	selected = constant_time_select_8(CONSTTIME_FALSE_8, a, b);
+	if (selected != b)
+		{
+		fprintf(stderr, "Test failed for constant_time_select(%u, %u,"
+			"%u): expected %u(second value), got %u\n",
+			CONSTTIME_FALSE, a, b, b, selected);
+		return 1;
+		}
+	return 0;
+	}
+
+static int test_select_int(int a, int b)
+	{
+	int selected = constant_time_select_int(CONSTTIME_TRUE, a, b);
+	if (selected != a)
+		{
+		fprintf(stderr, "Test failed for constant_time_select(%du, %d,"
+			"%d): expected %d(first value), got %d\n",
+			CONSTTIME_TRUE, a, b, a, selected);
+		return 1;
+		}
+	selected = constant_time_select_int(CONSTTIME_FALSE, a, b);
+	if (selected != b)
+		{
+		fprintf(stderr, "Test failed for constant_time_select(%du, %d,"
+			"%d): expected %d(second value), got %d\n",
+			CONSTTIME_FALSE, a, b, b, selected);
+		return 1;
+		}
+	return 0;
+	}
+
+static int test_eq_int(int a, int b)
+	{
+	unsigned int equal = constant_time_eq_int(a, b);
+	if (a == b && equal != CONSTTIME_TRUE)
+		{
+		fprintf(stderr, "Test failed for constant_time_eq_int(%d, %d): "
+			"expected %du(TRUE), got %du\n",
+			a, b, CONSTTIME_TRUE, equal);
+		return 1;
+		}
+	else if (a != b && equal != CONSTTIME_FALSE)
+		{
+		fprintf(stderr, "Test failed for constant_time_eq_int(%d, %d): "
+			"expected %du(FALSE), got %du\n",
+			a, b, CONSTTIME_FALSE, equal);
+		return 1;
+		}
+	return 0;
+	}
+
+static int test_eq_int_8(int a, int b)
+	{
+	unsigned char equal = constant_time_eq_int_8(a, b);
+	if (a == b && equal != CONSTTIME_TRUE_8)
+		{
+		fprintf(stderr, "Test failed for constant_time_eq_int_8(%d, %d): "
+			"expected %u(TRUE), got %u\n",
+			a, b, CONSTTIME_TRUE_8, equal);
+		return 1;
+		}
+	else if (a != b && equal != CONSTTIME_FALSE_8)
+		{
+		fprintf(stderr, "Test failed for constant_time_eq_int_8(%d, %d): "
+			"expected %u(FALSE), got %u\n",
+			a, b, CONSTTIME_FALSE_8, equal);
+		return 1;
+		}
+	return 0;
+	}
+
+static unsigned int test_values[] = {0, 1, 1024, 12345, 32000, UINT_MAX/2-1,
+                                     UINT_MAX/2, UINT_MAX/2+1, UINT_MAX-1,
+                                     UINT_MAX};
+
+static unsigned char test_values_8[] = {0, 1, 2, 20, 32, 127, 128, 129, 255};
+
+static int signed_test_values[] = {0, 1, -1, 1024, -1024, 12345, -12345,
+				   32000, -32000, INT_MAX, INT_MIN, INT_MAX-1,
+				   INT_MIN+1};
+
+
+int main(int argc, char *argv[])
+	{
+	unsigned int a, b, i, j;
+	int c, d;
+	unsigned char e, f;
+	int num_failed = 0, num_all = 0;
+	fprintf(stdout, "Testing constant time operations...\n");
+
+	for (i = 0; i < sizeof(test_values)/sizeof(int); ++i)
+		{
+		a = test_values[i];
+		num_failed += test_is_zero(a);
+		num_failed += test_is_zero_8(a);
+		num_all += 2;
+		for (j = 0; j < sizeof(test_values)/sizeof(int); ++j)
+			{
+			b = test_values[j];
+			num_failed += test_binary_op(&constant_time_lt,
+				"constant_time_lt", a, b, a < b);
+			num_failed += test_binary_op_8(&constant_time_lt_8,
+				"constant_time_lt_8", a, b, a < b);
+			num_failed += test_binary_op(&constant_time_lt,
+				"constant_time_lt_8", b, a, b < a);
+			num_failed += test_binary_op_8(&constant_time_lt_8,
+				"constant_time_lt_8", b, a, b < a);
+			num_failed += test_binary_op(&constant_time_ge,
+				"constant_time_ge", a, b, a >= b);
+			num_failed += test_binary_op_8(&constant_time_ge_8,
+				"constant_time_ge_8", a, b, a >= b);
+			num_failed += test_binary_op(&constant_time_ge,
+				"constant_time_ge", b, a, b >= a);
+			num_failed += test_binary_op_8(&constant_time_ge_8,
+				"constant_time_ge_8", b, a, b >= a);
+			num_failed += test_binary_op(&constant_time_eq,
+				"constant_time_eq", a, b, a == b);
+			num_failed += test_binary_op_8(&constant_time_eq_8,
+				"constant_time_eq_8", a, b, a == b);
+			num_failed += test_binary_op(&constant_time_eq,
+				"constant_time_eq", b, a, b == a);
+			num_failed += test_binary_op_8(&constant_time_eq_8,
+				"constant_time_eq_8", b, a, b == a);
+			num_failed += test_select(a, b);
+			num_all += 13;
+			}
+		}
+
+	for (i = 0; i < sizeof(signed_test_values)/sizeof(int); ++i)
+		{
+		c = signed_test_values[i];
+		for (j = 0; j < sizeof(signed_test_values)/sizeof(int); ++j)
+			{
+			d = signed_test_values[j];
+			num_failed += test_select_int(c, d);
+			num_failed += test_eq_int(c, d);
+			num_failed += test_eq_int_8(c, d);
+			num_all += 3;
+			}
+		}
+
+	for (i = 0; i < sizeof(test_values_8); ++i)
+		{
+		e = test_values_8[i];
+		for (j = 0; j < sizeof(test_values_8); ++j)
+			{
+			f = test_values_8[j];
+			num_failed += test_select_8(e, f);
+			num_all += 1;
+			}
+		}
+
+	if (!num_failed)
+		{
+		fprintf(stdout, "ok (ran %d tests)\n", num_all);
+		return EXIT_SUCCESS;
+		}
+	else
+		{
+		fprintf(stdout, "%d of %d tests failed!\n", num_failed, num_all);
+		return EXIT_FAILURE;
+		}
+	}
diff --git a/crypto/openssl/crypto/cryptlib.c b/crypto/openssl/crypto/cryptlib.c
index 304c6b70627b..0b77d8b7d0e0 100644
--- a/crypto/openssl/crypto/cryptlib.c
+++ b/crypto/openssl/crypto/cryptlib.c
@@ -889,7 +889,7 @@ void OPENSSL_showfatal (const char *fmta,...)
 
 #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
     /* this -------------v--- guards NT-specific calls */
-    if (GetVersion() < 0x80000000 && OPENSSL_isservice() > 0)
+    if (check_winnt() && OPENSSL_isservice() > 0)
     {	HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
 	const TCHAR *pmsg=buf;
 	ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
diff --git a/crypto/openssl/crypto/cversion.c b/crypto/openssl/crypto/cversion.c
index ea9f25fd1666..881957e8923e 100644
--- a/crypto/openssl/crypto/cversion.c
+++ b/crypto/openssl/crypto/cversion.c
@@ -69,10 +69,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_BUILT_ON)
 		{
 #ifdef DATE
-		static char buf[sizeof(DATE)+11];
-
-		BIO_snprintf(buf,sizeof buf,"built on: %s",DATE);
-		return(buf);
+		return(DATE);
 #else
 		return("built on: date not available");
 #endif
@@ -80,10 +77,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_CFLAGS)
 		{
 #ifdef CFLAGS
-		static char buf[sizeof(CFLAGS)+11];
-
-		BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS);
-		return(buf);
+		return(CFLAGS);
 #else
 		return("compiler: information not available");
 #endif
@@ -91,10 +85,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_PLATFORM)
 		{
 #ifdef PLATFORM
-		static char buf[sizeof(PLATFORM)+11];
-
-		BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM);
-		return(buf);
+		return(PLATFORM);
 #else
 		return("platform: information not available");
 #endif
diff --git a/crypto/openssl/crypto/dsa/dsa_ameth.c b/crypto/openssl/crypto/dsa/dsa_ameth.c
index 376156ec5ef3..5af76eade59a 100644
--- a/crypto/openssl/crypto/dsa/dsa_ameth.c
+++ b/crypto/openssl/crypto/dsa/dsa_ameth.c
@@ -307,6 +307,12 @@ static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 	unsigned char *dp = NULL;
 	int dplen;
 
+	if (!pkey->pkey.dsa || !pkey->pkey.dsa->priv_key)
+		{
+		DSAerr(DSA_F_DSA_PRIV_ENCODE,DSA_R_MISSING_PARAMETERS);
+		goto err;
+		}
+
 	params = ASN1_STRING_new();
 
 	if (!params)
@@ -701,4 +707,3 @@ const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] =
 		old_dsa_priv_encode
 		}
 	};
-
diff --git a/crypto/openssl/crypto/dso/dso_dlfcn.c b/crypto/openssl/crypto/dso/dso_dlfcn.c
index 5f2254806ca9..faa9d76b4270 100644
--- a/crypto/openssl/crypto/dso/dso_dlfcn.c
+++ b/crypto/openssl/crypto/dso/dso_dlfcn.c
@@ -60,10 +60,8 @@
    that handle _GNU_SOURCE and other similar macros.  Defining it later
    is simply too late, because those headers are protected from re-
    inclusion.  */
-#ifdef __linux
-# ifndef _GNU_SOURCE
-#  define _GNU_SOURCE	/* make sure dladdr is declared */
-# endif
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE	/* make sure dladdr is declared */
 #endif
 
 #include <stdio.h>
@@ -464,7 +462,7 @@ static int dlfcn_pathbyaddr(void *addr,char *path,int sz)
 		return len;
 		}
 
-	ERR_add_error_data(4, "dlfcn_pathbyaddr(): ", dlerror());
+	ERR_add_error_data(2, "dlfcn_pathbyaddr(): ", dlerror());
 #endif
 	return -1;
 	}
diff --git a/crypto/openssl/crypto/ebcdic.h b/crypto/openssl/crypto/ebcdic.h
index 6d65afcf9e75..85f3cf7f66b9 100644
--- a/crypto/openssl/crypto/ebcdic.h
+++ b/crypto/openssl/crypto/ebcdic.h
@@ -5,6 +5,10 @@
 
 #include <sys/types.h>
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 /* Avoid name clashes with other applications */
 #define os_toascii   _openssl_os_toascii
 #define os_toebcdic  _openssl_os_toebcdic
@@ -16,4 +20,7 @@ extern const unsigned char os_toebcdic[256];
 void *ebcdic2ascii(void *dest, const void *srce, size_t count);
 void *ascii2ebcdic(void *dest, const void *srce, size_t count);
 
+#ifdef  __cplusplus
+}
+#endif
 #endif
diff --git a/crypto/openssl/crypto/ec/ec.h b/crypto/openssl/crypto/ec/ec.h
index dfe8710d3309..572111f16cd1 100644
--- a/crypto/openssl/crypto/ec/ec.h
+++ b/crypto/openssl/crypto/ec/ec.h
@@ -629,7 +629,7 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN
 int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
 int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
 
-/** Computes r = generator * n sum_{i=0}^num p[i] * m[i]
+/** Computes r = generator * n sum_{i=0}^{num-1} p[i] * m[i]
  *  \param  group  underlying EC_GROUP object
  *  \param  r      EC_POINT object for the result
  *  \param  n      BIGNUM with the multiplier for the group generator (optional)
diff --git a/crypto/openssl/crypto/ec/ec2_smpl.c b/crypto/openssl/crypto/ec/ec2_smpl.c
index e0e59c7d8299..62223cbb01f2 100644
--- a/crypto/openssl/crypto/ec/ec2_smpl.c
+++ b/crypto/openssl/crypto/ec/ec2_smpl.c
@@ -80,9 +80,6 @@
 
 const EC_METHOD *EC_GF2m_simple_method(void)
 	{
-#ifdef OPENSSL_FIPS
-	return fips_ec_gf2m_simple_method();
-#else
 	static const EC_METHOD ret = {
 		EC_FLAGS_DEFAULT_OCT,
 		NID_X9_62_characteristic_two_field,
@@ -125,8 +122,12 @@ const EC_METHOD *EC_GF2m_simple_method(void)
 		0 /* field_decode */,
 		0 /* field_set_to_one */ };
 
-	return &ret;
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode())
+		return fips_ec_gf2m_simple_method();
 #endif
+
+	return &ret;
 	}
 
 
diff --git a/crypto/openssl/crypto/ec/ec_ameth.c b/crypto/openssl/crypto/ec/ec_ameth.c
index 83909c185359..11283769b939 100644
--- a/crypto/openssl/crypto/ec/ec_ameth.c
+++ b/crypto/openssl/crypto/ec/ec_ameth.c
@@ -88,7 +88,7 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
 		if (!pstr)
 			return 0;
 		pstr->length = i2d_ECParameters(ec_key, &pstr->data);
-		if (pstr->length < 0)
+		if (pstr->length <= 0)
 			{
 			ASN1_STRING_free(pstr);
 			ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB);
@@ -352,6 +352,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
 		EC_KEY_set_enc_flags(ec_key, old_flags);
 		OPENSSL_free(ep);
 		ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
+		return 0;
 	}
 	/* restore old encoding flags */
 	EC_KEY_set_enc_flags(ec_key, old_flags);
@@ -452,14 +453,16 @@ static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype)
 	if (ktype > 0)
 		{
 		public_key = EC_KEY_get0_public_key(x);
-		if ((pub_key = EC_POINT_point2bn(group, public_key,
-			EC_KEY_get_conv_form(x), NULL, ctx)) == NULL)
+		if (public_key != NULL)
 			{
-			reason = ERR_R_EC_LIB;
-			goto err;
-			}
-		if (pub_key)
+			if ((pub_key = EC_POINT_point2bn(group, public_key,
+				EC_KEY_get_conv_form(x), NULL, ctx)) == NULL)
+				{
+				reason = ERR_R_EC_LIB;
+				goto err;
+				}
 			buf_len = (size_t)BN_num_bytes(pub_key);
+			}
 		}
 
 	if (ktype == 2)
diff --git a/crypto/openssl/crypto/ec/ec_asn1.c b/crypto/openssl/crypto/ec/ec_asn1.c
index 175eec53428b..52d31c2f9642 100644
--- a/crypto/openssl/crypto/ec/ec_asn1.c
+++ b/crypto/openssl/crypto/ec/ec_asn1.c
@@ -89,7 +89,8 @@ int EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
 	if (group == NULL)
 		return 0;
 
-	if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+	    NID_X9_62_characteristic_two_field
 	    || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0)))
 		{
 		ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -107,7 +108,8 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
 	if (group == NULL)
 		return 0;
 
-	if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+	    NID_X9_62_characteristic_two_field
 	    || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0)))
 		{
 		ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -1181,29 +1183,46 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
 		goto err;
 		}
 
+	if (ret->pub_key)
+		EC_POINT_clear_free(ret->pub_key);
+	ret->pub_key = EC_POINT_new(ret->group);
+	if (ret->pub_key == NULL)
+		{
+		ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+		goto err;
+		}
+
 	if (priv_key->publicKey)
 		{
 		const unsigned char *pub_oct;
-		size_t pub_oct_len;
+		int pub_oct_len;
 
-		if (ret->pub_key)
-			EC_POINT_clear_free(ret->pub_key);
-		ret->pub_key = EC_POINT_new(ret->group);
-		if (ret->pub_key == NULL)
+		pub_oct     = M_ASN1_STRING_data(priv_key->publicKey);
+		pub_oct_len = M_ASN1_STRING_length(priv_key->publicKey);
+		/* The first byte - point conversion form - must be present. */
+                if (pub_oct_len <= 0)
 			{
-			ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+			ECerr(EC_F_D2I_ECPRIVATEKEY, EC_R_BUFFER_TOO_SMALL);
 			goto err;
 			}
-		pub_oct     = M_ASN1_STRING_data(priv_key->publicKey);
-		pub_oct_len = M_ASN1_STRING_length(priv_key->publicKey);
-		/* save the point conversion form */
+		/* Save the point conversion form. */
 		ret->conv_form = (point_conversion_form_t)(pub_oct[0] & ~0x01);
 		if (!EC_POINT_oct2point(ret->group, ret->pub_key,
-			pub_oct, pub_oct_len, NULL))
+					pub_oct, (size_t)(pub_oct_len), NULL))
+			{
+			ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+			goto err;
+			}
+		}
+	else
+		{
+		if (!EC_POINT_mul(ret->group, ret->pub_key, ret->priv_key, NULL, NULL, NULL))
 			{
 			ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
 			goto err;
 			}
+		/* Remember the original private-key-only encoding. */
+		ret->enc_flag |= EC_PKEY_NO_PUBKEY;
 		}
 
 	ok = 1;
@@ -1228,7 +1247,8 @@ int	i2d_ECPrivateKey(EC_KEY *a, unsigned char **out)
 	size_t          buf_len=0, tmp_len;
 	EC_PRIVATEKEY   *priv_key=NULL;
 
-	if (a == NULL || a->group == NULL || a->priv_key == NULL)
+	if (a == NULL || a->group == NULL || a->priv_key == NULL ||
+	    (!(a->enc_flag & EC_PKEY_NO_PUBKEY) && a->pub_key == NULL))
 		{
 		ECerr(EC_F_I2D_ECPRIVATEKEY,
                       ERR_R_PASSED_NULL_PARAMETER);
@@ -1433,8 +1453,11 @@ int i2o_ECPublicKey(EC_KEY *a, unsigned char **out)
 				*out, buf_len, NULL))
 		{
 		ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
-		OPENSSL_free(*out);
-		*out = NULL;
+		if (new_buffer)
+			{
+			OPENSSL_free(*out);
+			*out = NULL;
+			}
 		return 0;
 		}
 	if (!new_buffer)
diff --git a/crypto/openssl/crypto/ec/ec_lcl.h b/crypto/openssl/crypto/ec/ec_lcl.h
index da7967df38a3..b0d48b6b5cc7 100644
--- a/crypto/openssl/crypto/ec/ec_lcl.h
+++ b/crypto/openssl/crypto/ec/ec_lcl.h
@@ -404,7 +404,7 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
 int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
 
-#ifndef OPENSSL_EC_NISTP_64_GCC_128
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 /* method functions in ecp_nistp224.c */
 int ec_GFp_nistp224_group_init(EC_GROUP *group);
 int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);
diff --git a/crypto/openssl/crypto/ec/ec_lib.c b/crypto/openssl/crypto/ec/ec_lib.c
index 25247b580332..0992c393b0f4 100644
--- a/crypto/openssl/crypto/ec/ec_lib.c
+++ b/crypto/openssl/crypto/ec/ec_lib.c
@@ -68,7 +68,7 @@
 
 #include "ec_lcl.h"
 
-static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
+const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
 
 
 /* functions for EC_GROUP objects */
@@ -480,10 +480,10 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
 	if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) !=
 	    EC_METHOD_get_field_type(EC_GROUP_method_of(b)))
 		return 1;
-	/* compare the curve name (if present) */
+	/* compare the curve name (if present in both) */
 	if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) &&
-	    EC_GROUP_get_curve_name(a) == EC_GROUP_get_curve_name(b))
-		return 0;
+	    EC_GROUP_get_curve_name(a) != EC_GROUP_get_curve_name(b))
+		return 1;
 
 	if (!ctx)
 		ctx_new = ctx = BN_CTX_new();
@@ -942,7 +942,7 @@ int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *
 
 int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
 	{
-	if (group->meth->dbl == 0)
+	if (group->meth->invert == 0)
 		{
 		ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return 0;
@@ -993,12 +993,12 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN
 	if (group->meth->point_cmp == 0)
 		{
 		ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-		return 0;
+		return -1;
 		}
 	if ((group->meth != a->meth) || (a->meth != b->meth))
 		{
 		ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
-		return 0;
+		return -1;
 		}
 	return group->meth->point_cmp(group, a, b, ctx);
 	}
diff --git a/crypto/openssl/crypto/ec/ec_mult.c b/crypto/openssl/crypto/ec/ec_mult.c
index 19f21675fbd8..e81200b25535 100644
--- a/crypto/openssl/crypto/ec/ec_mult.c
+++ b/crypto/openssl/crypto/ec/ec_mult.c
@@ -445,15 +445,16 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
 	wNAF     = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space for pivot */
 	val_sub  = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
-		 
+
+	/* Ensure wNAF is initialised in case we end up going to err */
+	if (wNAF) wNAF[0] = NULL;	/* preliminary pivot */
+
 	if (!wsize || !wNAF_len || !wNAF || !val_sub)
 		{
 		ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 
-	wNAF[0] = NULL;	/* preliminary pivot */
-
 	/* num_val will be the total number of temporarily precomputed points */
 	num_val = 0;
 
diff --git a/crypto/openssl/crypto/ec/ec_pmeth.c b/crypto/openssl/crypto/ec/ec_pmeth.c
index 66ee397d86c4..b62b532cf869 100644
--- a/crypto/openssl/crypto/ec/ec_pmeth.c
+++ b/crypto/openssl/crypto/ec/ec_pmeth.c
@@ -167,6 +167,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_ECDH
 static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	{
 	int ret;
@@ -200,6 +201,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	*keylen = ret;
 	return 1;
 	}
+#endif
 
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 	{
@@ -333,7 +335,11 @@ const EVP_PKEY_METHOD ec_pkey_meth =
 	0,0,
 
 	0,
+#ifndef OPENSSL_NO_ECDH
 	pkey_ec_derive,
+#else
+	0,
+#endif
 
 	pkey_ec_ctrl,
 	pkey_ec_ctrl_str
diff --git a/crypto/openssl/crypto/ec/ecp_mont.c b/crypto/openssl/crypto/ec/ecp_mont.c
index f04f132c7ad6..3c5ec1965ac8 100644
--- a/crypto/openssl/crypto/ec/ecp_mont.c
+++ b/crypto/openssl/crypto/ec/ecp_mont.c
@@ -72,9 +72,6 @@
 
 const EC_METHOD *EC_GFp_mont_method(void)
 	{
-#ifdef OPENSSL_FIPS
-	return fips_ec_gfp_mont_method();
-#else
 	static const EC_METHOD ret = {
 		EC_FLAGS_DEFAULT_OCT,
 		NID_X9_62_prime_field,
@@ -114,8 +111,12 @@ const EC_METHOD *EC_GFp_mont_method(void)
 		ec_GFp_mont_field_decode,
 		ec_GFp_mont_field_set_to_one };
 
-	return &ret;
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode())
+		return fips_ec_gfp_mont_method();
 #endif
+
+	return &ret;
 	}
 
 
diff --git a/crypto/openssl/crypto/ec/ecp_nist.c b/crypto/openssl/crypto/ec/ecp_nist.c
index aad2d5f44389..db3b99e06a5f 100644
--- a/crypto/openssl/crypto/ec/ecp_nist.c
+++ b/crypto/openssl/crypto/ec/ecp_nist.c
@@ -73,9 +73,6 @@
 
 const EC_METHOD *EC_GFp_nist_method(void)
 	{
-#ifdef OPENSSL_FIPS
-	return fips_ec_gfp_nist_method();
-#else
 	static const EC_METHOD ret = {
 		EC_FLAGS_DEFAULT_OCT,
 		NID_X9_62_prime_field,
@@ -115,8 +112,12 @@ const EC_METHOD *EC_GFp_nist_method(void)
 		0 /* field_decode */,
 		0 /* field_set_to_one */ };
 
-	return &ret;
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode())
+		return fips_ec_gfp_nist_method();
 #endif
+
+	return &ret;
 	}
 
 int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
diff --git a/crypto/openssl/crypto/ec/ecp_nistp256.c b/crypto/openssl/crypto/ec/ecp_nistp256.c
index 4bc0f5dce022..b884f73d31c0 100644
--- a/crypto/openssl/crypto/ec/ecp_nistp256.c
+++ b/crypto/openssl/crypto/ec/ecp_nistp256.c
@@ -113,7 +113,6 @@ typedef u64 smallfelem[NLIMBS];
 
 /* This is the value of the prime as four 64-bit words, little-endian. */
 static const u64 kPrime[4] = { 0xfffffffffffffffful, 0xffffffff, 0, 0xffffffff00000001ul };
-static const limb bottom32bits = 0xffffffff;
 static const u64 bottom63bits = 0x7ffffffffffffffful;
 
 /* bin32_to_felem takes a little-endian byte array and converts it into felem
diff --git a/crypto/openssl/crypto/ec/ecp_smpl.c b/crypto/openssl/crypto/ec/ecp_smpl.c
index 7cbb321f9aae..2d1f35768623 100644
--- a/crypto/openssl/crypto/ec/ecp_smpl.c
+++ b/crypto/openssl/crypto/ec/ecp_smpl.c
@@ -73,9 +73,6 @@
 
 const EC_METHOD *EC_GFp_simple_method(void)
 	{
-#ifdef OPENSSL_FIPS
-	return fips_ec_gfp_simple_method();
-#else
 	static const EC_METHOD ret = {
 		EC_FLAGS_DEFAULT_OCT,
 		NID_X9_62_prime_field,
@@ -115,8 +112,12 @@ const EC_METHOD *EC_GFp_simple_method(void)
 		0 /* field_decode */,
 		0 /* field_set_to_one */ };
 
-	return &ret;
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode())
+		return fips_ec_gfp_simple_method();
 #endif
+
+	return &ret;
 	}
 
 
@@ -1181,9 +1182,8 @@ int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ct
 int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
 	{
 	BN_CTX *new_ctx = NULL;
-	BIGNUM *tmp0, *tmp1;
-	size_t pow2 = 0;
-	BIGNUM **heap = NULL;
+	BIGNUM *tmp, *tmp_Z;
+	BIGNUM **prod_Z = NULL;
 	size_t i;
 	int ret = 0;
 
@@ -1198,124 +1198,104 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT
 		}
 
 	BN_CTX_start(ctx);
-	tmp0 = BN_CTX_get(ctx);
-	tmp1 = BN_CTX_get(ctx);
-	if (tmp0  == NULL || tmp1 == NULL) goto err;
+	tmp = BN_CTX_get(ctx);
+	tmp_Z = BN_CTX_get(ctx);
+	if (tmp == NULL || tmp_Z == NULL) goto err;
 
-	/* Before converting the individual points, compute inverses of all Z values.
-	 * Modular inversion is rather slow, but luckily we can do with a single
-	 * explicit inversion, plus about 3 multiplications per input value.
-	 */
+	prod_Z = OPENSSL_malloc(num * sizeof prod_Z[0]);
+	if (prod_Z == NULL) goto err;
+	for (i = 0; i < num; i++)
+		{
+		prod_Z[i] = BN_new();
+		if (prod_Z[i] == NULL) goto err;
+		}
 
-	pow2 = 1;
-	while (num > pow2)
-		pow2 <<= 1;
-	/* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
-	 * We need twice that. */
-	pow2 <<= 1;
+	/* Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
+	 * skipping any zero-valued inputs (pretend that they're 1). */
 
-	heap = OPENSSL_malloc(pow2 * sizeof heap[0]);
-	if (heap == NULL) goto err;
-	
-	/* The array is used as a binary tree, exactly as in heapsort:
-	 *
-	 *                               heap[1]
-	 *                 heap[2]                     heap[3]
-	 *          heap[4]       heap[5]       heap[6]       heap[7]
-	 *   heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
-	 *
-	 * We put the Z's in the last line;
-	 * then we set each other node to the product of its two child-nodes (where
-	 * empty or 0 entries are treated as ones);
-	 * then we invert heap[1];
-	 * then we invert each other node by replacing it by the product of its
-	 * parent (after inversion) and its sibling (before inversion).
-	 */
-	heap[0] = NULL;
-	for (i = pow2/2 - 1; i > 0; i--)
-		heap[i] = NULL;
-	for (i = 0; i < num; i++)
-		heap[pow2/2 + i] = &points[i]->Z;
-	for (i = pow2/2 + num; i < pow2; i++)
-		heap[i] = NULL;
-	
-	/* set each node to the product of its children */
-	for (i = pow2/2 - 1; i > 0; i--)
+	if (!BN_is_zero(&points[0]->Z))
 		{
-		heap[i] = BN_new();
-		if (heap[i] == NULL) goto err;
-		
-		if (heap[2*i] != NULL)
+		if (!BN_copy(prod_Z[0], &points[0]->Z)) goto err;
+		}
+	else
+		{
+		if (group->meth->field_set_to_one != 0)
 			{
-			if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1]))
-				{
-				if (!BN_copy(heap[i], heap[2*i])) goto err;
-				}
-			else
-				{
-				if (BN_is_zero(heap[2*i]))
-					{
-					if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
-					}
-				else
-					{
-					if (!group->meth->field_mul(group, heap[i],
-						heap[2*i], heap[2*i + 1], ctx)) goto err;
-					}
-				}
+			if (!group->meth->field_set_to_one(group, prod_Z[0], ctx)) goto err;
+			}
+		else
+			{
+			if (!BN_one(prod_Z[0])) goto err;
 			}
 		}
 
-	/* invert heap[1] */
-	if (!BN_is_zero(heap[1]))
+	for (i = 1; i < num; i++)
 		{
-		if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
+		if (!BN_is_zero(&points[i]->Z))
 			{
-			ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
-			goto err;
+			if (!group->meth->field_mul(group, prod_Z[i], prod_Z[i - 1], &points[i]->Z, ctx)) goto err;
+			}
+		else
+			{
+			if (!BN_copy(prod_Z[i], prod_Z[i - 1])) goto err;
 			}
 		}
+
+	/* Now use a single explicit inversion to replace every
+	 * non-zero points[i]->Z by its inverse. */
+
+	if (!BN_mod_inverse(tmp, prod_Z[num - 1], &group->field, ctx))
+		{
+		ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
+		goto err;
+		}
 	if (group->meth->field_encode != 0)
 		{
-		/* in the Montgomery case, we just turned  R*H  (representing H)
+		/* In the Montgomery case, we just turned  R*H  (representing H)
 		 * into  1/(R*H),  but we need  R*(1/H)  (representing 1/H);
-		 * i.e. we have need to multiply by the Montgomery factor twice */
-		if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
-		if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
+		 * i.e. we need to multiply by the Montgomery factor twice. */
+		if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err;
+		if (!group->meth->field_encode(group, tmp, tmp, ctx)) goto err;
 		}
 
-	/* set other heap[i]'s to their inverses */
-	for (i = 2; i < pow2/2 + num; i += 2)
+	for (i = num - 1; i > 0; --i)
 		{
-		/* i is even */
-		if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1]))
-			{
-			if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err;
-			if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err;
-			if (!BN_copy(heap[i], tmp0)) goto err;
-			if (!BN_copy(heap[i + 1], tmp1)) goto err;
-			}
-		else
+		/* Loop invariant: tmp is the product of the inverses of
+		 * points[0]->Z .. points[i]->Z (zero-valued inputs skipped). */
+		if (!BN_is_zero(&points[i]->Z))
 			{
-			if (!BN_copy(heap[i], heap[i/2])) goto err;
+			/* Set tmp_Z to the inverse of points[i]->Z (as product
+			 * of Z inverses 0 .. i, Z values 0 .. i - 1). */
+			if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx)) goto err;
+			/* Update tmp to satisfy the loop invariant for i - 1. */
+			if (!group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx)) goto err;
+			/* Replace points[i]->Z by its inverse. */
+			if (!BN_copy(&points[i]->Z, tmp_Z)) goto err;
 			}
 		}
 
-	/* we have replaced all non-zero Z's by their inverses, now fix up all the points */
+	if (!BN_is_zero(&points[0]->Z))
+		{
+		/* Replace points[0]->Z by its inverse. */
+		if (!BN_copy(&points[0]->Z, tmp)) goto err;
+		}
+
+	/* Finally, fix up the X and Y coordinates for all points. */
+
 	for (i = 0; i < num; i++)
 		{
 		EC_POINT *p = points[i];
-		
+
 		if (!BN_is_zero(&p->Z))
 			{
 			/* turn  (X, Y, 1/Z)  into  (X/Z^2, Y/Z^3, 1) */
 
-			if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err;
-			if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err;
+			if (!group->meth->field_sqr(group, tmp, &p->Z, ctx)) goto err;
+			if (!group->meth->field_mul(group, &p->X, &p->X, tmp, ctx)) goto err;
+
+			if (!group->meth->field_mul(group, tmp, tmp, &p->Z, ctx)) goto err;
+			if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp, ctx)) goto err;
 
-			if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err;
-			if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err;
-		
 			if (group->meth->field_set_to_one != 0)
 				{
 				if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
@@ -1329,20 +1309,19 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT
 		}
 
 	ret = 1;
-		
+
  err:
 	BN_CTX_end(ctx);
 	if (new_ctx != NULL)
 		BN_CTX_free(new_ctx);
-	if (heap != NULL)
+	if (prod_Z != NULL)
 		{
-		/* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
-		for (i = pow2/2 - 1; i > 0; i--)
+		for (i = 0; i < num; i++)
 			{
-			if (heap[i] != NULL)
-				BN_clear_free(heap[i]);
+			if (prod_Z[i] == NULL) break;
+			BN_clear_free(prod_Z[i]);
 			}
-		OPENSSL_free(heap);
+		OPENSSL_free(prod_Z);
 		}
 	return ret;
 	}
diff --git a/crypto/openssl/crypto/ec/ectest.c b/crypto/openssl/crypto/ec/ectest.c
index 102eaa9b2326..8e4154d86549 100644
--- a/crypto/openssl/crypto/ec/ectest.c
+++ b/crypto/openssl/crypto/ec/ectest.c
@@ -199,6 +199,7 @@ static void group_order_tests(EC_GROUP *group)
 	EC_POINT *P = EC_POINT_new(group);
 	EC_POINT *Q = EC_POINT_new(group);
 	BN_CTX *ctx = BN_CTX_new();
+	int i;
 
 	n1 = BN_new(); n2 = BN_new(); order = BN_new();
 	fprintf(stdout, "verify group order ...");
@@ -212,21 +213,56 @@ static void group_order_tests(EC_GROUP *group)
 	if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
 	if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
 	fprintf(stdout, " ok\n");
-	fprintf(stdout, "long/negative scalar tests ... ");
-	if (!BN_one(n1)) ABORT;
-	/* n1 = 1 - order */
-	if (!BN_sub(n1, n1, order)) ABORT;
-	if(!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) ABORT;
-	if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
-	/* n2 = 1 + order */
-	if (!BN_add(n2, order, BN_value_one())) ABORT;
-	if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
-	if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
-	/* n2 = (1 - order) * (1 + order) */
-	if (!BN_mul(n2, n1, n2, ctx)) ABORT;
-	if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
-	if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
+	fprintf(stdout, "long/negative scalar tests ");
+        for (i = 1; i <= 2; i++)
+		{
+		const BIGNUM *scalars[6];
+		const EC_POINT *points[6];
+
+		fprintf(stdout, i == 1 ?
+			"allowing precomputation ... " :
+			"without precomputation ... ");
+		if (!BN_set_word(n1, i)) ABORT;
+		/* If i == 1, P will be the predefined generator for which
+		 * EC_GROUP_precompute_mult has set up precomputation. */
+		if (!EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) ABORT;
+
+		if (!BN_one(n1)) ABORT;
+		/* n1 = 1 - order */
+		if (!BN_sub(n1, n1, order)) ABORT;
+		if (!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) ABORT;
+		if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
+
+		/* n2 = 1 + order */
+		if (!BN_add(n2, order, BN_value_one())) ABORT;
+		if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
+		if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
+
+		/* n2 = (1 - order) * (1 + order) = 1 - order^2 */
+		if (!BN_mul(n2, n1, n2, ctx)) ABORT;
+		if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
+		if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
+
+		/* n2 = order^2 - 1 */
+		BN_set_negative(n2, 0);
+		if (!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
+		/* Add P to verify the result. */
+		if (!EC_POINT_add(group, Q, Q, P, ctx)) ABORT;
+		if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+
+		/* Exercise EC_POINTs_mul, including corner cases. */
+		if (EC_POINT_is_at_infinity(group, P)) ABORT;
+		scalars[0] = n1; points[0] = Q; /* => infinity */
+		scalars[1] = n2; points[1] = P; /* => -P */
+		scalars[2] = n1; points[2] = Q; /* => infinity */
+		scalars[3] = n2; points[3] = Q; /* => infinity */
+		scalars[4] = n1; points[4] = P; /* => P */
+		scalars[5] = n2; points[5] = Q; /* => infinity */
+		if (!EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx)) ABORT;
+		if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+		}
 	fprintf(stdout, "ok\n");
+
 	EC_POINT_free(P);
 	EC_POINT_free(Q);
 	BN_free(n1);
@@ -1330,7 +1366,7 @@ static const struct nistp_test_params nistp_tests_params[] =
 		},
 	};
 
-void nistp_single_test(const struct nistp_test_params *test)
+static void nistp_single_test(const struct nistp_test_params *test)
 	{
 	BN_CTX *ctx;
 	BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
@@ -1433,7 +1469,7 @@ void nistp_single_test(const struct nistp_test_params *test)
 	BN_CTX_free(ctx);
 	}
 
-void nistp_tests()
+static void nistp_tests()
 	{
 	unsigned i;
 
diff --git a/crypto/openssl/crypto/ecdsa/ecs_vrf.c b/crypto/openssl/crypto/ecdsa/ecs_vrf.c
index 2836efe5eff2..188b9d57b40c 100644
--- a/crypto/openssl/crypto/ecdsa/ecs_vrf.c
+++ b/crypto/openssl/crypto/ecdsa/ecs_vrf.c
@@ -57,7 +57,7 @@
  */
 
 #include "ecs_locl.h"
-#include "cryptlib.h"
+#include <string.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
diff --git a/crypto/openssl/crypto/engine/eng_dyn.c b/crypto/openssl/crypto/engine/eng_dyn.c
index 807da7a5eb84..01db4556aaa0 100644
--- a/crypto/openssl/crypto/engine/eng_dyn.c
+++ b/crypto/openssl/crypto/engine/eng_dyn.c
@@ -114,9 +114,6 @@ static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
 		ENGINE_CMD_FLAG_NO_INPUT},
 	{0, NULL, NULL, 0}
 	};
-static const ENGINE_CMD_DEFN dynamic_cmd_defns_empty[] = {
-	{0, NULL, NULL, 0}
-	};
 
 /* Loading code stores state inside the ENGINE structure via the "ex_data"
  * element. We load all our state into a single structure and use that as a
diff --git a/crypto/openssl/crypto/engine/eng_list.c b/crypto/openssl/crypto/engine/eng_list.c
index 27846edb1e9a..95c858960b81 100644
--- a/crypto/openssl/crypto/engine/eng_list.c
+++ b/crypto/openssl/crypto/engine/eng_list.c
@@ -408,6 +408,7 @@ ENGINE *ENGINE_by_id(const char *id)
 				!ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) ||
 				!ENGINE_ctrl_cmd_string(iterator, "DIR_ADD",
 					load_dir, 0) ||
+				!ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) ||
 				!ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
 				goto notfound;
 		return iterator;
diff --git a/crypto/openssl/crypto/engine/eng_rdrand.c b/crypto/openssl/crypto/engine/eng_rdrand.c
index a9ba5ae6f9ff..4e9e91d54b13 100644
--- a/crypto/openssl/crypto/engine/eng_rdrand.c
+++ b/crypto/openssl/crypto/engine/eng_rdrand.c
@@ -104,6 +104,7 @@ static int bind_helper(ENGINE *e)
 	{
 	if (!ENGINE_set_id(e, engine_e_rdrand_id) ||
 	    !ENGINE_set_name(e, engine_e_rdrand_name) ||
+            !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) ||
 	    !ENGINE_set_init_function(e, rdrand_init) ||
 	    !ENGINE_set_RAND(e, &rdrand_meth) )
 		return 0;
diff --git a/crypto/openssl/crypto/evp/Makefile b/crypto/openssl/crypto/evp/Makefile
index 1e46cebf5e76..5d0c6b7db4c9 100644
--- a/crypto/openssl/crypto/evp/Makefile
+++ b/crypto/openssl/crypto/evp/Makefile
@@ -67,7 +67,7 @@ files:
 links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-	[ ! -f $(TESTDATA) ] || cp $(TESTDATA) ../../test
+	@[ -f $(TESTDATA) ] && cp $(TESTDATA) ../../test && echo "$(TESTDATA) -> ../../test/$(TESTDATA)"
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
diff --git a/crypto/openssl/crypto/evp/bio_b64.c b/crypto/openssl/crypto/evp/bio_b64.c
index 72a2a67277a3..16863fe23f0e 100644
--- a/crypto/openssl/crypto/evp/bio_b64.c
+++ b/crypto/openssl/crypto/evp/bio_b64.c
@@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl)
 		else if (ctx->start)
 			{
 			q=p=(unsigned char *)ctx->tmp;
+			num = 0;
 			for (j=0; j<i; j++)
 				{
 				if (*(q++) != '\n') continue;
@@ -264,7 +265,7 @@ static int b64_read(BIO *b, char *out, int outl)
 				}
 
 			/* we fell off the end without starting */
-			if (j == i)
+			if ((j == i) && (num == 0))
 				{
 				/* Is this is one long chunk?, if so, keep on
 				 * reading until a new line. */
diff --git a/crypto/openssl/crypto/evp/digest.c b/crypto/openssl/crypto/evp/digest.c
index 6fc469f9c452..d14e8e48d5af 100644
--- a/crypto/openssl/crypto/evp/digest.c
+++ b/crypto/openssl/crypto/evp/digest.c
@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
 
 void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
 	{
-	EVP_MD_CTX_cleanup(ctx);
-	OPENSSL_free(ctx);
+	if (ctx)
+		{
+		EVP_MD_CTX_cleanup(ctx);
+		OPENSSL_free(ctx);
+		}
 	}
 
 /* This call frees resources associated with the context */
diff --git a/crypto/openssl/crypto/evp/e_aes.c b/crypto/openssl/crypto/evp/e_aes.c
index 1bfb5d92b340..dc3c2a162a5e 100644
--- a/crypto/openssl/crypto/evp/e_aes.c
+++ b/crypto/openssl/crypto/evp/e_aes.c
@@ -166,7 +166,7 @@ extern unsigned int OPENSSL_ia32cap_P[2];
 #define VPAES_CAPABLE	(OPENSSL_ia32cap_P[1]&(1<<(41-32)))
 #endif
 #ifdef BSAES_ASM
-#define BSAES_CAPABLE	VPAES_CAPABLE
+#define BSAES_CAPABLE	(OPENSSL_ia32cap_P[1]&(1<<(41-32)))
 #endif
 /*
  * AES-NI section
@@ -808,6 +808,28 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 		/* Extra padding: tag appended to record */
 		return EVP_GCM_TLS_TAG_LEN;
 
+	case EVP_CTRL_COPY:
+		{
+			EVP_CIPHER_CTX *out = ptr;
+			EVP_AES_GCM_CTX *gctx_out = out->cipher_data;
+			if (gctx->gcm.key)
+				{
+				if (gctx->gcm.key != &gctx->ks)
+					return 0;
+				gctx_out->gcm.key = &gctx_out->ks;
+				}
+			if (gctx->iv == c->iv)
+				gctx_out->iv = out->iv;
+			else
+			{
+				gctx_out->iv = OPENSSL_malloc(gctx->ivlen);
+				if (!gctx_out->iv)
+					return 0;
+				memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
+			}
+			return 1;
+		}
+
 	default:
 		return -1;
 
@@ -842,7 +864,10 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			gctx->ctr = NULL;
 			break;
 			}
+		else
 #endif
+		(void)0;	/* terminate potentially open 'else' */
+
 		AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
 		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
 #ifdef AES_CTR_ASM
@@ -1029,7 +1054,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 #define CUSTOM_FLAGS	(EVP_CIPH_FLAG_DEFAULT_ASN1 \
 		| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
-		| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
+		| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
+		| EVP_CIPH_CUSTOM_COPY)
 
 BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
 		EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
@@ -1041,7 +1067,25 @@ BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 	{
 	EVP_AES_XTS_CTX *xctx = c->cipher_data;
-	if (type != EVP_CTRL_INIT)
+	if (type == EVP_CTRL_COPY)
+		{
+		EVP_CIPHER_CTX *out = ptr;
+		EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
+		if (xctx->xts.key1)
+			{
+			if (xctx->xts.key1 != &xctx->ks1)
+				return 0;
+			xctx_out->xts.key1 = &xctx_out->ks1;
+			}
+		if (xctx->xts.key2)
+			{
+			if (xctx->xts.key2 != &xctx->ks2)
+				return 0;
+			xctx_out->xts.key2 = &xctx_out->ks2;
+			}
+		return 1;
+		}
+	else if (type != EVP_CTRL_INIT)
 		return -1;
 	/* key1 and key2 are used as an indicator both key and IV are set */
 	xctx->xts.key1 = NULL;
@@ -1083,14 +1127,17 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			xctx->xts.block1 = (block128_f)vpaes_decrypt;
 			}
 
-		vpaes_set_encrypt_key(key + ctx->key_len/2,
+		    vpaes_set_encrypt_key(key + ctx->key_len/2,
 						ctx->key_len * 4, &xctx->ks2);
-		xctx->xts.block2 = (block128_f)vpaes_encrypt;
+		    xctx->xts.block2 = (block128_f)vpaes_encrypt;
 
-		xctx->xts.key1 = &xctx->ks1;
-		break;
-		}
+		    xctx->xts.key1 = &xctx->ks1;
+		    break;
+		    }
+		else
 #endif
+		(void)0;	/* terminate potentially open 'else' */
+
 		if (enc)
 			{
 			AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
@@ -1147,7 +1194,8 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #define aes_xts_cleanup NULL
 
 #define XTS_FLAGS	(EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
-			 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
+			 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
+			 | EVP_CIPH_CUSTOM_COPY)
 
 BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
 BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
@@ -1197,6 +1245,19 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 		cctx->len_set = 0;
 		return 1;
 
+	case EVP_CTRL_COPY:
+		{
+			EVP_CIPHER_CTX *out = ptr;
+			EVP_AES_CCM_CTX *cctx_out = out->cipher_data;
+			if (cctx->ccm.key)
+				{
+				if (cctx->ccm.key != &cctx->ks)
+					return 0;
+				cctx_out->ccm.key = &cctx_out->ks;
+				}
+			return 1;
+		}
+
 	default:
 		return -1;
 
diff --git a/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
index 483e04b605b7..fb2c884a7860 100644
--- a/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 				if (res!=SHA_CBLOCK) continue;
 
-				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+				/* j is not incremented yet */
+				mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
 				data->u[SHA_LBLOCK-1] |= bitlen&mask;
 				sha1_block_data_order(&key->md,data,1);
-				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+				mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
 				pmac->u[0] |= key->md.h0 & mask;
 				pmac->u[1] |= key->md.h1 & mask;
 				pmac->u[2] |= key->md.h2 & mask;
diff --git a/crypto/openssl/crypto/evp/e_des3.c b/crypto/openssl/crypto/evp/e_des3.c
index 1e699726627d..7e1e8b309caa 100644
--- a/crypto/openssl/crypto/evp/e_des3.c
+++ b/crypto/openssl/crypto/evp/e_des3.c
@@ -101,7 +101,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			      const unsigned char *in, size_t inl)
 {
-	if (inl>=EVP_MAXCHUNK)
+	while (inl>=EVP_MAXCHUNK)
 		{
 		DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK,
 			       &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -124,15 +124,14 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #ifdef KSSL_DEBUG
 	{
         int i;
-        char *cp;
-	printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", ctx, ctx->buf_len);
-	printf("\t iv= ");
+	fprintf(stderr,"des_ede_cbc_cipher(ctx=%p, buflen=%d)\n", ctx, ctx->buf_len);
+	fprintf(stderr,"\t iv= ");
         for(i=0;i<8;i++)
-                printf("%02X",ctx->iv[i]);
-	printf("\n");
+                fprintf(stderr,"%02X",ctx->iv[i]);
+	fprintf(stderr,"\n");
 	}
 #endif    /* KSSL_DEBUG */
-	if (inl>=EVP_MAXCHUNK)
+	while (inl>=EVP_MAXCHUNK)
 		{
 		DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK,
 			     &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -151,7 +150,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			      const unsigned char *in, size_t inl)
 {
-	if (inl>=EVP_MAXCHUNK)
+	while (inl>=EVP_MAXCHUNK)
 		{
 		DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, 
 			       &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -260,11 +259,14 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 #ifdef KSSL_DEBUG
 	{
         int i;
-        printf("des_ede3_init_key(ctx=%lx)\n", ctx);
-	printf("\tKEY= ");
-        for(i=0;i<24;i++) printf("%02X",key[i]); printf("\n");
-	printf("\t IV= ");
-        for(i=0;i<8;i++) printf("%02X",iv[i]); printf("\n");
+        fprintf(stderr,"des_ede3_init_key(ctx=%p)\n", ctx);
+	fprintf(stderr,"\tKEY= ");
+        for(i=0;i<24;i++) fprintf(stderr,"%02X",key[i]); fprintf(stderr,"\n");
+	if (iv) 
+		{
+		fprintf(stderr,"\t IV= ");
+		for(i=0;i<8;i++) fprintf(stderr,"%02X",iv[i]); fprintf(stderr,"\n");
+		}
 	}
 #endif	/* KSSL_DEBUG */
 
diff --git a/crypto/openssl/crypto/evp/encode.c b/crypto/openssl/crypto/evp/encode.c
index 28546a84bc2b..4654bdc61a64 100644
--- a/crypto/openssl/crypto/evp/encode.c
+++ b/crypto/openssl/crypto/evp/encode.c
@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 				v=EVP_DecodeBlock(out,d,n);
 				n=0;
 				if (v < 0) { rv=0; goto end; }
+				if (eof > v) { rv=-1; goto end; }
 				ret+=(v-eof);
 				}
 			else
diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c
index 0c54f05e6ef5..2e863ac54204 100644
--- a/crypto/openssl/crypto/evp/evp_enc.c
+++ b/crypto/openssl/crypto/evp/evp_enc.c
@@ -533,6 +533,11 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
+
+		/*
+		 * The following assumes that the ciphertext has been authenticated.
+		 * Otherwise it provides a padding oracle.
+		 */
 		n=ctx->final[b-1];
 		if (n == 0 || n > (int)b)
 			{
@@ -678,4 +683,3 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
 		return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);
 	return 1;
 	}
-
diff --git a/crypto/openssl/crypto/evp/evp_pbe.c b/crypto/openssl/crypto/evp/evp_pbe.c
index f8c32d825e79..596969594863 100644
--- a/crypto/openssl/crypto/evp/evp_pbe.c
+++ b/crypto/openssl/crypto/evp/evp_pbe.c
@@ -259,7 +259,7 @@ int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
 	{
 	int cipher_nid, md_nid;
 	if (cipher)
-		cipher_nid = EVP_CIPHER_type(cipher);
+		cipher_nid = EVP_CIPHER_nid(cipher);
 	else
 		cipher_nid = -1;
 	if (md)
diff --git a/crypto/openssl/crypto/evp/p5_crpt2.c b/crypto/openssl/crypto/evp/p5_crpt2.c
index 975d004df473..fe3c6c8813cb 100644
--- a/crypto/openssl/crypto/evp/p5_crpt2.c
+++ b/crypto/openssl/crypto/evp/p5_crpt2.c
@@ -85,19 +85,24 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
 	unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
 	int cplen, j, k, tkeylen, mdlen;
 	unsigned long i = 1;
-	HMAC_CTX hctx;
+	HMAC_CTX hctx_tpl, hctx;
 
 	mdlen = EVP_MD_size(digest);
 	if (mdlen < 0)
 		return 0;
 
-	HMAC_CTX_init(&hctx);
+	HMAC_CTX_init(&hctx_tpl);
 	p = out;
 	tkeylen = keylen;
 	if(!pass)
 		passlen = 0;
 	else if(passlen == -1)
 		passlen = strlen(pass);
+	if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL))
+		{
+		HMAC_CTX_cleanup(&hctx_tpl);
+		return 0;
+		}
 	while(tkeylen)
 		{
 		if(tkeylen > mdlen)
@@ -111,19 +116,36 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
 		itmp[1] = (unsigned char)((i >> 16) & 0xff);
 		itmp[2] = (unsigned char)((i >> 8) & 0xff);
 		itmp[3] = (unsigned char)(i & 0xff);
-		if (!HMAC_Init_ex(&hctx, pass, passlen, digest, NULL)
-			|| !HMAC_Update(&hctx, salt, saltlen)
-			|| !HMAC_Update(&hctx, itmp, 4)
-			|| !HMAC_Final(&hctx, digtmp, NULL))
+		if (!HMAC_CTX_copy(&hctx, &hctx_tpl))
 			{
+			HMAC_CTX_cleanup(&hctx_tpl);
+			return 0;
+			}
+		if (!HMAC_Update(&hctx, salt, saltlen)
+		    || !HMAC_Update(&hctx, itmp, 4)
+		    || !HMAC_Final(&hctx, digtmp, NULL))
+			{
+			HMAC_CTX_cleanup(&hctx_tpl);
 			HMAC_CTX_cleanup(&hctx);
 			return 0;
 			}
+		HMAC_CTX_cleanup(&hctx);
 		memcpy(p, digtmp, cplen);
 		for(j = 1; j < iter; j++)
 			{
-			HMAC(digest, pass, passlen,
-				 digtmp, mdlen, digtmp, NULL);
+			if (!HMAC_CTX_copy(&hctx, &hctx_tpl))
+				{
+				HMAC_CTX_cleanup(&hctx_tpl);
+				return 0;
+				}
+			if (!HMAC_Update(&hctx, digtmp, mdlen)
+			    || !HMAC_Final(&hctx, digtmp, NULL))
+				{
+				HMAC_CTX_cleanup(&hctx_tpl);
+				HMAC_CTX_cleanup(&hctx);
+				return 0;
+				}
+			HMAC_CTX_cleanup(&hctx);
 			for(k = 0; k < cplen; k++)
 				p[k] ^= digtmp[k];
 			}
@@ -131,7 +153,7 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
 		i++;
 		p+= cplen;
 		}
-	HMAC_CTX_cleanup(&hctx);
+	HMAC_CTX_cleanup(&hctx_tpl);
 #ifdef DEBUG_PKCS5V2
 	fprintf(stderr, "Password:\n");
 	h__dump (pass, passlen);
diff --git a/crypto/openssl/crypto/idea/ideatest.c b/crypto/openssl/crypto/idea/ideatest.c
index e6ffc7025e75..d509f8116ede 100644
--- a/crypto/openssl/crypto/idea/ideatest.c
+++ b/crypto/openssl/crypto/idea/ideatest.c
@@ -199,10 +199,10 @@ static int cfb64_test(unsigned char *cfb_cipher)
                 }
         memcpy(cfb_tmp,cfb_iv,8);
         n=0;
-        idea_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,&eks,
+        idea_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)13,&eks,
                 cfb_tmp,&n,IDEA_DECRYPT);
-        idea_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
-                (long)CFB_TEST_SIZE-17,&dks,
+        idea_cfb64_encrypt(&(cfb_buf1[13]),&(cfb_buf2[13]),
+                (long)CFB_TEST_SIZE-13,&eks,
                 cfb_tmp,&n,IDEA_DECRYPT);
         if (memcmp(plain,cfb_buf2,CFB_TEST_SIZE) != 0)
                 {
diff --git a/crypto/openssl/crypto/md32_common.h b/crypto/openssl/crypto/md32_common.h
index bb7381952a22..a75f136ca540 100644
--- a/crypto/openssl/crypto/md32_common.h
+++ b/crypto/openssl/crypto/md32_common.h
@@ -225,8 +225,7 @@
 #define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))<<24),		\
 			 l|=(((unsigned long)(*((c)++)))<<16),		\
 			 l|=(((unsigned long)(*((c)++)))<< 8),		\
-			 l|=(((unsigned long)(*((c)++)))    ),		\
-			 l)
+			 l|=(((unsigned long)(*((c)++)))    )		)
 #endif
 #ifndef HOST_l2c
 #define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff),	\
@@ -262,8 +261,7 @@
 #define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))    ),		\
 			 l|=(((unsigned long)(*((c)++)))<< 8),		\
 			 l|=(((unsigned long)(*((c)++)))<<16),		\
-			 l|=(((unsigned long)(*((c)++)))<<24),		\
-			 l)
+			 l|=(((unsigned long)(*((c)++)))<<24)		)
 #endif
 #ifndef HOST_l2c
 #define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)    )&0xff),	\
diff --git a/crypto/openssl/crypto/md5/asm/md5-x86_64.pl b/crypto/openssl/crypto/md5/asm/md5-x86_64.pl
index f11224d17220..381bf77e1c6b 100755
--- a/crypto/openssl/crypto/md5/asm/md5-x86_64.pl
+++ b/crypto/openssl/crypto/md5/asm/md5-x86_64.pl
@@ -108,6 +108,7 @@ sub round4_step
 EOF
 }
 
+no warnings qw(uninitialized);
 my $flavour = shift;
 my $output  = shift;
 if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
@@ -119,7 +120,6 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-no warnings qw(uninitialized);
 open OUT,"| \"$^X\" $xlate $flavour $output";
 *STDOUT=*OUT;
 
diff --git a/crypto/openssl/crypto/mem.c b/crypto/openssl/crypto/mem.c
index 1cc62eafd122..01052cfa38e9 100644
--- a/crypto/openssl/crypto/mem.c
+++ b/crypto/openssl/crypto/mem.c
@@ -255,10 +255,12 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line)
 
 	if (num <= 0) return NULL;
 
-	allow_customize = 0;
+	if(allow_customize)
+		allow_customize = 0;
 	if (malloc_debug_func != NULL)
 		{
-		allow_customize_debug = 0;
+		if(allow_customize_debug)
+			allow_customize_debug = 0;
 		malloc_debug_func(NULL, num, file, line, 0);
 		}
 	ret = malloc_locked_ex_func(num,file,line);
@@ -299,10 +301,12 @@ void *CRYPTO_malloc(int num, const char *file, int line)
 
 	if (num <= 0) return NULL;
 
-	allow_customize = 0;
+	if(allow_customize)
+		allow_customize = 0;
 	if (malloc_debug_func != NULL)
 		{
-		allow_customize_debug = 0;
+		if(allow_customize_debug)
+			allow_customize_debug = 0;
 		malloc_debug_func(NULL, num, file, line, 0);
 		}
 	ret = malloc_ex_func(num,file,line);
diff --git a/crypto/openssl/crypto/modes/Makefile b/crypto/openssl/crypto/modes/Makefile
index c825b12f2585..3d8bafd5716c 100644
--- a/crypto/openssl/crypto/modes/Makefile
+++ b/crypto/openssl/crypto/modes/Makefile
@@ -53,7 +53,10 @@ ghash-x86_64.s:	asm/ghash-x86_64.pl
 ghash-sparcv9.s:	asm/ghash-sparcv9.pl
 	$(PERL) asm/ghash-sparcv9.pl $@ $(CFLAGS)
 ghash-alpha.s:	asm/ghash-alpha.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) asm/ghash-alpha.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
+
 ghash-parisc.s:	asm/ghash-parisc.pl
 	$(PERL) asm/ghash-parisc.pl $(PERLASM_SCHEME) $@
 
diff --git a/crypto/openssl/crypto/modes/asm/ghash-parisc.pl b/crypto/openssl/crypto/modes/asm/ghash-parisc.pl
index 8c7454ee9340..d5ad96b40335 100755
--- a/crypto/openssl/crypto/modes/asm/ghash-parisc.pl
+++ b/crypto/openssl/crypto/modes/asm/ghash-parisc.pl
@@ -724,6 +724,7 @@ foreach (split("\n",$code)) {
 		s/cmpb,\*/comb,/;
 		s/,\*/,/;
 	}
+	s/\bbv\b/bve/	if ($SIZE_T==8);
 	print $_,"\n";
 }
 
diff --git a/crypto/openssl/crypto/modes/cbc128.c b/crypto/openssl/crypto/modes/cbc128.c
index 3d3782cbe118..0e54f75470b2 100644
--- a/crypto/openssl/crypto/modes/cbc128.c
+++ b/crypto/openssl/crypto/modes/cbc128.c
@@ -117,7 +117,7 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
 			unsigned char ivec[16], block128_f block)
 {
 	size_t n;
-	union { size_t align; unsigned char c[16]; } tmp;
+	union { size_t t[16/sizeof(size_t)]; unsigned char c[16]; } tmp;
 
 	assert(in && out && key && ivec);
 
@@ -137,11 +137,13 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
 				out += 16;
 			}
 		}
-		else {
+		else  if (16%sizeof(size_t) == 0) { /* always true */
 			while (len>=16) {
+				size_t *out_t=(size_t *)out, *iv_t=(size_t *)iv;
+
 				(*block)(in, out, key);
-				for(n=0; n<16; n+=sizeof(size_t))
-					*(size_t *)(out+n) ^= *(size_t *)(iv+n);
+				for(n=0; n<16/sizeof(size_t); n++)
+					out_t[n] ^= iv_t[n];
 				iv = in;
 				len -= 16;
 				in  += 16;
@@ -165,15 +167,16 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
 				out += 16;
 			}
 		}
-		else {
-			size_t c;
+		else if (16%sizeof(size_t) == 0) { /* always true */
 			while (len>=16) {
+				size_t c, *out_t=(size_t *)out, *ivec_t=(size_t *)ivec;
+				const size_t *in_t=(const size_t *)in;
+
 				(*block)(in, tmp.c, key);
-				for(n=0; n<16; n+=sizeof(size_t)) {
-					c = *(size_t *)(in+n);
-					*(size_t *)(out+n) =
-					*(size_t *)(tmp.c+n) ^ *(size_t *)(ivec+n);
-					*(size_t *)(ivec+n) = c;
+				for(n=0; n<16/sizeof(size_t); n++) {
+					c = in_t[n];
+					out_t[n] = tmp.t[n] ^ ivec_t[n];
+					ivec_t[n] = c;
 				}
 				len -= 16;
 				in  += 16;
diff --git a/crypto/openssl/crypto/modes/ccm128.c b/crypto/openssl/crypto/modes/ccm128.c
index c9b35e5b35e5..3ce11d0d984c 100644
--- a/crypto/openssl/crypto/modes/ccm128.c
+++ b/crypto/openssl/crypto/modes/ccm128.c
@@ -87,7 +87,7 @@ int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
 		ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8)));
 	}
 	else
-		*(u32*)(&ctx->nonce.c[8]) = 0;
+		ctx->nonce.u[1] = 0;
 
 	ctx->nonce.c[12] = (u8)(mlen>>24);
 	ctx->nonce.c[13] = (u8)(mlen>>16);
diff --git a/crypto/openssl/crypto/modes/cts128.c b/crypto/openssl/crypto/modes/cts128.c
index c0e1f3696c6c..2d583de6f61d 100644
--- a/crypto/openssl/crypto/modes/cts128.c
+++ b/crypto/openssl/crypto/modes/cts128.c
@@ -108,12 +108,8 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
 	(*cbc)(in,out-16,residue,key,ivec,1);
 	memcpy(out,tmp.c,residue);
 #else
-	{
-	size_t n;
-	for (n=0; n<16; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = 0;
+	memset(tmp.c,0,sizeof(tmp));
 	memcpy(tmp.c,in,residue);
-	}
 	memcpy(out,out-16,residue);
 	(*cbc)(tmp.c,out-16,16,key,ivec,1);
 #endif
@@ -144,12 +140,8 @@ size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
 #if defined(CBC_HANDLES_TRUNCATED_IO)
 	(*cbc)(in,out-16+residue,residue,key,ivec,1);
 #else
-	{
-	size_t n;
-	for (n=0; n<16; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = 0;
+	memset(tmp.c,0,sizeof(tmp));
 	memcpy(tmp.c,in,residue);
-	}
 	(*cbc)(tmp.c,out-16+residue,16,key,ivec,1);
 #endif
 	return len+residue;
@@ -177,8 +169,7 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
 
 	(*block)(in,tmp.c+16,key);
 
-	for (n=0; n<16; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
+	memcpy(tmp.c,tmp.c+16,16);
 	memcpy(tmp.c,in+16,residue);
 	(*block)(tmp.c,tmp.c,key);
 
@@ -220,8 +211,7 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *o
 
 	(*block)(in+residue,tmp.c+16,key);
 
-	for (n=0; n<16; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
+	memcpy(tmp.c,tmp.c+16,16);
 	memcpy(tmp.c,in,residue);
 	(*block)(tmp.c,tmp.c,key);
 
@@ -240,7 +230,7 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *o
 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 			size_t len, const void *key,
 			unsigned char ivec[16], cbc128_f cbc)
-{	size_t residue, n;
+{	size_t residue;
 	union { size_t align; unsigned char c[32]; } tmp;
 
 	assert (in && out && key && ivec);
@@ -257,8 +247,7 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 		out += len;
 	}
 
-	for (n=16; n<32; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = 0;
+	memset(tmp.c,0,sizeof(tmp));
 	/* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
 	(*cbc)(in,tmp.c,16,key,tmp.c+16,0);
 
@@ -275,7 +264,7 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
 			size_t len, const void *key,
 			unsigned char ivec[16], cbc128_f cbc)
-{	size_t residue, n;
+{	size_t residue;
 	union { size_t align; unsigned char c[32]; } tmp;
 
 	assert (in && out && key && ivec);
@@ -297,8 +286,7 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
 		out += len;
 	}
 
-	for (n=16; n<32; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = 0;
+	memset(tmp.c,0,sizeof(tmp));
 	/* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
 	(*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0);
 
diff --git a/crypto/openssl/crypto/modes/gcm128.c b/crypto/openssl/crypto/modes/gcm128.c
index 0e6ff8b0a155..e1dc2b0f4760 100644
--- a/crypto/openssl/crypto/modes/gcm128.c
+++ b/crypto/openssl/crypto/modes/gcm128.c
@@ -810,7 +810,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
 		GCM_MUL(ctx,Yi);
 
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 			ctr = GETU32(ctx->Yi.c+12);
+#endif
 		else
 			ctr = ctx->Yi.d[3];
 	}
@@ -818,7 +822,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
 	(*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key);
 	++ctr;
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 		PUTU32(ctx->Yi.c+12,ctr);
+#endif
 	else
 		ctx->Yi.d[3] = ctr;
 }
@@ -913,7 +921,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 	}
 
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 		ctr = GETU32(ctx->Yi.c+12);
+#endif
 	else
 		ctr = ctx->Yi.d[3];
 
@@ -941,15 +953,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 		    size_t j=GHASH_CHUNK;
 
 		    while (j) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				out_t[i] = in_t[i] ^ ctx->EKi.t[i];
 			out += 16;
 			in  += 16;
 			j   -= 16;
@@ -961,15 +979,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 		    size_t j=i;
 
 		    while (len>=16) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				out_t[i] = in_t[i] ^ ctx->EKi.t[i];
 			out += 16;
 			in  += 16;
 			len -= 16;
@@ -978,16 +1002,22 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 		}
 #else
 		while (len>=16) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(ctx->Xi.c+i) ^=
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				ctx->Xi.t[i] ^=
+				out_t[i] = in_t[i]^ctx->EKi.t[i];
 			GCM_MUL(ctx,Xi);
 			out += 16;
 			in  += 16;
@@ -998,7 +1028,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
 			while (len--) {
@@ -1016,7 +1050,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
 		}
@@ -1060,7 +1098,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 	}
 
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 		ctr = GETU32(ctx->Yi.c+12);
+#endif
 	else
 		ctr = ctx->Yi.d[3];
 
@@ -1091,15 +1133,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 
 		    GHASH(ctx,in,GHASH_CHUNK);
 		    while (j) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				out_t[i] = in_t[i]^ctx->EKi.t[i];
 			out += 16;
 			in  += 16;
 			j   -= 16;
@@ -1109,15 +1157,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 		if ((i = (len&(size_t)-16))) {
 		    GHASH(ctx,in,i);
 		    while (len>=16) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				out_t[i] = in_t[i]^ctx->EKi.t[i];
 			out += 16;
 			in  += 16;
 			len -= 16;
@@ -1125,16 +1179,23 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 		}
 #else
 		while (len>=16) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t)) {
-				size_t c = *(size_t *)(in+i);
-				*(size_t *)(out+i) = c^*(size_t *)(ctx->EKi.c+i);
-				*(size_t *)(ctx->Xi.c+i) ^= c;
+			for (i=0; i<16/sizeof(size_t); ++i) {
+				size_t c = in[i];
+				out[i] = c^ctx->EKi.t[i];
+				ctx->Xi.t[i] ^= c;
 			}
 			GCM_MUL(ctx,Xi);
 			out += 16;
@@ -1146,7 +1207,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
 			while (len--) {
@@ -1167,7 +1232,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
 		}
@@ -1212,7 +1281,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 	}
 
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 		ctr = GETU32(ctx->Yi.c+12);
+#endif
 	else
 		ctr = ctx->Yi.d[3];
 
@@ -1234,7 +1307,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
 		ctr += GHASH_CHUNK/16;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		GHASH(ctx,out,GHASH_CHUNK);
@@ -1249,7 +1326,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*stream)(in,out,j,key,ctx->Yi.c);
 		ctr += (unsigned int)j;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		in  += i;
@@ -1269,7 +1350,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
 		++ctr;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		while (len--) {
@@ -1311,7 +1396,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 	}
 
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 		ctr = GETU32(ctx->Yi.c+12);
+#endif
 	else
 		ctr = ctx->Yi.d[3];
 
@@ -1336,7 +1425,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
 		ctr += GHASH_CHUNK/16;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		out += GHASH_CHUNK;
@@ -1362,7 +1455,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*stream)(in,out,j,key,ctx->Yi.c);
 		ctr += (unsigned int)j;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		out += i;
@@ -1373,7 +1470,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
 		++ctr;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		while (len--) {
@@ -1669,6 +1770,46 @@ static const u8	IV18[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0
 			0xa2,0x41,0x89,0x97,0x20,0x0e,0xf8,0x2e,0x44,0xae,0x7e,0x3f},
 		T18[]= {0xa4,0x4a,0x82,0x66,0xee,0x1c,0x8e,0xb0,0xc8,0xb5,0xd4,0xcf,0x5a,0xe9,0xf1,0x9a};
 
+/* Test Case 19 */
+#define K19 K1
+#define P19 P1
+#define IV19 IV1
+#define C19 C1
+static const u8 A19[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
+			0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
+			0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
+			0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55,
+			0x52,0x2d,0xc1,0xf0,0x99,0x56,0x7d,0x07,0xf4,0x7f,0x37,0xa3,0x2a,0x84,0x42,0x7d,
+			0x64,0x3a,0x8c,0xdc,0xbf,0xe5,0xc0,0xc9,0x75,0x98,0xa2,0xbd,0x25,0x55,0xd1,0xaa,
+			0x8c,0xb0,0x8e,0x48,0x59,0x0d,0xbb,0x3d,0xa7,0xb0,0x8b,0x10,0x56,0x82,0x88,0x38,
+			0xc5,0xf6,0x1e,0x63,0x93,0xba,0x7a,0x0a,0xbc,0xc9,0xf6,0x62,0x89,0x80,0x15,0xad},
+		T19[]= {0x5f,0xea,0x79,0x3a,0x2d,0x6f,0x97,0x4d,0x37,0xe6,0x8e,0x0c,0xb8,0xff,0x94,0x92};
+
+/* Test Case 20 */
+#define K20 K1
+#define A20 A1
+static const u8 IV20[64]={0xff,0xff,0xff,0xff},	/* this results in 0xff in counter LSB */
+		P20[288],
+		C20[]= {0x56,0xb3,0x37,0x3c,0xa9,0xef,0x6e,0x4a,0x2b,0x64,0xfe,0x1e,0x9a,0x17,0xb6,0x14,
+			0x25,0xf1,0x0d,0x47,0xa7,0x5a,0x5f,0xce,0x13,0xef,0xc6,0xbc,0x78,0x4a,0xf2,0x4f,
+			0x41,0x41,0xbd,0xd4,0x8c,0xf7,0xc7,0x70,0x88,0x7a,0xfd,0x57,0x3c,0xca,0x54,0x18,
+			0xa9,0xae,0xff,0xcd,0x7c,0x5c,0xed,0xdf,0xc6,0xa7,0x83,0x97,0xb9,0xa8,0x5b,0x49,
+			0x9d,0xa5,0x58,0x25,0x72,0x67,0xca,0xab,0x2a,0xd0,0xb2,0x3c,0xa4,0x76,0xa5,0x3c,
+			0xb1,0x7f,0xb4,0x1c,0x4b,0x8b,0x47,0x5c,0xb4,0xf3,0xf7,0x16,0x50,0x94,0xc2,0x29,
+			0xc9,0xe8,0xc4,0xdc,0x0a,0x2a,0x5f,0xf1,0x90,0x3e,0x50,0x15,0x11,0x22,0x13,0x76,
+			0xa1,0xcd,0xb8,0x36,0x4c,0x50,0x61,0xa2,0x0c,0xae,0x74,0xbc,0x4a,0xcd,0x76,0xce,
+			0xb0,0xab,0xc9,0xfd,0x32,0x17,0xef,0x9f,0x8c,0x90,0xbe,0x40,0x2d,0xdf,0x6d,0x86,
+			0x97,0xf4,0xf8,0x80,0xdf,0xf1,0x5b,0xfb,0x7a,0x6b,0x28,0x24,0x1e,0xc8,0xfe,0x18,
+			0x3c,0x2d,0x59,0xe3,0xf9,0xdf,0xff,0x65,0x3c,0x71,0x26,0xf0,0xac,0xb9,0xe6,0x42,
+			0x11,0xf4,0x2b,0xae,0x12,0xaf,0x46,0x2b,0x10,0x70,0xbe,0xf1,0xab,0x5e,0x36,0x06,
+			0x87,0x2c,0xa1,0x0d,0xee,0x15,0xb3,0x24,0x9b,0x1a,0x1b,0x95,0x8f,0x23,0x13,0x4c,
+			0x4b,0xcc,0xb7,0xd0,0x32,0x00,0xbc,0xe4,0x20,0xa2,0xf8,0xeb,0x66,0xdc,0xf3,0x64,
+			0x4d,0x14,0x23,0xc1,0xb5,0x69,0x90,0x03,0xc1,0x3e,0xce,0xf4,0xbf,0x38,0xa3,0xb6,
+			0x0e,0xed,0xc3,0x40,0x33,0xba,0xc1,0x90,0x27,0x83,0xdc,0x6d,0x89,0xe2,0xe7,0x74,
+			0x18,0x8a,0x43,0x9c,0x7e,0xbc,0xc0,0x67,0x2d,0xbd,0xa4,0xdd,0xcf,0xb2,0x79,0x46,
+			0x13,0xb0,0xbe,0x41,0x31,0x5e,0xf7,0x78,0x70,0x8a,0x70,0xee,0x7d,0x75,0x16,0x5c},
+		T20[]= {0x8b,0x30,0x7f,0x6b,0x33,0x28,0x6d,0x0a,0xb0,0x26,0xa9,0xed,0x3f,0xe1,0xe8,0x5f};
+
 #define TEST_CASE(n)	do {					\
 	u8 out[sizeof(P##n)];					\
 	AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key);		\
@@ -1713,6 +1854,8 @@ int main()
 	TEST_CASE(16);
 	TEST_CASE(17);
 	TEST_CASE(18);
+	TEST_CASE(19);
+	TEST_CASE(20);
 
 #ifdef OPENSSL_CPUID_OBJ
 	{
@@ -1743,11 +1886,16 @@ int main()
 			ctr_t/(double)sizeof(buf),
 			(gcm_t-ctr_t)/(double)sizeof(buf));
 #ifdef GHASH
-	GHASH(&ctx,buf.c,sizeof(buf));
+	{
+	void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
+				const u8 *inp,size_t len)	= ctx.ghash;
+
+	GHASH((&ctx),buf.c,sizeof(buf));
 	start = OPENSSL_rdtsc();
-	for (i=0;i<100;++i) GHASH(&ctx,buf.c,sizeof(buf));
+	for (i=0;i<100;++i) GHASH((&ctx),buf.c,sizeof(buf));
 	gcm_t = OPENSSL_rdtsc() - start;
 	printf("%.2f\n",gcm_t/(double)sizeof(buf)/(double)i);
+	}
 #endif
 	}
 #endif
diff --git a/crypto/openssl/crypto/modes/modes.h b/crypto/openssl/crypto/modes/modes.h
index f18215bb2b25..7773c2542e5c 100644
--- a/crypto/openssl/crypto/modes/modes.h
+++ b/crypto/openssl/crypto/modes/modes.h
@@ -7,6 +7,9 @@
 
 #include <stddef.h>
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
 typedef void (*block128_f)(const unsigned char in[16],
 			unsigned char out[16],
 			const void *key);
@@ -133,3 +136,6 @@ typedef struct xts128_context XTS128_CONTEXT;
 
 int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
 	const unsigned char *inp, unsigned char *out, size_t len, int enc);
+#ifdef  __cplusplus
+}
+#endif
diff --git a/crypto/openssl/crypto/modes/modes_lcl.h b/crypto/openssl/crypto/modes/modes_lcl.h
index b6dc3c336fe0..9d83e128444e 100644
--- a/crypto/openssl/crypto/modes/modes_lcl.h
+++ b/crypto/openssl/crypto/modes/modes_lcl.h
@@ -29,10 +29,7 @@ typedef unsigned char u8;
 #if defined(__i386)	|| defined(__i386__)	|| \
     defined(__x86_64)	|| defined(__x86_64__)	|| \
     defined(_M_IX86)	|| defined(_M_AMD64)	|| defined(_M_X64) || \
-    defined(__s390__)	|| defined(__s390x__)	|| \
-    ( (defined(__arm__)	|| defined(__arm)) && \
-      (defined(__ARM_ARCH_7__)	|| defined(__ARM_ARCH_7A__) || \
-       defined(__ARM_ARCH_7R__)	|| defined(__ARM_ARCH_7M__)) )
+    defined(__s390__)	|| defined(__s390x__)
 # undef STRICT_ALIGNMENT
 #endif
 
@@ -101,8 +98,8 @@ typedef struct { u64 hi,lo; } u128;
 
 struct gcm128_context {
 	/* Following 6 names follow names in GCM specification */
-	union { u64 u[2]; u32 d[4]; u8 c[16]; }	Yi,EKi,EK0,len,
-						Xi,H;
+	union { u64 u[2]; u32 d[4]; u8 c[16]; size_t t[16/sizeof(size_t)]; }
+	  Yi,EKi,EK0,len,Xi,H;
 	/* Relative position of Xi, H and pre-computed Htable is used
 	 * in some assembler modules, i.e. don't change the order! */
 #if TABLE_BITS==8
diff --git a/crypto/openssl/crypto/objects/obj_dat.h b/crypto/openssl/crypto/objects/obj_dat.h
index d404ad07c981..bc69665bc582 100644
--- a/crypto/openssl/crypto/objects/obj_dat.h
+++ b/crypto/openssl/crypto/objects/obj_dat.h
@@ -67,1908 +67,1901 @@
 #define NUM_LN 913
 #define NUM_OBJ 857
 
-static const unsigned char lvalues[5980]={
-0x00,                                        /* [  0] OBJ_undef */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,     /* [ 14] OBJ_md2 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05,     /* [ 22] OBJ_md5 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x04,     /* [ 30] OBJ_rc4 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,/* [ 38] OBJ_rsaEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02,/* [ 47] OBJ_md2WithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04,/* [ 56] OBJ_md5WithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x01,/* [ 65] OBJ_pbeWithMD2AndDES_CBC */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x03,/* [ 74] OBJ_pbeWithMD5AndDES_CBC */
-0x55,                                        /* [ 83] OBJ_X500 */
-0x55,0x04,                                   /* [ 84] OBJ_X509 */
-0x55,0x04,0x03,                              /* [ 86] OBJ_commonName */
-0x55,0x04,0x06,                              /* [ 89] OBJ_countryName */
-0x55,0x04,0x07,                              /* [ 92] OBJ_localityName */
-0x55,0x04,0x08,                              /* [ 95] OBJ_stateOrProvinceName */
-0x55,0x04,0x0A,                              /* [ 98] OBJ_organizationName */
-0x55,0x04,0x0B,                              /* [101] OBJ_organizationalUnitName */
-0x55,0x08,0x01,0x01,                         /* [104] OBJ_rsa */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,     /* [108] OBJ_pkcs7 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,/* [116] OBJ_pkcs7_data */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,/* [125] OBJ_pkcs7_signed */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x03,/* [134] OBJ_pkcs7_enveloped */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x04,/* [143] OBJ_pkcs7_signedAndEnveloped */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x05,/* [152] OBJ_pkcs7_digest */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x06,/* [161] OBJ_pkcs7_encrypted */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,     /* [170] OBJ_pkcs3 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,0x01,/* [178] OBJ_dhKeyAgreement */
-0x2B,0x0E,0x03,0x02,0x06,                    /* [187] OBJ_des_ecb */
-0x2B,0x0E,0x03,0x02,0x09,                    /* [192] OBJ_des_cfb64 */
-0x2B,0x0E,0x03,0x02,0x07,                    /* [197] OBJ_des_cbc */
-0x2B,0x0E,0x03,0x02,0x11,                    /* [202] OBJ_des_ede_ecb */
-0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02,/* [207] OBJ_idea_cbc */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02,     /* [218] OBJ_rc2_cbc */
-0x2B,0x0E,0x03,0x02,0x12,                    /* [226] OBJ_sha */
-0x2B,0x0E,0x03,0x02,0x0F,                    /* [231] OBJ_shaWithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07,     /* [236] OBJ_des_ede3_cbc */
-0x2B,0x0E,0x03,0x02,0x08,                    /* [244] OBJ_des_ofb64 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,     /* [249] OBJ_pkcs9 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,/* [257] OBJ_pkcs9_emailAddress */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x02,/* [266] OBJ_pkcs9_unstructuredName */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x03,/* [275] OBJ_pkcs9_contentType */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04,/* [284] OBJ_pkcs9_messageDigest */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x05,/* [293] OBJ_pkcs9_signingTime */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x06,/* [302] OBJ_pkcs9_countersignature */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07,/* [311] OBJ_pkcs9_challengePassword */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x08,/* [320] OBJ_pkcs9_unstructuredAddress */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x09,/* [329] OBJ_pkcs9_extCertAttributes */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,          /* [338] OBJ_netscape */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,     /* [345] OBJ_netscape_cert_extension */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,     /* [353] OBJ_netscape_data_type */
-0x2B,0x0E,0x03,0x02,0x1A,                    /* [361] OBJ_sha1 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,/* [366] OBJ_sha1WithRSAEncryption */
-0x2B,0x0E,0x03,0x02,0x0D,                    /* [375] OBJ_dsaWithSHA */
-0x2B,0x0E,0x03,0x02,0x0C,                    /* [380] OBJ_dsa_2 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0B,/* [385] OBJ_pbeWithSHA1AndRC2_CBC */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0C,/* [394] OBJ_id_pbkdf2 */
-0x2B,0x0E,0x03,0x02,0x1B,                    /* [403] OBJ_dsaWithSHA1_2 */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,/* [408] OBJ_netscape_cert_type */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x02,/* [417] OBJ_netscape_base_url */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x03,/* [426] OBJ_netscape_revocation_url */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04,/* [435] OBJ_netscape_ca_revocation_url */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x07,/* [444] OBJ_netscape_renewal_url */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x08,/* [453] OBJ_netscape_ca_policy_url */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0C,/* [462] OBJ_netscape_ssl_server_name */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,/* [471] OBJ_netscape_comment */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,0x05,/* [480] OBJ_netscape_cert_sequence */
-0x55,0x1D,                                   /* [489] OBJ_id_ce */
-0x55,0x1D,0x0E,                              /* [491] OBJ_subject_key_identifier */
-0x55,0x1D,0x0F,                              /* [494] OBJ_key_usage */
-0x55,0x1D,0x10,                              /* [497] OBJ_private_key_usage_period */
-0x55,0x1D,0x11,                              /* [500] OBJ_subject_alt_name */
-0x55,0x1D,0x12,                              /* [503] OBJ_issuer_alt_name */
-0x55,0x1D,0x13,                              /* [506] OBJ_basic_constraints */
-0x55,0x1D,0x14,                              /* [509] OBJ_crl_number */
-0x55,0x1D,0x20,                              /* [512] OBJ_certificate_policies */
-0x55,0x1D,0x23,                              /* [515] OBJ_authority_key_identifier */
-0x2B,0x06,0x01,0x04,0x01,0x97,0x55,0x01,0x02,/* [518] OBJ_bf_cbc */
-0x55,0x08,0x03,0x65,                         /* [527] OBJ_mdc2 */
-0x55,0x08,0x03,0x64,                         /* [531] OBJ_mdc2WithRSA */
-0x55,0x04,0x2A,                              /* [535] OBJ_givenName */
-0x55,0x04,0x04,                              /* [538] OBJ_surname */
-0x55,0x04,0x2B,                              /* [541] OBJ_initials */
-0x55,0x1D,0x1F,                              /* [544] OBJ_crl_distribution_points */
-0x2B,0x0E,0x03,0x02,0x03,                    /* [547] OBJ_md5WithRSA */
-0x55,0x04,0x05,                              /* [552] OBJ_serialNumber */
-0x55,0x04,0x0C,                              /* [555] OBJ_title */
-0x55,0x04,0x0D,                              /* [558] OBJ_description */
-0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0A,/* [561] OBJ_cast5_cbc */
-0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0C,/* [570] OBJ_pbeWithMD5AndCast5_CBC */
-0x2A,0x86,0x48,0xCE,0x38,0x04,0x03,          /* [579] OBJ_dsaWithSHA1 */
-0x2B,0x0E,0x03,0x02,0x1D,                    /* [586] OBJ_sha1WithRSA */
-0x2A,0x86,0x48,0xCE,0x38,0x04,0x01,          /* [591] OBJ_dsa */
-0x2B,0x24,0x03,0x02,0x01,                    /* [598] OBJ_ripemd160 */
-0x2B,0x24,0x03,0x03,0x01,0x02,               /* [603] OBJ_ripemd160WithRSA */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x08,     /* [609] OBJ_rc5_cbc */
-0x29,0x01,0x01,0x85,0x1A,0x01,               /* [617] OBJ_rle_compression */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x08,/* [623] OBJ_zlib_compression */
-0x55,0x1D,0x25,                              /* [634] OBJ_ext_key_usage */
-0x2B,0x06,0x01,0x05,0x05,0x07,               /* [637] OBJ_id_pkix */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,          /* [643] OBJ_id_kp */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,     /* [650] OBJ_server_auth */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,     /* [658] OBJ_client_auth */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,     /* [666] OBJ_code_sign */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04,     /* [674] OBJ_email_protect */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08,     /* [682] OBJ_time_stamp */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,/* [690] OBJ_ms_code_ind */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,/* [700] OBJ_ms_code_com */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,/* [710] OBJ_ms_ctl_sign */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03,/* [720] OBJ_ms_sgc */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x04,/* [730] OBJ_ms_efs */
-0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01,/* [740] OBJ_ns_sgc */
-0x55,0x1D,0x1B,                              /* [749] OBJ_delta_crl */
-0x55,0x1D,0x15,                              /* [752] OBJ_crl_reason */
-0x55,0x1D,0x18,                              /* [755] OBJ_invalidity_date */
-0x2B,0x65,0x01,0x04,0x01,                    /* [758] OBJ_sxnet */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x01,/* [763] OBJ_pbe_WithSHA1And128BitRC4 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x02,/* [773] OBJ_pbe_WithSHA1And40BitRC4 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x03,/* [783] OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x04,/* [793] OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x05,/* [803] OBJ_pbe_WithSHA1And128BitRC2_CBC */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x06,/* [813] OBJ_pbe_WithSHA1And40BitRC2_CBC */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x01,/* [823] OBJ_keyBag */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x02,/* [834] OBJ_pkcs8ShroudedKeyBag */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x03,/* [845] OBJ_certBag */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x04,/* [856] OBJ_crlBag */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x05,/* [867] OBJ_secretBag */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x06,/* [878] OBJ_safeContentsBag */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x14,/* [889] OBJ_friendlyName */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x15,/* [898] OBJ_localKeyID */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x01,/* [907] OBJ_x509Certificate */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x02,/* [917] OBJ_sdsiCertificate */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x17,0x01,/* [927] OBJ_x509Crl */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D,/* [937] OBJ_pbes2 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0E,/* [946] OBJ_pbmac1 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x07,     /* [955] OBJ_hmacWithSHA1 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,     /* [963] OBJ_id_qt_cps */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,     /* [971] OBJ_id_qt_unotice */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0F,/* [979] OBJ_SMIMECapabilities */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x04,/* [988] OBJ_pbeWithMD2AndRC2_CBC */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x06,/* [997] OBJ_pbeWithMD5AndRC2_CBC */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0A,/* [1006] OBJ_pbeWithSHA1AndDES_CBC */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x0E,/* [1015] OBJ_ms_ext_req */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E,/* [1025] OBJ_ext_req */
-0x55,0x04,0x29,                              /* [1034] OBJ_name */
-0x55,0x04,0x2E,                              /* [1037] OBJ_dnQualifier */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,          /* [1040] OBJ_id_pe */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,          /* [1047] OBJ_id_ad */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,     /* [1054] OBJ_info_access */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,     /* [1062] OBJ_ad_OCSP */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,     /* [1070] OBJ_ad_ca_issuers */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09,     /* [1078] OBJ_OCSP_sign */
-0x28,                                        /* [1086] OBJ_iso */
-0x2A,                                        /* [1087] OBJ_member_body */
-0x2A,0x86,0x48,                              /* [1088] OBJ_ISO_US */
-0x2A,0x86,0x48,0xCE,0x38,                    /* [1091] OBJ_X9_57 */
-0x2A,0x86,0x48,0xCE,0x38,0x04,               /* [1096] OBJ_X9cm */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,     /* [1102] OBJ_pkcs1 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,     /* [1110] OBJ_pkcs5 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,/* [1118] OBJ_SMIME */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,/* [1127] OBJ_id_smime_mod */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,/* [1137] OBJ_id_smime_ct */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,/* [1147] OBJ_id_smime_aa */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,/* [1157] OBJ_id_smime_alg */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,/* [1167] OBJ_id_smime_cd */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,/* [1177] OBJ_id_smime_spq */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,/* [1187] OBJ_id_smime_cti */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x01,/* [1197] OBJ_id_smime_mod_cms */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x02,/* [1208] OBJ_id_smime_mod_ess */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x03,/* [1219] OBJ_id_smime_mod_oid */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x04,/* [1230] OBJ_id_smime_mod_msg_v3 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x05,/* [1241] OBJ_id_smime_mod_ets_eSignature_88 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x06,/* [1252] OBJ_id_smime_mod_ets_eSignature_97 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x07,/* [1263] OBJ_id_smime_mod_ets_eSigPolicy_88 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x08,/* [1274] OBJ_id_smime_mod_ets_eSigPolicy_97 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x01,/* [1285] OBJ_id_smime_ct_receipt */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x02,/* [1296] OBJ_id_smime_ct_authData */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x03,/* [1307] OBJ_id_smime_ct_publishCert */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x04,/* [1318] OBJ_id_smime_ct_TSTInfo */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x05,/* [1329] OBJ_id_smime_ct_TDTInfo */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x06,/* [1340] OBJ_id_smime_ct_contentInfo */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x07,/* [1351] OBJ_id_smime_ct_DVCSRequestData */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x08,/* [1362] OBJ_id_smime_ct_DVCSResponseData */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x01,/* [1373] OBJ_id_smime_aa_receiptRequest */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x02,/* [1384] OBJ_id_smime_aa_securityLabel */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x03,/* [1395] OBJ_id_smime_aa_mlExpandHistory */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x04,/* [1406] OBJ_id_smime_aa_contentHint */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x05,/* [1417] OBJ_id_smime_aa_msgSigDigest */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x06,/* [1428] OBJ_id_smime_aa_encapContentType */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x07,/* [1439] OBJ_id_smime_aa_contentIdentifier */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x08,/* [1450] OBJ_id_smime_aa_macValue */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x09,/* [1461] OBJ_id_smime_aa_equivalentLabels */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0A,/* [1472] OBJ_id_smime_aa_contentReference */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0B,/* [1483] OBJ_id_smime_aa_encrypKeyPref */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0C,/* [1494] OBJ_id_smime_aa_signingCertificate */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0D,/* [1505] OBJ_id_smime_aa_smimeEncryptCerts */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0E,/* [1516] OBJ_id_smime_aa_timeStampToken */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0F,/* [1527] OBJ_id_smime_aa_ets_sigPolicyId */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x10,/* [1538] OBJ_id_smime_aa_ets_commitmentType */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x11,/* [1549] OBJ_id_smime_aa_ets_signerLocation */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x12,/* [1560] OBJ_id_smime_aa_ets_signerAttr */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x13,/* [1571] OBJ_id_smime_aa_ets_otherSigCert */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x14,/* [1582] OBJ_id_smime_aa_ets_contentTimestamp */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x15,/* [1593] OBJ_id_smime_aa_ets_CertificateRefs */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x16,/* [1604] OBJ_id_smime_aa_ets_RevocationRefs */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x17,/* [1615] OBJ_id_smime_aa_ets_certValues */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x18,/* [1626] OBJ_id_smime_aa_ets_revocationValues */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x19,/* [1637] OBJ_id_smime_aa_ets_escTimeStamp */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1A,/* [1648] OBJ_id_smime_aa_ets_certCRLTimestamp */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1B,/* [1659] OBJ_id_smime_aa_ets_archiveTimeStamp */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1C,/* [1670] OBJ_id_smime_aa_signatureType */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1D,/* [1681] OBJ_id_smime_aa_dvcs_dvc */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x01,/* [1692] OBJ_id_smime_alg_ESDHwith3DES */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x02,/* [1703] OBJ_id_smime_alg_ESDHwithRC2 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x03,/* [1714] OBJ_id_smime_alg_3DESwrap */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x04,/* [1725] OBJ_id_smime_alg_RC2wrap */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x05,/* [1736] OBJ_id_smime_alg_ESDH */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x06,/* [1747] OBJ_id_smime_alg_CMS3DESwrap */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x07,/* [1758] OBJ_id_smime_alg_CMSRC2wrap */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,0x01,/* [1769] OBJ_id_smime_cd_ldap */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x01,/* [1780] OBJ_id_smime_spq_ets_sqt_uri */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x02,/* [1791] OBJ_id_smime_spq_ets_sqt_unotice */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x01,/* [1802] OBJ_id_smime_cti_ets_proofOfOrigin */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x02,/* [1813] OBJ_id_smime_cti_ets_proofOfReceipt */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x03,/* [1824] OBJ_id_smime_cti_ets_proofOfDelivery */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x04,/* [1835] OBJ_id_smime_cti_ets_proofOfSender */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x05,/* [1846] OBJ_id_smime_cti_ets_proofOfApproval */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x06,/* [1857] OBJ_id_smime_cti_ets_proofOfCreation */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x04,     /* [1868] OBJ_md4 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,          /* [1876] OBJ_id_pkix_mod */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x02,          /* [1883] OBJ_id_qt */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,          /* [1890] OBJ_id_it */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,          /* [1897] OBJ_id_pkip */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x06,          /* [1904] OBJ_id_alg */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,          /* [1911] OBJ_id_cmc */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x08,          /* [1918] OBJ_id_on */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x09,          /* [1925] OBJ_id_pda */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,          /* [1932] OBJ_id_aca */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,          /* [1939] OBJ_id_qcs */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,          /* [1946] OBJ_id_cct */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x01,     /* [1953] OBJ_id_pkix1_explicit_88 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x02,     /* [1961] OBJ_id_pkix1_implicit_88 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x03,     /* [1969] OBJ_id_pkix1_explicit_93 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x04,     /* [1977] OBJ_id_pkix1_implicit_93 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x05,     /* [1985] OBJ_id_mod_crmf */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x06,     /* [1993] OBJ_id_mod_cmc */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x07,     /* [2001] OBJ_id_mod_kea_profile_88 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x08,     /* [2009] OBJ_id_mod_kea_profile_93 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x09,     /* [2017] OBJ_id_mod_cmp */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0A,     /* [2025] OBJ_id_mod_qualified_cert_88 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0B,     /* [2033] OBJ_id_mod_qualified_cert_93 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0C,     /* [2041] OBJ_id_mod_attribute_cert */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0D,     /* [2049] OBJ_id_mod_timestamp_protocol */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0E,     /* [2057] OBJ_id_mod_ocsp */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0F,     /* [2065] OBJ_id_mod_dvcs */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x10,     /* [2073] OBJ_id_mod_cmp2000 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x02,     /* [2081] OBJ_biometricInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x03,     /* [2089] OBJ_qcStatements */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,     /* [2097] OBJ_ac_auditEntity */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,     /* [2105] OBJ_ac_targeting */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,     /* [2113] OBJ_aaControls */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2121] OBJ_sbgp_ipAddrBlock */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2129] OBJ_sbgp_autonomousSysNum */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2137] OBJ_sbgp_routerIdentifier */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2145] OBJ_textNotice */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2153] OBJ_ipsecEndSystem */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2161] OBJ_ipsecTunnel */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x07,     /* [2169] OBJ_ipsecUser */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x0A,     /* [2177] OBJ_dvcs */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x01,     /* [2185] OBJ_id_it_caProtEncCert */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x02,     /* [2193] OBJ_id_it_signKeyPairTypes */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x03,     /* [2201] OBJ_id_it_encKeyPairTypes */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x04,     /* [2209] OBJ_id_it_preferredSymmAlg */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x05,     /* [2217] OBJ_id_it_caKeyUpdateInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x06,     /* [2225] OBJ_id_it_currentCRL */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x07,     /* [2233] OBJ_id_it_unsupportedOIDs */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x08,     /* [2241] OBJ_id_it_subscriptionRequest */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x09,     /* [2249] OBJ_id_it_subscriptionResponse */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0A,     /* [2257] OBJ_id_it_keyPairParamReq */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0B,     /* [2265] OBJ_id_it_keyPairParamRep */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0C,     /* [2273] OBJ_id_it_revPassphrase */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0D,     /* [2281] OBJ_id_it_implicitConfirm */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0E,     /* [2289] OBJ_id_it_confirmWaitTime */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0F,     /* [2297] OBJ_id_it_origPKIMessage */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,     /* [2305] OBJ_id_regCtrl */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,     /* [2313] OBJ_id_regInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x01,/* [2321] OBJ_id_regCtrl_regToken */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x02,/* [2330] OBJ_id_regCtrl_authenticator */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x03,/* [2339] OBJ_id_regCtrl_pkiPublicationInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x04,/* [2348] OBJ_id_regCtrl_pkiArchiveOptions */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x05,/* [2357] OBJ_id_regCtrl_oldCertID */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x06,/* [2366] OBJ_id_regCtrl_protocolEncrKey */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x01,/* [2375] OBJ_id_regInfo_utf8Pairs */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x02,/* [2384] OBJ_id_regInfo_certReq */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x01,     /* [2393] OBJ_id_alg_des40 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x02,     /* [2401] OBJ_id_alg_noSignature */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x03,     /* [2409] OBJ_id_alg_dh_sig_hmac_sha1 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x04,     /* [2417] OBJ_id_alg_dh_pop */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x01,     /* [2425] OBJ_id_cmc_statusInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x02,     /* [2433] OBJ_id_cmc_identification */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x03,     /* [2441] OBJ_id_cmc_identityProof */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x04,     /* [2449] OBJ_id_cmc_dataReturn */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x05,     /* [2457] OBJ_id_cmc_transactionId */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x06,     /* [2465] OBJ_id_cmc_senderNonce */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x07,     /* [2473] OBJ_id_cmc_recipientNonce */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x08,     /* [2481] OBJ_id_cmc_addExtensions */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x09,     /* [2489] OBJ_id_cmc_encryptedPOP */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0A,     /* [2497] OBJ_id_cmc_decryptedPOP */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0B,     /* [2505] OBJ_id_cmc_lraPOPWitness */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0F,     /* [2513] OBJ_id_cmc_getCert */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x10,     /* [2521] OBJ_id_cmc_getCRL */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x11,     /* [2529] OBJ_id_cmc_revokeRequest */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x12,     /* [2537] OBJ_id_cmc_regInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x13,     /* [2545] OBJ_id_cmc_responseInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x15,     /* [2553] OBJ_id_cmc_queryPending */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x16,     /* [2561] OBJ_id_cmc_popLinkRandom */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x17,     /* [2569] OBJ_id_cmc_popLinkWitness */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x18,     /* [2577] OBJ_id_cmc_confirmCertAcceptance */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x01,     /* [2585] OBJ_id_on_personalData */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x01,     /* [2593] OBJ_id_pda_dateOfBirth */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x02,     /* [2601] OBJ_id_pda_placeOfBirth */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x03,     /* [2609] OBJ_id_pda_gender */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x04,     /* [2617] OBJ_id_pda_countryOfCitizenship */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x05,     /* [2625] OBJ_id_pda_countryOfResidence */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x01,     /* [2633] OBJ_id_aca_authenticationInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x02,     /* [2641] OBJ_id_aca_accessIdentity */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x03,     /* [2649] OBJ_id_aca_chargingIdentity */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x04,     /* [2657] OBJ_id_aca_group */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x05,     /* [2665] OBJ_id_aca_role */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,0x01,     /* [2673] OBJ_id_qcs_pkixQCSyntax_v1 */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x01,     /* [2681] OBJ_id_cct_crs */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x02,     /* [2689] OBJ_id_cct_PKIData */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x03,     /* [2697] OBJ_id_cct_PKIResponse */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x03,     /* [2705] OBJ_ad_timeStamping */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x04,     /* [2713] OBJ_ad_dvcs */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,/* [2721] OBJ_id_pkix_OCSP_basic */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,/* [2730] OBJ_id_pkix_OCSP_Nonce */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x03,/* [2739] OBJ_id_pkix_OCSP_CrlID */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x04,/* [2748] OBJ_id_pkix_OCSP_acceptableResponses */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,/* [2757] OBJ_id_pkix_OCSP_noCheck */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x06,/* [2766] OBJ_id_pkix_OCSP_archiveCutoff */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x07,/* [2775] OBJ_id_pkix_OCSP_serviceLocator */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x08,/* [2784] OBJ_id_pkix_OCSP_extendedStatus */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x09,/* [2793] OBJ_id_pkix_OCSP_valid */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0A,/* [2802] OBJ_id_pkix_OCSP_path */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0B,/* [2811] OBJ_id_pkix_OCSP_trustRoot */
-0x2B,0x0E,0x03,0x02,                         /* [2820] OBJ_algorithm */
-0x2B,0x0E,0x03,0x02,0x0B,                    /* [2824] OBJ_rsaSignature */
-0x55,0x08,                                   /* [2829] OBJ_X500algorithms */
-0x2B,                                        /* [2831] OBJ_org */
-0x2B,0x06,                                   /* [2832] OBJ_dod */
-0x2B,0x06,0x01,                              /* [2834] OBJ_iana */
-0x2B,0x06,0x01,0x01,                         /* [2837] OBJ_Directory */
-0x2B,0x06,0x01,0x02,                         /* [2841] OBJ_Management */
-0x2B,0x06,0x01,0x03,                         /* [2845] OBJ_Experimental */
-0x2B,0x06,0x01,0x04,                         /* [2849] OBJ_Private */
-0x2B,0x06,0x01,0x05,                         /* [2853] OBJ_Security */
-0x2B,0x06,0x01,0x06,                         /* [2857] OBJ_SNMPv2 */
-0x2B,0x06,0x01,0x07,                         /* [2861] OBJ_Mail */
-0x2B,0x06,0x01,0x04,0x01,                    /* [2865] OBJ_Enterprises */
-0x2B,0x06,0x01,0x04,0x01,0x8B,0x3A,0x82,0x58,/* [2870] OBJ_dcObject */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2879] OBJ_domainComponent */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2889] OBJ_Domain */
-0x00,                                        /* [2899] OBJ_joint_iso_ccitt */
-0x55,0x01,0x05,                              /* [2900] OBJ_selected_attribute_types */
-0x55,0x01,0x05,0x37,                         /* [2903] OBJ_clearance */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,/* [2907] OBJ_md4WithRSAEncryption */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A,     /* [2916] OBJ_ac_proxying */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B,     /* [2924] OBJ_sinfo_access */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06,     /* [2932] OBJ_id_aca_encAttrs */
-0x55,0x04,0x48,                              /* [2940] OBJ_role */
-0x55,0x1D,0x24,                              /* [2943] OBJ_policy_constraints */
-0x55,0x1D,0x37,                              /* [2946] OBJ_target_information */
-0x55,0x1D,0x38,                              /* [2949] OBJ_no_rev_avail */
-0x00,                                        /* [2952] OBJ_ccitt */
-0x2A,0x86,0x48,0xCE,0x3D,                    /* [2953] OBJ_ansi_X9_62 */
-0x2A,0x86,0x48,0xCE,0x3D,0x01,0x01,          /* [2958] OBJ_X9_62_prime_field */
-0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,          /* [2965] OBJ_X9_62_characteristic_two_field */
-0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,          /* [2972] OBJ_X9_62_id_ecPublicKey */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01,     /* [2979] OBJ_X9_62_prime192v1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02,     /* [2987] OBJ_X9_62_prime192v2 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03,     /* [2995] OBJ_X9_62_prime192v3 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04,     /* [3003] OBJ_X9_62_prime239v1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05,     /* [3011] OBJ_X9_62_prime239v2 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06,     /* [3019] OBJ_X9_62_prime239v3 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,     /* [3027] OBJ_X9_62_prime256v1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01,          /* [3035] OBJ_ecdsa_with_SHA1 */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x01,/* [3042] OBJ_ms_csp_name */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x01,/* [3051] OBJ_aes_128_ecb */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x02,/* [3060] OBJ_aes_128_cbc */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x03,/* [3069] OBJ_aes_128_ofb128 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x04,/* [3078] OBJ_aes_128_cfb128 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x15,/* [3087] OBJ_aes_192_ecb */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x16,/* [3096] OBJ_aes_192_cbc */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x17,/* [3105] OBJ_aes_192_ofb128 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x18,/* [3114] OBJ_aes_192_cfb128 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x29,/* [3123] OBJ_aes_256_ecb */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2A,/* [3132] OBJ_aes_256_cbc */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2B,/* [3141] OBJ_aes_256_ofb128 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2C,/* [3150] OBJ_aes_256_cfb128 */
-0x55,0x1D,0x17,                              /* [3159] OBJ_hold_instruction_code */
-0x2A,0x86,0x48,0xCE,0x38,0x02,0x01,          /* [3162] OBJ_hold_instruction_none */
-0x2A,0x86,0x48,0xCE,0x38,0x02,0x02,          /* [3169] OBJ_hold_instruction_call_issuer */
-0x2A,0x86,0x48,0xCE,0x38,0x02,0x03,          /* [3176] OBJ_hold_instruction_reject */
-0x09,                                        /* [3183] OBJ_data */
-0x09,0x92,0x26,                              /* [3184] OBJ_pss */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,          /* [3187] OBJ_ucl */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,     /* [3194] OBJ_pilot */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,/* [3202] OBJ_pilotAttributeType */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,/* [3211] OBJ_pilotAttributeSyntax */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,/* [3220] OBJ_pilotObjectClass */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x0A,/* [3229] OBJ_pilotGroups */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x04,/* [3238] OBJ_iA5StringSyntax */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x05,/* [3248] OBJ_caseIgnoreIA5StringSyntax */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x03,/* [3258] OBJ_pilotObject */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x04,/* [3268] OBJ_pilotPerson */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x05,/* [3278] OBJ_account */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x06,/* [3288] OBJ_document */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x07,/* [3298] OBJ_room */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x09,/* [3308] OBJ_documentSeries */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0E,/* [3318] OBJ_rFC822localPart */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0F,/* [3328] OBJ_dNSDomain */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x11,/* [3338] OBJ_domainRelatedObject */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x12,/* [3348] OBJ_friendlyCountry */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x13,/* [3358] OBJ_simpleSecurityObject */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x14,/* [3368] OBJ_pilotOrganization */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x15,/* [3378] OBJ_pilotDSA */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x16,/* [3388] OBJ_qualityLabelledData */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01,/* [3398] OBJ_userId */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x02,/* [3408] OBJ_textEncodedORAddress */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x03,/* [3418] OBJ_rfc822Mailbox */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x04,/* [3428] OBJ_info */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x05,/* [3438] OBJ_favouriteDrink */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x06,/* [3448] OBJ_roomNumber */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x07,/* [3458] OBJ_photo */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x08,/* [3468] OBJ_userClass */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x09,/* [3478] OBJ_host */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0A,/* [3488] OBJ_manager */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0B,/* [3498] OBJ_documentIdentifier */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0C,/* [3508] OBJ_documentTitle */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0D,/* [3518] OBJ_documentVersion */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0E,/* [3528] OBJ_documentAuthor */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0F,/* [3538] OBJ_documentLocation */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x14,/* [3548] OBJ_homeTelephoneNumber */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x15,/* [3558] OBJ_secretary */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x16,/* [3568] OBJ_otherMailbox */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x17,/* [3578] OBJ_lastModifiedTime */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x18,/* [3588] OBJ_lastModifiedBy */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1A,/* [3598] OBJ_aRecord */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1B,/* [3608] OBJ_pilotAttributeType27 */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1C,/* [3618] OBJ_mXRecord */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1D,/* [3628] OBJ_nSRecord */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1E,/* [3638] OBJ_sOARecord */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1F,/* [3648] OBJ_cNAMERecord */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x25,/* [3658] OBJ_associatedDomain */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x26,/* [3668] OBJ_associatedName */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x27,/* [3678] OBJ_homePostalAddress */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x28,/* [3688] OBJ_personalTitle */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x29,/* [3698] OBJ_mobileTelephoneNumber */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2A,/* [3708] OBJ_pagerTelephoneNumber */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2B,/* [3718] OBJ_friendlyCountryName */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2D,/* [3728] OBJ_organizationalStatus */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2E,/* [3738] OBJ_janetMailbox */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2F,/* [3748] OBJ_mailPreferenceOption */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x30,/* [3758] OBJ_buildingName */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x31,/* [3768] OBJ_dSAQuality */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x32,/* [3778] OBJ_singleLevelQuality */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x33,/* [3788] OBJ_subtreeMinimumQuality */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x34,/* [3798] OBJ_subtreeMaximumQuality */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x35,/* [3808] OBJ_personalSignature */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x36,/* [3818] OBJ_dITRedirect */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x37,/* [3828] OBJ_audio */
-0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x38,/* [3838] OBJ_documentPublisher */
-0x55,0x04,0x2D,                              /* [3848] OBJ_x500UniqueIdentifier */
-0x2B,0x06,0x01,0x07,0x01,                    /* [3851] OBJ_mime_mhs */
-0x2B,0x06,0x01,0x07,0x01,0x01,               /* [3856] OBJ_mime_mhs_headings */
-0x2B,0x06,0x01,0x07,0x01,0x02,               /* [3862] OBJ_mime_mhs_bodies */
-0x2B,0x06,0x01,0x07,0x01,0x01,0x01,          /* [3868] OBJ_id_hex_partial_message */
-0x2B,0x06,0x01,0x07,0x01,0x01,0x02,          /* [3875] OBJ_id_hex_multipart_message */
-0x55,0x04,0x2C,                              /* [3882] OBJ_generationQualifier */
-0x55,0x04,0x41,                              /* [3885] OBJ_pseudonym */
-0x67,0x2A,                                   /* [3888] OBJ_id_set */
-0x67,0x2A,0x00,                              /* [3890] OBJ_set_ctype */
-0x67,0x2A,0x01,                              /* [3893] OBJ_set_msgExt */
-0x67,0x2A,0x03,                              /* [3896] OBJ_set_attr */
-0x67,0x2A,0x05,                              /* [3899] OBJ_set_policy */
-0x67,0x2A,0x07,                              /* [3902] OBJ_set_certExt */
-0x67,0x2A,0x08,                              /* [3905] OBJ_set_brand */
-0x67,0x2A,0x00,0x00,                         /* [3908] OBJ_setct_PANData */
-0x67,0x2A,0x00,0x01,                         /* [3912] OBJ_setct_PANToken */
-0x67,0x2A,0x00,0x02,                         /* [3916] OBJ_setct_PANOnly */
-0x67,0x2A,0x00,0x03,                         /* [3920] OBJ_setct_OIData */
-0x67,0x2A,0x00,0x04,                         /* [3924] OBJ_setct_PI */
-0x67,0x2A,0x00,0x05,                         /* [3928] OBJ_setct_PIData */
-0x67,0x2A,0x00,0x06,                         /* [3932] OBJ_setct_PIDataUnsigned */
-0x67,0x2A,0x00,0x07,                         /* [3936] OBJ_setct_HODInput */
-0x67,0x2A,0x00,0x08,                         /* [3940] OBJ_setct_AuthResBaggage */
-0x67,0x2A,0x00,0x09,                         /* [3944] OBJ_setct_AuthRevReqBaggage */
-0x67,0x2A,0x00,0x0A,                         /* [3948] OBJ_setct_AuthRevResBaggage */
-0x67,0x2A,0x00,0x0B,                         /* [3952] OBJ_setct_CapTokenSeq */
-0x67,0x2A,0x00,0x0C,                         /* [3956] OBJ_setct_PInitResData */
-0x67,0x2A,0x00,0x0D,                         /* [3960] OBJ_setct_PI_TBS */
-0x67,0x2A,0x00,0x0E,                         /* [3964] OBJ_setct_PResData */
-0x67,0x2A,0x00,0x10,                         /* [3968] OBJ_setct_AuthReqTBS */
-0x67,0x2A,0x00,0x11,                         /* [3972] OBJ_setct_AuthResTBS */
-0x67,0x2A,0x00,0x12,                         /* [3976] OBJ_setct_AuthResTBSX */
-0x67,0x2A,0x00,0x13,                         /* [3980] OBJ_setct_AuthTokenTBS */
-0x67,0x2A,0x00,0x14,                         /* [3984] OBJ_setct_CapTokenData */
-0x67,0x2A,0x00,0x15,                         /* [3988] OBJ_setct_CapTokenTBS */
-0x67,0x2A,0x00,0x16,                         /* [3992] OBJ_setct_AcqCardCodeMsg */
-0x67,0x2A,0x00,0x17,                         /* [3996] OBJ_setct_AuthRevReqTBS */
-0x67,0x2A,0x00,0x18,                         /* [4000] OBJ_setct_AuthRevResData */
-0x67,0x2A,0x00,0x19,                         /* [4004] OBJ_setct_AuthRevResTBS */
-0x67,0x2A,0x00,0x1A,                         /* [4008] OBJ_setct_CapReqTBS */
-0x67,0x2A,0x00,0x1B,                         /* [4012] OBJ_setct_CapReqTBSX */
-0x67,0x2A,0x00,0x1C,                         /* [4016] OBJ_setct_CapResData */
-0x67,0x2A,0x00,0x1D,                         /* [4020] OBJ_setct_CapRevReqTBS */
-0x67,0x2A,0x00,0x1E,                         /* [4024] OBJ_setct_CapRevReqTBSX */
-0x67,0x2A,0x00,0x1F,                         /* [4028] OBJ_setct_CapRevResData */
-0x67,0x2A,0x00,0x20,                         /* [4032] OBJ_setct_CredReqTBS */
-0x67,0x2A,0x00,0x21,                         /* [4036] OBJ_setct_CredReqTBSX */
-0x67,0x2A,0x00,0x22,                         /* [4040] OBJ_setct_CredResData */
-0x67,0x2A,0x00,0x23,                         /* [4044] OBJ_setct_CredRevReqTBS */
-0x67,0x2A,0x00,0x24,                         /* [4048] OBJ_setct_CredRevReqTBSX */
-0x67,0x2A,0x00,0x25,                         /* [4052] OBJ_setct_CredRevResData */
-0x67,0x2A,0x00,0x26,                         /* [4056] OBJ_setct_PCertReqData */
-0x67,0x2A,0x00,0x27,                         /* [4060] OBJ_setct_PCertResTBS */
-0x67,0x2A,0x00,0x28,                         /* [4064] OBJ_setct_BatchAdminReqData */
-0x67,0x2A,0x00,0x29,                         /* [4068] OBJ_setct_BatchAdminResData */
-0x67,0x2A,0x00,0x2A,                         /* [4072] OBJ_setct_CardCInitResTBS */
-0x67,0x2A,0x00,0x2B,                         /* [4076] OBJ_setct_MeAqCInitResTBS */
-0x67,0x2A,0x00,0x2C,                         /* [4080] OBJ_setct_RegFormResTBS */
-0x67,0x2A,0x00,0x2D,                         /* [4084] OBJ_setct_CertReqData */
-0x67,0x2A,0x00,0x2E,                         /* [4088] OBJ_setct_CertReqTBS */
-0x67,0x2A,0x00,0x2F,                         /* [4092] OBJ_setct_CertResData */
-0x67,0x2A,0x00,0x30,                         /* [4096] OBJ_setct_CertInqReqTBS */
-0x67,0x2A,0x00,0x31,                         /* [4100] OBJ_setct_ErrorTBS */
-0x67,0x2A,0x00,0x32,                         /* [4104] OBJ_setct_PIDualSignedTBE */
-0x67,0x2A,0x00,0x33,                         /* [4108] OBJ_setct_PIUnsignedTBE */
-0x67,0x2A,0x00,0x34,                         /* [4112] OBJ_setct_AuthReqTBE */
-0x67,0x2A,0x00,0x35,                         /* [4116] OBJ_setct_AuthResTBE */
-0x67,0x2A,0x00,0x36,                         /* [4120] OBJ_setct_AuthResTBEX */
-0x67,0x2A,0x00,0x37,                         /* [4124] OBJ_setct_AuthTokenTBE */
-0x67,0x2A,0x00,0x38,                         /* [4128] OBJ_setct_CapTokenTBE */
-0x67,0x2A,0x00,0x39,                         /* [4132] OBJ_setct_CapTokenTBEX */
-0x67,0x2A,0x00,0x3A,                         /* [4136] OBJ_setct_AcqCardCodeMsgTBE */
-0x67,0x2A,0x00,0x3B,                         /* [4140] OBJ_setct_AuthRevReqTBE */
-0x67,0x2A,0x00,0x3C,                         /* [4144] OBJ_setct_AuthRevResTBE */
-0x67,0x2A,0x00,0x3D,                         /* [4148] OBJ_setct_AuthRevResTBEB */
-0x67,0x2A,0x00,0x3E,                         /* [4152] OBJ_setct_CapReqTBE */
-0x67,0x2A,0x00,0x3F,                         /* [4156] OBJ_setct_CapReqTBEX */
-0x67,0x2A,0x00,0x40,                         /* [4160] OBJ_setct_CapResTBE */
-0x67,0x2A,0x00,0x41,                         /* [4164] OBJ_setct_CapRevReqTBE */
-0x67,0x2A,0x00,0x42,                         /* [4168] OBJ_setct_CapRevReqTBEX */
-0x67,0x2A,0x00,0x43,                         /* [4172] OBJ_setct_CapRevResTBE */
-0x67,0x2A,0x00,0x44,                         /* [4176] OBJ_setct_CredReqTBE */
-0x67,0x2A,0x00,0x45,                         /* [4180] OBJ_setct_CredReqTBEX */
-0x67,0x2A,0x00,0x46,                         /* [4184] OBJ_setct_CredResTBE */
-0x67,0x2A,0x00,0x47,                         /* [4188] OBJ_setct_CredRevReqTBE */
-0x67,0x2A,0x00,0x48,                         /* [4192] OBJ_setct_CredRevReqTBEX */
-0x67,0x2A,0x00,0x49,                         /* [4196] OBJ_setct_CredRevResTBE */
-0x67,0x2A,0x00,0x4A,                         /* [4200] OBJ_setct_BatchAdminReqTBE */
-0x67,0x2A,0x00,0x4B,                         /* [4204] OBJ_setct_BatchAdminResTBE */
-0x67,0x2A,0x00,0x4C,                         /* [4208] OBJ_setct_RegFormReqTBE */
-0x67,0x2A,0x00,0x4D,                         /* [4212] OBJ_setct_CertReqTBE */
-0x67,0x2A,0x00,0x4E,                         /* [4216] OBJ_setct_CertReqTBEX */
-0x67,0x2A,0x00,0x4F,                         /* [4220] OBJ_setct_CertResTBE */
-0x67,0x2A,0x00,0x50,                         /* [4224] OBJ_setct_CRLNotificationTBS */
-0x67,0x2A,0x00,0x51,                         /* [4228] OBJ_setct_CRLNotificationResTBS */
-0x67,0x2A,0x00,0x52,                         /* [4232] OBJ_setct_BCIDistributionTBS */
-0x67,0x2A,0x01,0x01,                         /* [4236] OBJ_setext_genCrypt */
-0x67,0x2A,0x01,0x03,                         /* [4240] OBJ_setext_miAuth */
-0x67,0x2A,0x01,0x04,                         /* [4244] OBJ_setext_pinSecure */
-0x67,0x2A,0x01,0x05,                         /* [4248] OBJ_setext_pinAny */
-0x67,0x2A,0x01,0x07,                         /* [4252] OBJ_setext_track2 */
-0x67,0x2A,0x01,0x08,                         /* [4256] OBJ_setext_cv */
-0x67,0x2A,0x05,0x00,                         /* [4260] OBJ_set_policy_root */
-0x67,0x2A,0x07,0x00,                         /* [4264] OBJ_setCext_hashedRoot */
-0x67,0x2A,0x07,0x01,                         /* [4268] OBJ_setCext_certType */
-0x67,0x2A,0x07,0x02,                         /* [4272] OBJ_setCext_merchData */
-0x67,0x2A,0x07,0x03,                         /* [4276] OBJ_setCext_cCertRequired */
-0x67,0x2A,0x07,0x04,                         /* [4280] OBJ_setCext_tunneling */
-0x67,0x2A,0x07,0x05,                         /* [4284] OBJ_setCext_setExt */
-0x67,0x2A,0x07,0x06,                         /* [4288] OBJ_setCext_setQualf */
-0x67,0x2A,0x07,0x07,                         /* [4292] OBJ_setCext_PGWYcapabilities */
-0x67,0x2A,0x07,0x08,                         /* [4296] OBJ_setCext_TokenIdentifier */
-0x67,0x2A,0x07,0x09,                         /* [4300] OBJ_setCext_Track2Data */
-0x67,0x2A,0x07,0x0A,                         /* [4304] OBJ_setCext_TokenType */
-0x67,0x2A,0x07,0x0B,                         /* [4308] OBJ_setCext_IssuerCapabilities */
-0x67,0x2A,0x03,0x00,                         /* [4312] OBJ_setAttr_Cert */
-0x67,0x2A,0x03,0x01,                         /* [4316] OBJ_setAttr_PGWYcap */
-0x67,0x2A,0x03,0x02,                         /* [4320] OBJ_setAttr_TokenType */
-0x67,0x2A,0x03,0x03,                         /* [4324] OBJ_setAttr_IssCap */
-0x67,0x2A,0x03,0x00,0x00,                    /* [4328] OBJ_set_rootKeyThumb */
-0x67,0x2A,0x03,0x00,0x01,                    /* [4333] OBJ_set_addPolicy */
-0x67,0x2A,0x03,0x02,0x01,                    /* [4338] OBJ_setAttr_Token_EMV */
-0x67,0x2A,0x03,0x02,0x02,                    /* [4343] OBJ_setAttr_Token_B0Prime */
-0x67,0x2A,0x03,0x03,0x03,                    /* [4348] OBJ_setAttr_IssCap_CVM */
-0x67,0x2A,0x03,0x03,0x04,                    /* [4353] OBJ_setAttr_IssCap_T2 */
-0x67,0x2A,0x03,0x03,0x05,                    /* [4358] OBJ_setAttr_IssCap_Sig */
-0x67,0x2A,0x03,0x03,0x03,0x01,               /* [4363] OBJ_setAttr_GenCryptgrm */
-0x67,0x2A,0x03,0x03,0x04,0x01,               /* [4369] OBJ_setAttr_T2Enc */
-0x67,0x2A,0x03,0x03,0x04,0x02,               /* [4375] OBJ_setAttr_T2cleartxt */
-0x67,0x2A,0x03,0x03,0x05,0x01,               /* [4381] OBJ_setAttr_TokICCsig */
-0x67,0x2A,0x03,0x03,0x05,0x02,               /* [4387] OBJ_setAttr_SecDevSig */
-0x67,0x2A,0x08,0x01,                         /* [4393] OBJ_set_brand_IATA_ATA */
-0x67,0x2A,0x08,0x1E,                         /* [4397] OBJ_set_brand_Diners */
-0x67,0x2A,0x08,0x22,                         /* [4401] OBJ_set_brand_AmericanExpress */
-0x67,0x2A,0x08,0x23,                         /* [4405] OBJ_set_brand_JCB */
-0x67,0x2A,0x08,0x04,                         /* [4409] OBJ_set_brand_Visa */
-0x67,0x2A,0x08,0x05,                         /* [4413] OBJ_set_brand_MasterCard */
-0x67,0x2A,0x08,0xAE,0x7B,                    /* [4417] OBJ_set_brand_Novus */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A,     /* [4422] OBJ_des_cdmf */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06,/* [4430] OBJ_rsaOAEPEncryptionSET */
-0x00,                                        /* [4439] OBJ_itu_t */
-0x50,                                        /* [4440] OBJ_joint_iso_itu_t */
-0x67,                                        /* [4441] OBJ_international_organizations */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4442] OBJ_ms_smartcard_login */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4452] OBJ_ms_upn */
-0x55,0x04,0x09,                              /* [4462] OBJ_streetAddress */
-0x55,0x04,0x11,                              /* [4465] OBJ_postalCode */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x15,          /* [4468] OBJ_id_ppl */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,     /* [4475] OBJ_proxyCertInfo */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4483] OBJ_id_ppl_anyLanguage */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4491] OBJ_id_ppl_inheritAll */
-0x55,0x1D,0x1E,                              /* [4499] OBJ_name_constraints */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4502] OBJ_Independent */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4510] OBJ_sha256WithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4519] OBJ_sha384WithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4528] OBJ_sha512WithRSAEncryption */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4537] OBJ_sha224WithRSAEncryption */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4546] OBJ_sha256 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4555] OBJ_sha384 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4564] OBJ_sha512 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4573] OBJ_sha224 */
-0x2B,                                        /* [4582] OBJ_identified_organization */
-0x2B,0x81,0x04,                              /* [4583] OBJ_certicom_arc */
-0x67,0x2B,                                   /* [4586] OBJ_wap */
-0x67,0x2B,0x01,                              /* [4588] OBJ_wap_wsg */
-0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,     /* [4591] OBJ_X9_62_id_characteristic_two_basis */
-0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x01,/* [4599] OBJ_X9_62_onBasis */
-0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x02,/* [4608] OBJ_X9_62_tpBasis */
-0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x03,/* [4617] OBJ_X9_62_ppBasis */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x01,     /* [4626] OBJ_X9_62_c2pnb163v1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x02,     /* [4634] OBJ_X9_62_c2pnb163v2 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x03,     /* [4642] OBJ_X9_62_c2pnb163v3 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x04,     /* [4650] OBJ_X9_62_c2pnb176v1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x05,     /* [4658] OBJ_X9_62_c2tnb191v1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x06,     /* [4666] OBJ_X9_62_c2tnb191v2 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x07,     /* [4674] OBJ_X9_62_c2tnb191v3 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x08,     /* [4682] OBJ_X9_62_c2onb191v4 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x09,     /* [4690] OBJ_X9_62_c2onb191v5 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0A,     /* [4698] OBJ_X9_62_c2pnb208w1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0B,     /* [4706] OBJ_X9_62_c2tnb239v1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0C,     /* [4714] OBJ_X9_62_c2tnb239v2 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0D,     /* [4722] OBJ_X9_62_c2tnb239v3 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0E,     /* [4730] OBJ_X9_62_c2onb239v4 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0F,     /* [4738] OBJ_X9_62_c2onb239v5 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x10,     /* [4746] OBJ_X9_62_c2pnb272w1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x11,     /* [4754] OBJ_X9_62_c2pnb304w1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x12,     /* [4762] OBJ_X9_62_c2tnb359v1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x13,     /* [4770] OBJ_X9_62_c2pnb368w1 */
-0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x14,     /* [4778] OBJ_X9_62_c2tnb431r1 */
-0x2B,0x81,0x04,0x00,0x06,                    /* [4786] OBJ_secp112r1 */
-0x2B,0x81,0x04,0x00,0x07,                    /* [4791] OBJ_secp112r2 */
-0x2B,0x81,0x04,0x00,0x1C,                    /* [4796] OBJ_secp128r1 */
-0x2B,0x81,0x04,0x00,0x1D,                    /* [4801] OBJ_secp128r2 */
-0x2B,0x81,0x04,0x00,0x09,                    /* [4806] OBJ_secp160k1 */
-0x2B,0x81,0x04,0x00,0x08,                    /* [4811] OBJ_secp160r1 */
-0x2B,0x81,0x04,0x00,0x1E,                    /* [4816] OBJ_secp160r2 */
-0x2B,0x81,0x04,0x00,0x1F,                    /* [4821] OBJ_secp192k1 */
-0x2B,0x81,0x04,0x00,0x20,                    /* [4826] OBJ_secp224k1 */
-0x2B,0x81,0x04,0x00,0x21,                    /* [4831] OBJ_secp224r1 */
-0x2B,0x81,0x04,0x00,0x0A,                    /* [4836] OBJ_secp256k1 */
-0x2B,0x81,0x04,0x00,0x22,                    /* [4841] OBJ_secp384r1 */
-0x2B,0x81,0x04,0x00,0x23,                    /* [4846] OBJ_secp521r1 */
-0x2B,0x81,0x04,0x00,0x04,                    /* [4851] OBJ_sect113r1 */
-0x2B,0x81,0x04,0x00,0x05,                    /* [4856] OBJ_sect113r2 */
-0x2B,0x81,0x04,0x00,0x16,                    /* [4861] OBJ_sect131r1 */
-0x2B,0x81,0x04,0x00,0x17,                    /* [4866] OBJ_sect131r2 */
-0x2B,0x81,0x04,0x00,0x01,                    /* [4871] OBJ_sect163k1 */
-0x2B,0x81,0x04,0x00,0x02,                    /* [4876] OBJ_sect163r1 */
-0x2B,0x81,0x04,0x00,0x0F,                    /* [4881] OBJ_sect163r2 */
-0x2B,0x81,0x04,0x00,0x18,                    /* [4886] OBJ_sect193r1 */
-0x2B,0x81,0x04,0x00,0x19,                    /* [4891] OBJ_sect193r2 */
-0x2B,0x81,0x04,0x00,0x1A,                    /* [4896] OBJ_sect233k1 */
-0x2B,0x81,0x04,0x00,0x1B,                    /* [4901] OBJ_sect233r1 */
-0x2B,0x81,0x04,0x00,0x03,                    /* [4906] OBJ_sect239k1 */
-0x2B,0x81,0x04,0x00,0x10,                    /* [4911] OBJ_sect283k1 */
-0x2B,0x81,0x04,0x00,0x11,                    /* [4916] OBJ_sect283r1 */
-0x2B,0x81,0x04,0x00,0x24,                    /* [4921] OBJ_sect409k1 */
-0x2B,0x81,0x04,0x00,0x25,                    /* [4926] OBJ_sect409r1 */
-0x2B,0x81,0x04,0x00,0x26,                    /* [4931] OBJ_sect571k1 */
-0x2B,0x81,0x04,0x00,0x27,                    /* [4936] OBJ_sect571r1 */
-0x67,0x2B,0x01,0x04,0x01,                    /* [4941] OBJ_wap_wsg_idm_ecid_wtls1 */
-0x67,0x2B,0x01,0x04,0x03,                    /* [4946] OBJ_wap_wsg_idm_ecid_wtls3 */
-0x67,0x2B,0x01,0x04,0x04,                    /* [4951] OBJ_wap_wsg_idm_ecid_wtls4 */
-0x67,0x2B,0x01,0x04,0x05,                    /* [4956] OBJ_wap_wsg_idm_ecid_wtls5 */
-0x67,0x2B,0x01,0x04,0x06,                    /* [4961] OBJ_wap_wsg_idm_ecid_wtls6 */
-0x67,0x2B,0x01,0x04,0x07,                    /* [4966] OBJ_wap_wsg_idm_ecid_wtls7 */
-0x67,0x2B,0x01,0x04,0x08,                    /* [4971] OBJ_wap_wsg_idm_ecid_wtls8 */
-0x67,0x2B,0x01,0x04,0x09,                    /* [4976] OBJ_wap_wsg_idm_ecid_wtls9 */
-0x67,0x2B,0x01,0x04,0x0A,                    /* [4981] OBJ_wap_wsg_idm_ecid_wtls10 */
-0x67,0x2B,0x01,0x04,0x0B,                    /* [4986] OBJ_wap_wsg_idm_ecid_wtls11 */
-0x67,0x2B,0x01,0x04,0x0C,                    /* [4991] OBJ_wap_wsg_idm_ecid_wtls12 */
-0x55,0x1D,0x20,0x00,                         /* [4996] OBJ_any_policy */
-0x55,0x1D,0x21,                              /* [5000] OBJ_policy_mappings */
-0x55,0x1D,0x36,                              /* [5003] OBJ_inhibit_any_policy */
-0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x02,/* [5006] OBJ_camellia_128_cbc */
-0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x03,/* [5017] OBJ_camellia_192_cbc */
-0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x04,/* [5028] OBJ_camellia_256_cbc */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x01,     /* [5039] OBJ_camellia_128_ecb */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x15,     /* [5047] OBJ_camellia_192_ecb */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x29,     /* [5055] OBJ_camellia_256_ecb */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x04,     /* [5063] OBJ_camellia_128_cfb128 */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x18,     /* [5071] OBJ_camellia_192_cfb128 */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2C,     /* [5079] OBJ_camellia_256_cfb128 */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x03,     /* [5087] OBJ_camellia_128_ofb128 */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x17,     /* [5095] OBJ_camellia_192_ofb128 */
-0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2B,     /* [5103] OBJ_camellia_256_ofb128 */
-0x55,0x1D,0x09,                              /* [5111] OBJ_subject_directory_attributes */
-0x55,0x1D,0x1C,                              /* [5114] OBJ_issuing_distribution_point */
-0x55,0x1D,0x1D,                              /* [5117] OBJ_certificate_issuer */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,               /* [5120] OBJ_kisa */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x03,     /* [5126] OBJ_seed_ecb */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x04,     /* [5134] OBJ_seed_cbc */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x06,     /* [5142] OBJ_seed_ofb128 */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x05,     /* [5150] OBJ_seed_cfb128 */
-0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x01,     /* [5158] OBJ_hmac_md5 */
-0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x02,     /* [5166] OBJ_hmac_sha1 */
-0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0D,/* [5174] OBJ_id_PasswordBasedMAC */
-0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x1E,/* [5183] OBJ_id_DHBasedMac */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x10,     /* [5192] OBJ_id_it_suppLangTags */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x05,     /* [5200] OBJ_caRepository */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x09,/* [5208] OBJ_id_smime_ct_compressedData */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1B,/* [5219] OBJ_id_ct_asciiTextWithCRLF */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x05,/* [5230] OBJ_id_aes128_wrap */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x19,/* [5239] OBJ_id_aes192_wrap */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2D,/* [5248] OBJ_id_aes256_wrap */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x02,          /* [5257] OBJ_ecdsa_with_Recommended */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,          /* [5264] OBJ_ecdsa_with_Specified */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x01,     /* [5271] OBJ_ecdsa_with_SHA224 */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,     /* [5279] OBJ_ecdsa_with_SHA256 */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,     /* [5287] OBJ_ecdsa_with_SHA384 */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04,     /* [5295] OBJ_ecdsa_with_SHA512 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x06,     /* [5303] OBJ_hmacWithMD5 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x08,     /* [5311] OBJ_hmacWithSHA224 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x09,     /* [5319] OBJ_hmacWithSHA256 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0A,     /* [5327] OBJ_hmacWithSHA384 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0B,     /* [5335] OBJ_hmacWithSHA512 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x01,/* [5343] OBJ_dsa_with_SHA224 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x02,/* [5352] OBJ_dsa_with_SHA256 */
-0x28,0xCF,0x06,0x03,0x00,0x37,               /* [5361] OBJ_whirlpool */
-0x2A,0x85,0x03,0x02,0x02,                    /* [5367] OBJ_cryptopro */
-0x2A,0x85,0x03,0x02,0x09,                    /* [5372] OBJ_cryptocom */
-0x2A,0x85,0x03,0x02,0x02,0x03,               /* [5377] OBJ_id_GostR3411_94_with_GostR3410_2001 */
-0x2A,0x85,0x03,0x02,0x02,0x04,               /* [5383] OBJ_id_GostR3411_94_with_GostR3410_94 */
-0x2A,0x85,0x03,0x02,0x02,0x09,               /* [5389] OBJ_id_GostR3411_94 */
-0x2A,0x85,0x03,0x02,0x02,0x0A,               /* [5395] OBJ_id_HMACGostR3411_94 */
-0x2A,0x85,0x03,0x02,0x02,0x13,               /* [5401] OBJ_id_GostR3410_2001 */
-0x2A,0x85,0x03,0x02,0x02,0x14,               /* [5407] OBJ_id_GostR3410_94 */
-0x2A,0x85,0x03,0x02,0x02,0x15,               /* [5413] OBJ_id_Gost28147_89 */
-0x2A,0x85,0x03,0x02,0x02,0x16,               /* [5419] OBJ_id_Gost28147_89_MAC */
-0x2A,0x85,0x03,0x02,0x02,0x17,               /* [5425] OBJ_id_GostR3411_94_prf */
-0x2A,0x85,0x03,0x02,0x02,0x62,               /* [5431] OBJ_id_GostR3410_2001DH */
-0x2A,0x85,0x03,0x02,0x02,0x63,               /* [5437] OBJ_id_GostR3410_94DH */
-0x2A,0x85,0x03,0x02,0x02,0x0E,0x01,          /* [5443] OBJ_id_Gost28147_89_CryptoPro_KeyMeshing */
-0x2A,0x85,0x03,0x02,0x02,0x0E,0x00,          /* [5450] OBJ_id_Gost28147_89_None_KeyMeshing */
-0x2A,0x85,0x03,0x02,0x02,0x1E,0x00,          /* [5457] OBJ_id_GostR3411_94_TestParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1E,0x01,          /* [5464] OBJ_id_GostR3411_94_CryptoProParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x00,          /* [5471] OBJ_id_Gost28147_89_TestParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x01,          /* [5478] OBJ_id_Gost28147_89_CryptoPro_A_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x02,          /* [5485] OBJ_id_Gost28147_89_CryptoPro_B_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x03,          /* [5492] OBJ_id_Gost28147_89_CryptoPro_C_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x04,          /* [5499] OBJ_id_Gost28147_89_CryptoPro_D_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x05,          /* [5506] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x06,          /* [5513] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x07,          /* [5520] OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x00,          /* [5527] OBJ_id_GostR3410_94_TestParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x02,          /* [5534] OBJ_id_GostR3410_94_CryptoPro_A_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x03,          /* [5541] OBJ_id_GostR3410_94_CryptoPro_B_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x04,          /* [5548] OBJ_id_GostR3410_94_CryptoPro_C_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x05,          /* [5555] OBJ_id_GostR3410_94_CryptoPro_D_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x21,0x01,          /* [5562] OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x21,0x02,          /* [5569] OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x21,0x03,          /* [5576] OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x23,0x00,          /* [5583] OBJ_id_GostR3410_2001_TestParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x23,0x01,          /* [5590] OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x23,0x02,          /* [5597] OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x23,0x03,          /* [5604] OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x24,0x00,          /* [5611] OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x24,0x01,          /* [5618] OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x14,0x01,          /* [5625] OBJ_id_GostR3410_94_a */
-0x2A,0x85,0x03,0x02,0x02,0x14,0x02,          /* [5632] OBJ_id_GostR3410_94_aBis */
-0x2A,0x85,0x03,0x02,0x02,0x14,0x03,          /* [5639] OBJ_id_GostR3410_94_b */
-0x2A,0x85,0x03,0x02,0x02,0x14,0x04,          /* [5646] OBJ_id_GostR3410_94_bBis */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x06,0x01,     /* [5653] OBJ_id_Gost28147_89_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x03,     /* [5661] OBJ_id_GostR3410_94_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x04,     /* [5669] OBJ_id_GostR3410_2001_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x03,     /* [5677] OBJ_id_GostR3411_94_with_GostR3410_94_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x04,     /* [5685] OBJ_id_GostR3411_94_with_GostR3410_2001_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x08,0x01,     /* [5693] OBJ_id_GostR3410_2001_ParamSet_cc */
-0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x02,/* [5701] OBJ_LocalKeySet */
-0x55,0x1D,0x2E,                              /* [5710] OBJ_freshest_crl */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x03,     /* [5713] OBJ_id_on_permanentIdentifier */
-0x55,0x04,0x0E,                              /* [5721] OBJ_searchGuide */
-0x55,0x04,0x0F,                              /* [5724] OBJ_businessCategory */
-0x55,0x04,0x10,                              /* [5727] OBJ_postalAddress */
-0x55,0x04,0x12,                              /* [5730] OBJ_postOfficeBox */
-0x55,0x04,0x13,                              /* [5733] OBJ_physicalDeliveryOfficeName */
-0x55,0x04,0x14,                              /* [5736] OBJ_telephoneNumber */
-0x55,0x04,0x15,                              /* [5739] OBJ_telexNumber */
-0x55,0x04,0x16,                              /* [5742] OBJ_teletexTerminalIdentifier */
-0x55,0x04,0x17,                              /* [5745] OBJ_facsimileTelephoneNumber */
-0x55,0x04,0x18,                              /* [5748] OBJ_x121Address */
-0x55,0x04,0x19,                              /* [5751] OBJ_internationaliSDNNumber */
-0x55,0x04,0x1A,                              /* [5754] OBJ_registeredAddress */
-0x55,0x04,0x1B,                              /* [5757] OBJ_destinationIndicator */
-0x55,0x04,0x1C,                              /* [5760] OBJ_preferredDeliveryMethod */
-0x55,0x04,0x1D,                              /* [5763] OBJ_presentationAddress */
-0x55,0x04,0x1E,                              /* [5766] OBJ_supportedApplicationContext */
-0x55,0x04,0x1F,                              /* [5769] OBJ_member */
-0x55,0x04,0x20,                              /* [5772] OBJ_owner */
-0x55,0x04,0x21,                              /* [5775] OBJ_roleOccupant */
-0x55,0x04,0x22,                              /* [5778] OBJ_seeAlso */
-0x55,0x04,0x23,                              /* [5781] OBJ_userPassword */
-0x55,0x04,0x24,                              /* [5784] OBJ_userCertificate */
-0x55,0x04,0x25,                              /* [5787] OBJ_cACertificate */
-0x55,0x04,0x26,                              /* [5790] OBJ_authorityRevocationList */
-0x55,0x04,0x27,                              /* [5793] OBJ_certificateRevocationList */
-0x55,0x04,0x28,                              /* [5796] OBJ_crossCertificatePair */
-0x55,0x04,0x2F,                              /* [5799] OBJ_enhancedSearchGuide */
-0x55,0x04,0x30,                              /* [5802] OBJ_protocolInformation */
-0x55,0x04,0x31,                              /* [5805] OBJ_distinguishedName */
-0x55,0x04,0x32,                              /* [5808] OBJ_uniqueMember */
-0x55,0x04,0x33,                              /* [5811] OBJ_houseIdentifier */
-0x55,0x04,0x34,                              /* [5814] OBJ_supportedAlgorithms */
-0x55,0x04,0x35,                              /* [5817] OBJ_deltaRevocationList */
-0x55,0x04,0x36,                              /* [5820] OBJ_dmdName */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x09,/* [5823] OBJ_id_alg_PWRI_KEK */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x06,/* [5834] OBJ_aes_128_gcm */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x07,/* [5843] OBJ_aes_128_ccm */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x08,/* [5852] OBJ_id_aes128_wrap_pad */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1A,/* [5861] OBJ_aes_192_gcm */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1B,/* [5870] OBJ_aes_192_ccm */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1C,/* [5879] OBJ_id_aes192_wrap_pad */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2E,/* [5888] OBJ_aes_256_gcm */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2F,/* [5897] OBJ_aes_256_ccm */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x30,/* [5906] OBJ_id_aes256_wrap_pad */
-0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x02,/* [5915] OBJ_id_camellia128_wrap */
-0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x03,/* [5926] OBJ_id_camellia192_wrap */
-0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x04,/* [5937] OBJ_id_camellia256_wrap */
-0x55,0x1D,0x25,0x00,                         /* [5948] OBJ_anyExtendedKeyUsage */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x08,/* [5952] OBJ_mgf1 */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0A,/* [5961] OBJ_rsassaPss */
-0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x07,/* [5970] OBJ_rsaesOaep */
+static const unsigned char lvalues[5974]={
+0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  0] OBJ_rsadsi */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  6] OBJ_pkcs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,     /* [ 13] OBJ_md2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05,     /* [ 21] OBJ_md5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x04,     /* [ 29] OBJ_rc4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,/* [ 37] OBJ_rsaEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02,/* [ 46] OBJ_md2WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04,/* [ 55] OBJ_md5WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x01,/* [ 64] OBJ_pbeWithMD2AndDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x03,/* [ 73] OBJ_pbeWithMD5AndDES_CBC */
+0x55,                                        /* [ 82] OBJ_X500 */
+0x55,0x04,                                   /* [ 83] OBJ_X509 */
+0x55,0x04,0x03,                              /* [ 85] OBJ_commonName */
+0x55,0x04,0x06,                              /* [ 88] OBJ_countryName */
+0x55,0x04,0x07,                              /* [ 91] OBJ_localityName */
+0x55,0x04,0x08,                              /* [ 94] OBJ_stateOrProvinceName */
+0x55,0x04,0x0A,                              /* [ 97] OBJ_organizationName */
+0x55,0x04,0x0B,                              /* [100] OBJ_organizationalUnitName */
+0x55,0x08,0x01,0x01,                         /* [103] OBJ_rsa */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,     /* [107] OBJ_pkcs7 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,/* [115] OBJ_pkcs7_data */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,/* [124] OBJ_pkcs7_signed */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x03,/* [133] OBJ_pkcs7_enveloped */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x04,/* [142] OBJ_pkcs7_signedAndEnveloped */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x05,/* [151] OBJ_pkcs7_digest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x06,/* [160] OBJ_pkcs7_encrypted */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,     /* [169] OBJ_pkcs3 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,0x01,/* [177] OBJ_dhKeyAgreement */
+0x2B,0x0E,0x03,0x02,0x06,                    /* [186] OBJ_des_ecb */
+0x2B,0x0E,0x03,0x02,0x09,                    /* [191] OBJ_des_cfb64 */
+0x2B,0x0E,0x03,0x02,0x07,                    /* [196] OBJ_des_cbc */
+0x2B,0x0E,0x03,0x02,0x11,                    /* [201] OBJ_des_ede_ecb */
+0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02,/* [206] OBJ_idea_cbc */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02,     /* [217] OBJ_rc2_cbc */
+0x2B,0x0E,0x03,0x02,0x12,                    /* [225] OBJ_sha */
+0x2B,0x0E,0x03,0x02,0x0F,                    /* [230] OBJ_shaWithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07,     /* [235] OBJ_des_ede3_cbc */
+0x2B,0x0E,0x03,0x02,0x08,                    /* [243] OBJ_des_ofb64 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,     /* [248] OBJ_pkcs9 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,/* [256] OBJ_pkcs9_emailAddress */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x02,/* [265] OBJ_pkcs9_unstructuredName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x03,/* [274] OBJ_pkcs9_contentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04,/* [283] OBJ_pkcs9_messageDigest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x05,/* [292] OBJ_pkcs9_signingTime */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x06,/* [301] OBJ_pkcs9_countersignature */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07,/* [310] OBJ_pkcs9_challengePassword */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x08,/* [319] OBJ_pkcs9_unstructuredAddress */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x09,/* [328] OBJ_pkcs9_extCertAttributes */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,          /* [337] OBJ_netscape */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,     /* [344] OBJ_netscape_cert_extension */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,     /* [352] OBJ_netscape_data_type */
+0x2B,0x0E,0x03,0x02,0x1A,                    /* [360] OBJ_sha1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,/* [365] OBJ_sha1WithRSAEncryption */
+0x2B,0x0E,0x03,0x02,0x0D,                    /* [374] OBJ_dsaWithSHA */
+0x2B,0x0E,0x03,0x02,0x0C,                    /* [379] OBJ_dsa_2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0B,/* [384] OBJ_pbeWithSHA1AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0C,/* [393] OBJ_id_pbkdf2 */
+0x2B,0x0E,0x03,0x02,0x1B,                    /* [402] OBJ_dsaWithSHA1_2 */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,/* [407] OBJ_netscape_cert_type */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x02,/* [416] OBJ_netscape_base_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x03,/* [425] OBJ_netscape_revocation_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04,/* [434] OBJ_netscape_ca_revocation_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x07,/* [443] OBJ_netscape_renewal_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x08,/* [452] OBJ_netscape_ca_policy_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0C,/* [461] OBJ_netscape_ssl_server_name */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,/* [470] OBJ_netscape_comment */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,0x05,/* [479] OBJ_netscape_cert_sequence */
+0x55,0x1D,                                   /* [488] OBJ_id_ce */
+0x55,0x1D,0x0E,                              /* [490] OBJ_subject_key_identifier */
+0x55,0x1D,0x0F,                              /* [493] OBJ_key_usage */
+0x55,0x1D,0x10,                              /* [496] OBJ_private_key_usage_period */
+0x55,0x1D,0x11,                              /* [499] OBJ_subject_alt_name */
+0x55,0x1D,0x12,                              /* [502] OBJ_issuer_alt_name */
+0x55,0x1D,0x13,                              /* [505] OBJ_basic_constraints */
+0x55,0x1D,0x14,                              /* [508] OBJ_crl_number */
+0x55,0x1D,0x20,                              /* [511] OBJ_certificate_policies */
+0x55,0x1D,0x23,                              /* [514] OBJ_authority_key_identifier */
+0x2B,0x06,0x01,0x04,0x01,0x97,0x55,0x01,0x02,/* [517] OBJ_bf_cbc */
+0x55,0x08,0x03,0x65,                         /* [526] OBJ_mdc2 */
+0x55,0x08,0x03,0x64,                         /* [530] OBJ_mdc2WithRSA */
+0x55,0x04,0x2A,                              /* [534] OBJ_givenName */
+0x55,0x04,0x04,                              /* [537] OBJ_surname */
+0x55,0x04,0x2B,                              /* [540] OBJ_initials */
+0x55,0x1D,0x1F,                              /* [543] OBJ_crl_distribution_points */
+0x2B,0x0E,0x03,0x02,0x03,                    /* [546] OBJ_md5WithRSA */
+0x55,0x04,0x05,                              /* [551] OBJ_serialNumber */
+0x55,0x04,0x0C,                              /* [554] OBJ_title */
+0x55,0x04,0x0D,                              /* [557] OBJ_description */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0A,/* [560] OBJ_cast5_cbc */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0C,/* [569] OBJ_pbeWithMD5AndCast5_CBC */
+0x2A,0x86,0x48,0xCE,0x38,0x04,0x03,          /* [578] OBJ_dsaWithSHA1 */
+0x2B,0x0E,0x03,0x02,0x1D,                    /* [585] OBJ_sha1WithRSA */
+0x2A,0x86,0x48,0xCE,0x38,0x04,0x01,          /* [590] OBJ_dsa */
+0x2B,0x24,0x03,0x02,0x01,                    /* [597] OBJ_ripemd160 */
+0x2B,0x24,0x03,0x03,0x01,0x02,               /* [602] OBJ_ripemd160WithRSA */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x08,     /* [608] OBJ_rc5_cbc */
+0x29,0x01,0x01,0x85,0x1A,0x01,               /* [616] OBJ_rle_compression */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x08,/* [622] OBJ_zlib_compression */
+0x55,0x1D,0x25,                              /* [633] OBJ_ext_key_usage */
+0x2B,0x06,0x01,0x05,0x05,0x07,               /* [636] OBJ_id_pkix */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,          /* [642] OBJ_id_kp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,     /* [649] OBJ_server_auth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,     /* [657] OBJ_client_auth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,     /* [665] OBJ_code_sign */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04,     /* [673] OBJ_email_protect */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08,     /* [681] OBJ_time_stamp */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,/* [689] OBJ_ms_code_ind */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,/* [699] OBJ_ms_code_com */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,/* [709] OBJ_ms_ctl_sign */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03,/* [719] OBJ_ms_sgc */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x04,/* [729] OBJ_ms_efs */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01,/* [739] OBJ_ns_sgc */
+0x55,0x1D,0x1B,                              /* [748] OBJ_delta_crl */
+0x55,0x1D,0x15,                              /* [751] OBJ_crl_reason */
+0x55,0x1D,0x18,                              /* [754] OBJ_invalidity_date */
+0x2B,0x65,0x01,0x04,0x01,                    /* [757] OBJ_sxnet */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x01,/* [762] OBJ_pbe_WithSHA1And128BitRC4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x02,/* [772] OBJ_pbe_WithSHA1And40BitRC4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x03,/* [782] OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x04,/* [792] OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x05,/* [802] OBJ_pbe_WithSHA1And128BitRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x06,/* [812] OBJ_pbe_WithSHA1And40BitRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x01,/* [822] OBJ_keyBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x02,/* [833] OBJ_pkcs8ShroudedKeyBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x03,/* [844] OBJ_certBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x04,/* [855] OBJ_crlBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x05,/* [866] OBJ_secretBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x06,/* [877] OBJ_safeContentsBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x14,/* [888] OBJ_friendlyName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x15,/* [897] OBJ_localKeyID */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x01,/* [906] OBJ_x509Certificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x02,/* [916] OBJ_sdsiCertificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x17,0x01,/* [926] OBJ_x509Crl */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D,/* [936] OBJ_pbes2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0E,/* [945] OBJ_pbmac1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x07,     /* [954] OBJ_hmacWithSHA1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,     /* [962] OBJ_id_qt_cps */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,     /* [970] OBJ_id_qt_unotice */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0F,/* [978] OBJ_SMIMECapabilities */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x04,/* [987] OBJ_pbeWithMD2AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x06,/* [996] OBJ_pbeWithMD5AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0A,/* [1005] OBJ_pbeWithSHA1AndDES_CBC */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x0E,/* [1014] OBJ_ms_ext_req */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E,/* [1024] OBJ_ext_req */
+0x55,0x04,0x29,                              /* [1033] OBJ_name */
+0x55,0x04,0x2E,                              /* [1036] OBJ_dnQualifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,          /* [1039] OBJ_id_pe */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,          /* [1046] OBJ_id_ad */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,     /* [1053] OBJ_info_access */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,     /* [1061] OBJ_ad_OCSP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,     /* [1069] OBJ_ad_ca_issuers */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09,     /* [1077] OBJ_OCSP_sign */
+0x2A,                                        /* [1085] OBJ_member_body */
+0x2A,0x86,0x48,                              /* [1086] OBJ_ISO_US */
+0x2A,0x86,0x48,0xCE,0x38,                    /* [1089] OBJ_X9_57 */
+0x2A,0x86,0x48,0xCE,0x38,0x04,               /* [1094] OBJ_X9cm */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,     /* [1100] OBJ_pkcs1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,     /* [1108] OBJ_pkcs5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,/* [1116] OBJ_SMIME */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,/* [1125] OBJ_id_smime_mod */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,/* [1135] OBJ_id_smime_ct */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,/* [1145] OBJ_id_smime_aa */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,/* [1155] OBJ_id_smime_alg */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,/* [1165] OBJ_id_smime_cd */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,/* [1175] OBJ_id_smime_spq */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,/* [1185] OBJ_id_smime_cti */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x01,/* [1195] OBJ_id_smime_mod_cms */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x02,/* [1206] OBJ_id_smime_mod_ess */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x03,/* [1217] OBJ_id_smime_mod_oid */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x04,/* [1228] OBJ_id_smime_mod_msg_v3 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x05,/* [1239] OBJ_id_smime_mod_ets_eSignature_88 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x06,/* [1250] OBJ_id_smime_mod_ets_eSignature_97 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x07,/* [1261] OBJ_id_smime_mod_ets_eSigPolicy_88 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x08,/* [1272] OBJ_id_smime_mod_ets_eSigPolicy_97 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x01,/* [1283] OBJ_id_smime_ct_receipt */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x02,/* [1294] OBJ_id_smime_ct_authData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x03,/* [1305] OBJ_id_smime_ct_publishCert */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x04,/* [1316] OBJ_id_smime_ct_TSTInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x05,/* [1327] OBJ_id_smime_ct_TDTInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x06,/* [1338] OBJ_id_smime_ct_contentInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x07,/* [1349] OBJ_id_smime_ct_DVCSRequestData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x08,/* [1360] OBJ_id_smime_ct_DVCSResponseData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x01,/* [1371] OBJ_id_smime_aa_receiptRequest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x02,/* [1382] OBJ_id_smime_aa_securityLabel */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x03,/* [1393] OBJ_id_smime_aa_mlExpandHistory */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x04,/* [1404] OBJ_id_smime_aa_contentHint */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x05,/* [1415] OBJ_id_smime_aa_msgSigDigest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x06,/* [1426] OBJ_id_smime_aa_encapContentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x07,/* [1437] OBJ_id_smime_aa_contentIdentifier */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x08,/* [1448] OBJ_id_smime_aa_macValue */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x09,/* [1459] OBJ_id_smime_aa_equivalentLabels */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0A,/* [1470] OBJ_id_smime_aa_contentReference */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0B,/* [1481] OBJ_id_smime_aa_encrypKeyPref */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0C,/* [1492] OBJ_id_smime_aa_signingCertificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0D,/* [1503] OBJ_id_smime_aa_smimeEncryptCerts */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0E,/* [1514] OBJ_id_smime_aa_timeStampToken */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0F,/* [1525] OBJ_id_smime_aa_ets_sigPolicyId */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x10,/* [1536] OBJ_id_smime_aa_ets_commitmentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x11,/* [1547] OBJ_id_smime_aa_ets_signerLocation */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x12,/* [1558] OBJ_id_smime_aa_ets_signerAttr */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x13,/* [1569] OBJ_id_smime_aa_ets_otherSigCert */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x14,/* [1580] OBJ_id_smime_aa_ets_contentTimestamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x15,/* [1591] OBJ_id_smime_aa_ets_CertificateRefs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x16,/* [1602] OBJ_id_smime_aa_ets_RevocationRefs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x17,/* [1613] OBJ_id_smime_aa_ets_certValues */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x18,/* [1624] OBJ_id_smime_aa_ets_revocationValues */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x19,/* [1635] OBJ_id_smime_aa_ets_escTimeStamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1A,/* [1646] OBJ_id_smime_aa_ets_certCRLTimestamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1B,/* [1657] OBJ_id_smime_aa_ets_archiveTimeStamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1C,/* [1668] OBJ_id_smime_aa_signatureType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1D,/* [1679] OBJ_id_smime_aa_dvcs_dvc */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x01,/* [1690] OBJ_id_smime_alg_ESDHwith3DES */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x02,/* [1701] OBJ_id_smime_alg_ESDHwithRC2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x03,/* [1712] OBJ_id_smime_alg_3DESwrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x04,/* [1723] OBJ_id_smime_alg_RC2wrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x05,/* [1734] OBJ_id_smime_alg_ESDH */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x06,/* [1745] OBJ_id_smime_alg_CMS3DESwrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x07,/* [1756] OBJ_id_smime_alg_CMSRC2wrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,0x01,/* [1767] OBJ_id_smime_cd_ldap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x01,/* [1778] OBJ_id_smime_spq_ets_sqt_uri */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x02,/* [1789] OBJ_id_smime_spq_ets_sqt_unotice */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x01,/* [1800] OBJ_id_smime_cti_ets_proofOfOrigin */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x02,/* [1811] OBJ_id_smime_cti_ets_proofOfReceipt */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x03,/* [1822] OBJ_id_smime_cti_ets_proofOfDelivery */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x04,/* [1833] OBJ_id_smime_cti_ets_proofOfSender */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x05,/* [1844] OBJ_id_smime_cti_ets_proofOfApproval */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x06,/* [1855] OBJ_id_smime_cti_ets_proofOfCreation */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x04,     /* [1866] OBJ_md4 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,          /* [1874] OBJ_id_pkix_mod */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,          /* [1881] OBJ_id_qt */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,          /* [1888] OBJ_id_it */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,          /* [1895] OBJ_id_pkip */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,          /* [1902] OBJ_id_alg */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,          /* [1909] OBJ_id_cmc */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x08,          /* [1916] OBJ_id_on */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,          /* [1923] OBJ_id_pda */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,          /* [1930] OBJ_id_aca */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,          /* [1937] OBJ_id_qcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,          /* [1944] OBJ_id_cct */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x01,     /* [1951] OBJ_id_pkix1_explicit_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x02,     /* [1959] OBJ_id_pkix1_implicit_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x03,     /* [1967] OBJ_id_pkix1_explicit_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x04,     /* [1975] OBJ_id_pkix1_implicit_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x05,     /* [1983] OBJ_id_mod_crmf */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x06,     /* [1991] OBJ_id_mod_cmc */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x07,     /* [1999] OBJ_id_mod_kea_profile_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x08,     /* [2007] OBJ_id_mod_kea_profile_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x09,     /* [2015] OBJ_id_mod_cmp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0A,     /* [2023] OBJ_id_mod_qualified_cert_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0B,     /* [2031] OBJ_id_mod_qualified_cert_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0C,     /* [2039] OBJ_id_mod_attribute_cert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0D,     /* [2047] OBJ_id_mod_timestamp_protocol */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0E,     /* [2055] OBJ_id_mod_ocsp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0F,     /* [2063] OBJ_id_mod_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x10,     /* [2071] OBJ_id_mod_cmp2000 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x02,     /* [2079] OBJ_biometricInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x03,     /* [2087] OBJ_qcStatements */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,     /* [2095] OBJ_ac_auditEntity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,     /* [2103] OBJ_ac_targeting */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,     /* [2111] OBJ_aaControls */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2119] OBJ_sbgp_ipAddrBlock */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2127] OBJ_sbgp_autonomousSysNum */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2135] OBJ_sbgp_routerIdentifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2143] OBJ_textNotice */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2151] OBJ_ipsecEndSystem */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2159] OBJ_ipsecTunnel */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x07,     /* [2167] OBJ_ipsecUser */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x0A,     /* [2175] OBJ_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x01,     /* [2183] OBJ_id_it_caProtEncCert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x02,     /* [2191] OBJ_id_it_signKeyPairTypes */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x03,     /* [2199] OBJ_id_it_encKeyPairTypes */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x04,     /* [2207] OBJ_id_it_preferredSymmAlg */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x05,     /* [2215] OBJ_id_it_caKeyUpdateInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x06,     /* [2223] OBJ_id_it_currentCRL */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x07,     /* [2231] OBJ_id_it_unsupportedOIDs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x08,     /* [2239] OBJ_id_it_subscriptionRequest */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x09,     /* [2247] OBJ_id_it_subscriptionResponse */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0A,     /* [2255] OBJ_id_it_keyPairParamReq */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0B,     /* [2263] OBJ_id_it_keyPairParamRep */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0C,     /* [2271] OBJ_id_it_revPassphrase */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0D,     /* [2279] OBJ_id_it_implicitConfirm */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0E,     /* [2287] OBJ_id_it_confirmWaitTime */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0F,     /* [2295] OBJ_id_it_origPKIMessage */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,     /* [2303] OBJ_id_regCtrl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,     /* [2311] OBJ_id_regInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x01,/* [2319] OBJ_id_regCtrl_regToken */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x02,/* [2328] OBJ_id_regCtrl_authenticator */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x03,/* [2337] OBJ_id_regCtrl_pkiPublicationInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x04,/* [2346] OBJ_id_regCtrl_pkiArchiveOptions */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x05,/* [2355] OBJ_id_regCtrl_oldCertID */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x06,/* [2364] OBJ_id_regCtrl_protocolEncrKey */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x01,/* [2373] OBJ_id_regInfo_utf8Pairs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x02,/* [2382] OBJ_id_regInfo_certReq */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x01,     /* [2391] OBJ_id_alg_des40 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x02,     /* [2399] OBJ_id_alg_noSignature */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x03,     /* [2407] OBJ_id_alg_dh_sig_hmac_sha1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x04,     /* [2415] OBJ_id_alg_dh_pop */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x01,     /* [2423] OBJ_id_cmc_statusInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x02,     /* [2431] OBJ_id_cmc_identification */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x03,     /* [2439] OBJ_id_cmc_identityProof */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x04,     /* [2447] OBJ_id_cmc_dataReturn */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x05,     /* [2455] OBJ_id_cmc_transactionId */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x06,     /* [2463] OBJ_id_cmc_senderNonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x07,     /* [2471] OBJ_id_cmc_recipientNonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x08,     /* [2479] OBJ_id_cmc_addExtensions */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x09,     /* [2487] OBJ_id_cmc_encryptedPOP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0A,     /* [2495] OBJ_id_cmc_decryptedPOP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0B,     /* [2503] OBJ_id_cmc_lraPOPWitness */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0F,     /* [2511] OBJ_id_cmc_getCert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x10,     /* [2519] OBJ_id_cmc_getCRL */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x11,     /* [2527] OBJ_id_cmc_revokeRequest */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x12,     /* [2535] OBJ_id_cmc_regInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x13,     /* [2543] OBJ_id_cmc_responseInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x15,     /* [2551] OBJ_id_cmc_queryPending */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x16,     /* [2559] OBJ_id_cmc_popLinkRandom */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x17,     /* [2567] OBJ_id_cmc_popLinkWitness */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x18,     /* [2575] OBJ_id_cmc_confirmCertAcceptance */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x01,     /* [2583] OBJ_id_on_personalData */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x01,     /* [2591] OBJ_id_pda_dateOfBirth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x02,     /* [2599] OBJ_id_pda_placeOfBirth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x03,     /* [2607] OBJ_id_pda_gender */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x04,     /* [2615] OBJ_id_pda_countryOfCitizenship */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x05,     /* [2623] OBJ_id_pda_countryOfResidence */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x01,     /* [2631] OBJ_id_aca_authenticationInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x02,     /* [2639] OBJ_id_aca_accessIdentity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x03,     /* [2647] OBJ_id_aca_chargingIdentity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x04,     /* [2655] OBJ_id_aca_group */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x05,     /* [2663] OBJ_id_aca_role */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,0x01,     /* [2671] OBJ_id_qcs_pkixQCSyntax_v1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x01,     /* [2679] OBJ_id_cct_crs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x02,     /* [2687] OBJ_id_cct_PKIData */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x03,     /* [2695] OBJ_id_cct_PKIResponse */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x03,     /* [2703] OBJ_ad_timeStamping */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x04,     /* [2711] OBJ_ad_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,/* [2719] OBJ_id_pkix_OCSP_basic */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,/* [2728] OBJ_id_pkix_OCSP_Nonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x03,/* [2737] OBJ_id_pkix_OCSP_CrlID */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x04,/* [2746] OBJ_id_pkix_OCSP_acceptableResponses */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,/* [2755] OBJ_id_pkix_OCSP_noCheck */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x06,/* [2764] OBJ_id_pkix_OCSP_archiveCutoff */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x07,/* [2773] OBJ_id_pkix_OCSP_serviceLocator */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x08,/* [2782] OBJ_id_pkix_OCSP_extendedStatus */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x09,/* [2791] OBJ_id_pkix_OCSP_valid */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0A,/* [2800] OBJ_id_pkix_OCSP_path */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0B,/* [2809] OBJ_id_pkix_OCSP_trustRoot */
+0x2B,0x0E,0x03,0x02,                         /* [2818] OBJ_algorithm */
+0x2B,0x0E,0x03,0x02,0x0B,                    /* [2822] OBJ_rsaSignature */
+0x55,0x08,                                   /* [2827] OBJ_X500algorithms */
+0x2B,                                        /* [2829] OBJ_org */
+0x2B,0x06,                                   /* [2830] OBJ_dod */
+0x2B,0x06,0x01,                              /* [2832] OBJ_iana */
+0x2B,0x06,0x01,0x01,                         /* [2835] OBJ_Directory */
+0x2B,0x06,0x01,0x02,                         /* [2839] OBJ_Management */
+0x2B,0x06,0x01,0x03,                         /* [2843] OBJ_Experimental */
+0x2B,0x06,0x01,0x04,                         /* [2847] OBJ_Private */
+0x2B,0x06,0x01,0x05,                         /* [2851] OBJ_Security */
+0x2B,0x06,0x01,0x06,                         /* [2855] OBJ_SNMPv2 */
+0x2B,0x06,0x01,0x07,                         /* [2859] OBJ_Mail */
+0x2B,0x06,0x01,0x04,0x01,                    /* [2863] OBJ_Enterprises */
+0x2B,0x06,0x01,0x04,0x01,0x8B,0x3A,0x82,0x58,/* [2868] OBJ_dcObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2877] OBJ_domainComponent */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2887] OBJ_Domain */
+0x55,0x01,0x05,                              /* [2897] OBJ_selected_attribute_types */
+0x55,0x01,0x05,0x37,                         /* [2900] OBJ_clearance */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,/* [2904] OBJ_md4WithRSAEncryption */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A,     /* [2913] OBJ_ac_proxying */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B,     /* [2921] OBJ_sinfo_access */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06,     /* [2929] OBJ_id_aca_encAttrs */
+0x55,0x04,0x48,                              /* [2937] OBJ_role */
+0x55,0x1D,0x24,                              /* [2940] OBJ_policy_constraints */
+0x55,0x1D,0x37,                              /* [2943] OBJ_target_information */
+0x55,0x1D,0x38,                              /* [2946] OBJ_no_rev_avail */
+0x2A,0x86,0x48,0xCE,0x3D,                    /* [2949] OBJ_ansi_X9_62 */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x01,          /* [2954] OBJ_X9_62_prime_field */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,          /* [2961] OBJ_X9_62_characteristic_two_field */
+0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,          /* [2968] OBJ_X9_62_id_ecPublicKey */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01,     /* [2975] OBJ_X9_62_prime192v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02,     /* [2983] OBJ_X9_62_prime192v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03,     /* [2991] OBJ_X9_62_prime192v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04,     /* [2999] OBJ_X9_62_prime239v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05,     /* [3007] OBJ_X9_62_prime239v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06,     /* [3015] OBJ_X9_62_prime239v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,     /* [3023] OBJ_X9_62_prime256v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01,          /* [3031] OBJ_ecdsa_with_SHA1 */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x01,/* [3038] OBJ_ms_csp_name */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x01,/* [3047] OBJ_aes_128_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x02,/* [3056] OBJ_aes_128_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x03,/* [3065] OBJ_aes_128_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x04,/* [3074] OBJ_aes_128_cfb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x15,/* [3083] OBJ_aes_192_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x16,/* [3092] OBJ_aes_192_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x17,/* [3101] OBJ_aes_192_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x18,/* [3110] OBJ_aes_192_cfb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x29,/* [3119] OBJ_aes_256_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2A,/* [3128] OBJ_aes_256_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2B,/* [3137] OBJ_aes_256_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2C,/* [3146] OBJ_aes_256_cfb128 */
+0x55,0x1D,0x17,                              /* [3155] OBJ_hold_instruction_code */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x01,          /* [3158] OBJ_hold_instruction_none */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x02,          /* [3165] OBJ_hold_instruction_call_issuer */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x03,          /* [3172] OBJ_hold_instruction_reject */
+0x09,                                        /* [3179] OBJ_data */
+0x09,0x92,0x26,                              /* [3180] OBJ_pss */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,          /* [3183] OBJ_ucl */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,     /* [3190] OBJ_pilot */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,/* [3198] OBJ_pilotAttributeType */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,/* [3207] OBJ_pilotAttributeSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,/* [3216] OBJ_pilotObjectClass */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x0A,/* [3225] OBJ_pilotGroups */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x04,/* [3234] OBJ_iA5StringSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x05,/* [3244] OBJ_caseIgnoreIA5StringSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x03,/* [3254] OBJ_pilotObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x04,/* [3264] OBJ_pilotPerson */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x05,/* [3274] OBJ_account */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x06,/* [3284] OBJ_document */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x07,/* [3294] OBJ_room */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x09,/* [3304] OBJ_documentSeries */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0E,/* [3314] OBJ_rFC822localPart */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0F,/* [3324] OBJ_dNSDomain */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x11,/* [3334] OBJ_domainRelatedObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x12,/* [3344] OBJ_friendlyCountry */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x13,/* [3354] OBJ_simpleSecurityObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x14,/* [3364] OBJ_pilotOrganization */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x15,/* [3374] OBJ_pilotDSA */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x16,/* [3384] OBJ_qualityLabelledData */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01,/* [3394] OBJ_userId */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x02,/* [3404] OBJ_textEncodedORAddress */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x03,/* [3414] OBJ_rfc822Mailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x04,/* [3424] OBJ_info */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x05,/* [3434] OBJ_favouriteDrink */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x06,/* [3444] OBJ_roomNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x07,/* [3454] OBJ_photo */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x08,/* [3464] OBJ_userClass */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x09,/* [3474] OBJ_host */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0A,/* [3484] OBJ_manager */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0B,/* [3494] OBJ_documentIdentifier */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0C,/* [3504] OBJ_documentTitle */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0D,/* [3514] OBJ_documentVersion */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0E,/* [3524] OBJ_documentAuthor */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0F,/* [3534] OBJ_documentLocation */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x14,/* [3544] OBJ_homeTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x15,/* [3554] OBJ_secretary */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x16,/* [3564] OBJ_otherMailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x17,/* [3574] OBJ_lastModifiedTime */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x18,/* [3584] OBJ_lastModifiedBy */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1A,/* [3594] OBJ_aRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1B,/* [3604] OBJ_pilotAttributeType27 */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1C,/* [3614] OBJ_mXRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1D,/* [3624] OBJ_nSRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1E,/* [3634] OBJ_sOARecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1F,/* [3644] OBJ_cNAMERecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x25,/* [3654] OBJ_associatedDomain */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x26,/* [3664] OBJ_associatedName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x27,/* [3674] OBJ_homePostalAddress */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x28,/* [3684] OBJ_personalTitle */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x29,/* [3694] OBJ_mobileTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2A,/* [3704] OBJ_pagerTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2B,/* [3714] OBJ_friendlyCountryName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2D,/* [3724] OBJ_organizationalStatus */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2E,/* [3734] OBJ_janetMailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2F,/* [3744] OBJ_mailPreferenceOption */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x30,/* [3754] OBJ_buildingName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x31,/* [3764] OBJ_dSAQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x32,/* [3774] OBJ_singleLevelQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x33,/* [3784] OBJ_subtreeMinimumQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x34,/* [3794] OBJ_subtreeMaximumQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x35,/* [3804] OBJ_personalSignature */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x36,/* [3814] OBJ_dITRedirect */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x37,/* [3824] OBJ_audio */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x38,/* [3834] OBJ_documentPublisher */
+0x55,0x04,0x2D,                              /* [3844] OBJ_x500UniqueIdentifier */
+0x2B,0x06,0x01,0x07,0x01,                    /* [3847] OBJ_mime_mhs */
+0x2B,0x06,0x01,0x07,0x01,0x01,               /* [3852] OBJ_mime_mhs_headings */
+0x2B,0x06,0x01,0x07,0x01,0x02,               /* [3858] OBJ_mime_mhs_bodies */
+0x2B,0x06,0x01,0x07,0x01,0x01,0x01,          /* [3864] OBJ_id_hex_partial_message */
+0x2B,0x06,0x01,0x07,0x01,0x01,0x02,          /* [3871] OBJ_id_hex_multipart_message */
+0x55,0x04,0x2C,                              /* [3878] OBJ_generationQualifier */
+0x55,0x04,0x41,                              /* [3881] OBJ_pseudonym */
+0x67,0x2A,                                   /* [3884] OBJ_id_set */
+0x67,0x2A,0x00,                              /* [3886] OBJ_set_ctype */
+0x67,0x2A,0x01,                              /* [3889] OBJ_set_msgExt */
+0x67,0x2A,0x03,                              /* [3892] OBJ_set_attr */
+0x67,0x2A,0x05,                              /* [3895] OBJ_set_policy */
+0x67,0x2A,0x07,                              /* [3898] OBJ_set_certExt */
+0x67,0x2A,0x08,                              /* [3901] OBJ_set_brand */
+0x67,0x2A,0x00,0x00,                         /* [3904] OBJ_setct_PANData */
+0x67,0x2A,0x00,0x01,                         /* [3908] OBJ_setct_PANToken */
+0x67,0x2A,0x00,0x02,                         /* [3912] OBJ_setct_PANOnly */
+0x67,0x2A,0x00,0x03,                         /* [3916] OBJ_setct_OIData */
+0x67,0x2A,0x00,0x04,                         /* [3920] OBJ_setct_PI */
+0x67,0x2A,0x00,0x05,                         /* [3924] OBJ_setct_PIData */
+0x67,0x2A,0x00,0x06,                         /* [3928] OBJ_setct_PIDataUnsigned */
+0x67,0x2A,0x00,0x07,                         /* [3932] OBJ_setct_HODInput */
+0x67,0x2A,0x00,0x08,                         /* [3936] OBJ_setct_AuthResBaggage */
+0x67,0x2A,0x00,0x09,                         /* [3940] OBJ_setct_AuthRevReqBaggage */
+0x67,0x2A,0x00,0x0A,                         /* [3944] OBJ_setct_AuthRevResBaggage */
+0x67,0x2A,0x00,0x0B,                         /* [3948] OBJ_setct_CapTokenSeq */
+0x67,0x2A,0x00,0x0C,                         /* [3952] OBJ_setct_PInitResData */
+0x67,0x2A,0x00,0x0D,                         /* [3956] OBJ_setct_PI_TBS */
+0x67,0x2A,0x00,0x0E,                         /* [3960] OBJ_setct_PResData */
+0x67,0x2A,0x00,0x10,                         /* [3964] OBJ_setct_AuthReqTBS */
+0x67,0x2A,0x00,0x11,                         /* [3968] OBJ_setct_AuthResTBS */
+0x67,0x2A,0x00,0x12,                         /* [3972] OBJ_setct_AuthResTBSX */
+0x67,0x2A,0x00,0x13,                         /* [3976] OBJ_setct_AuthTokenTBS */
+0x67,0x2A,0x00,0x14,                         /* [3980] OBJ_setct_CapTokenData */
+0x67,0x2A,0x00,0x15,                         /* [3984] OBJ_setct_CapTokenTBS */
+0x67,0x2A,0x00,0x16,                         /* [3988] OBJ_setct_AcqCardCodeMsg */
+0x67,0x2A,0x00,0x17,                         /* [3992] OBJ_setct_AuthRevReqTBS */
+0x67,0x2A,0x00,0x18,                         /* [3996] OBJ_setct_AuthRevResData */
+0x67,0x2A,0x00,0x19,                         /* [4000] OBJ_setct_AuthRevResTBS */
+0x67,0x2A,0x00,0x1A,                         /* [4004] OBJ_setct_CapReqTBS */
+0x67,0x2A,0x00,0x1B,                         /* [4008] OBJ_setct_CapReqTBSX */
+0x67,0x2A,0x00,0x1C,                         /* [4012] OBJ_setct_CapResData */
+0x67,0x2A,0x00,0x1D,                         /* [4016] OBJ_setct_CapRevReqTBS */
+0x67,0x2A,0x00,0x1E,                         /* [4020] OBJ_setct_CapRevReqTBSX */
+0x67,0x2A,0x00,0x1F,                         /* [4024] OBJ_setct_CapRevResData */
+0x67,0x2A,0x00,0x20,                         /* [4028] OBJ_setct_CredReqTBS */
+0x67,0x2A,0x00,0x21,                         /* [4032] OBJ_setct_CredReqTBSX */
+0x67,0x2A,0x00,0x22,                         /* [4036] OBJ_setct_CredResData */
+0x67,0x2A,0x00,0x23,                         /* [4040] OBJ_setct_CredRevReqTBS */
+0x67,0x2A,0x00,0x24,                         /* [4044] OBJ_setct_CredRevReqTBSX */
+0x67,0x2A,0x00,0x25,                         /* [4048] OBJ_setct_CredRevResData */
+0x67,0x2A,0x00,0x26,                         /* [4052] OBJ_setct_PCertReqData */
+0x67,0x2A,0x00,0x27,                         /* [4056] OBJ_setct_PCertResTBS */
+0x67,0x2A,0x00,0x28,                         /* [4060] OBJ_setct_BatchAdminReqData */
+0x67,0x2A,0x00,0x29,                         /* [4064] OBJ_setct_BatchAdminResData */
+0x67,0x2A,0x00,0x2A,                         /* [4068] OBJ_setct_CardCInitResTBS */
+0x67,0x2A,0x00,0x2B,                         /* [4072] OBJ_setct_MeAqCInitResTBS */
+0x67,0x2A,0x00,0x2C,                         /* [4076] OBJ_setct_RegFormResTBS */
+0x67,0x2A,0x00,0x2D,                         /* [4080] OBJ_setct_CertReqData */
+0x67,0x2A,0x00,0x2E,                         /* [4084] OBJ_setct_CertReqTBS */
+0x67,0x2A,0x00,0x2F,                         /* [4088] OBJ_setct_CertResData */
+0x67,0x2A,0x00,0x30,                         /* [4092] OBJ_setct_CertInqReqTBS */
+0x67,0x2A,0x00,0x31,                         /* [4096] OBJ_setct_ErrorTBS */
+0x67,0x2A,0x00,0x32,                         /* [4100] OBJ_setct_PIDualSignedTBE */
+0x67,0x2A,0x00,0x33,                         /* [4104] OBJ_setct_PIUnsignedTBE */
+0x67,0x2A,0x00,0x34,                         /* [4108] OBJ_setct_AuthReqTBE */
+0x67,0x2A,0x00,0x35,                         /* [4112] OBJ_setct_AuthResTBE */
+0x67,0x2A,0x00,0x36,                         /* [4116] OBJ_setct_AuthResTBEX */
+0x67,0x2A,0x00,0x37,                         /* [4120] OBJ_setct_AuthTokenTBE */
+0x67,0x2A,0x00,0x38,                         /* [4124] OBJ_setct_CapTokenTBE */
+0x67,0x2A,0x00,0x39,                         /* [4128] OBJ_setct_CapTokenTBEX */
+0x67,0x2A,0x00,0x3A,                         /* [4132] OBJ_setct_AcqCardCodeMsgTBE */
+0x67,0x2A,0x00,0x3B,                         /* [4136] OBJ_setct_AuthRevReqTBE */
+0x67,0x2A,0x00,0x3C,                         /* [4140] OBJ_setct_AuthRevResTBE */
+0x67,0x2A,0x00,0x3D,                         /* [4144] OBJ_setct_AuthRevResTBEB */
+0x67,0x2A,0x00,0x3E,                         /* [4148] OBJ_setct_CapReqTBE */
+0x67,0x2A,0x00,0x3F,                         /* [4152] OBJ_setct_CapReqTBEX */
+0x67,0x2A,0x00,0x40,                         /* [4156] OBJ_setct_CapResTBE */
+0x67,0x2A,0x00,0x41,                         /* [4160] OBJ_setct_CapRevReqTBE */
+0x67,0x2A,0x00,0x42,                         /* [4164] OBJ_setct_CapRevReqTBEX */
+0x67,0x2A,0x00,0x43,                         /* [4168] OBJ_setct_CapRevResTBE */
+0x67,0x2A,0x00,0x44,                         /* [4172] OBJ_setct_CredReqTBE */
+0x67,0x2A,0x00,0x45,                         /* [4176] OBJ_setct_CredReqTBEX */
+0x67,0x2A,0x00,0x46,                         /* [4180] OBJ_setct_CredResTBE */
+0x67,0x2A,0x00,0x47,                         /* [4184] OBJ_setct_CredRevReqTBE */
+0x67,0x2A,0x00,0x48,                         /* [4188] OBJ_setct_CredRevReqTBEX */
+0x67,0x2A,0x00,0x49,                         /* [4192] OBJ_setct_CredRevResTBE */
+0x67,0x2A,0x00,0x4A,                         /* [4196] OBJ_setct_BatchAdminReqTBE */
+0x67,0x2A,0x00,0x4B,                         /* [4200] OBJ_setct_BatchAdminResTBE */
+0x67,0x2A,0x00,0x4C,                         /* [4204] OBJ_setct_RegFormReqTBE */
+0x67,0x2A,0x00,0x4D,                         /* [4208] OBJ_setct_CertReqTBE */
+0x67,0x2A,0x00,0x4E,                         /* [4212] OBJ_setct_CertReqTBEX */
+0x67,0x2A,0x00,0x4F,                         /* [4216] OBJ_setct_CertResTBE */
+0x67,0x2A,0x00,0x50,                         /* [4220] OBJ_setct_CRLNotificationTBS */
+0x67,0x2A,0x00,0x51,                         /* [4224] OBJ_setct_CRLNotificationResTBS */
+0x67,0x2A,0x00,0x52,                         /* [4228] OBJ_setct_BCIDistributionTBS */
+0x67,0x2A,0x01,0x01,                         /* [4232] OBJ_setext_genCrypt */
+0x67,0x2A,0x01,0x03,                         /* [4236] OBJ_setext_miAuth */
+0x67,0x2A,0x01,0x04,                         /* [4240] OBJ_setext_pinSecure */
+0x67,0x2A,0x01,0x05,                         /* [4244] OBJ_setext_pinAny */
+0x67,0x2A,0x01,0x07,                         /* [4248] OBJ_setext_track2 */
+0x67,0x2A,0x01,0x08,                         /* [4252] OBJ_setext_cv */
+0x67,0x2A,0x05,0x00,                         /* [4256] OBJ_set_policy_root */
+0x67,0x2A,0x07,0x00,                         /* [4260] OBJ_setCext_hashedRoot */
+0x67,0x2A,0x07,0x01,                         /* [4264] OBJ_setCext_certType */
+0x67,0x2A,0x07,0x02,                         /* [4268] OBJ_setCext_merchData */
+0x67,0x2A,0x07,0x03,                         /* [4272] OBJ_setCext_cCertRequired */
+0x67,0x2A,0x07,0x04,                         /* [4276] OBJ_setCext_tunneling */
+0x67,0x2A,0x07,0x05,                         /* [4280] OBJ_setCext_setExt */
+0x67,0x2A,0x07,0x06,                         /* [4284] OBJ_setCext_setQualf */
+0x67,0x2A,0x07,0x07,                         /* [4288] OBJ_setCext_PGWYcapabilities */
+0x67,0x2A,0x07,0x08,                         /* [4292] OBJ_setCext_TokenIdentifier */
+0x67,0x2A,0x07,0x09,                         /* [4296] OBJ_setCext_Track2Data */
+0x67,0x2A,0x07,0x0A,                         /* [4300] OBJ_setCext_TokenType */
+0x67,0x2A,0x07,0x0B,                         /* [4304] OBJ_setCext_IssuerCapabilities */
+0x67,0x2A,0x03,0x00,                         /* [4308] OBJ_setAttr_Cert */
+0x67,0x2A,0x03,0x01,                         /* [4312] OBJ_setAttr_PGWYcap */
+0x67,0x2A,0x03,0x02,                         /* [4316] OBJ_setAttr_TokenType */
+0x67,0x2A,0x03,0x03,                         /* [4320] OBJ_setAttr_IssCap */
+0x67,0x2A,0x03,0x00,0x00,                    /* [4324] OBJ_set_rootKeyThumb */
+0x67,0x2A,0x03,0x00,0x01,                    /* [4329] OBJ_set_addPolicy */
+0x67,0x2A,0x03,0x02,0x01,                    /* [4334] OBJ_setAttr_Token_EMV */
+0x67,0x2A,0x03,0x02,0x02,                    /* [4339] OBJ_setAttr_Token_B0Prime */
+0x67,0x2A,0x03,0x03,0x03,                    /* [4344] OBJ_setAttr_IssCap_CVM */
+0x67,0x2A,0x03,0x03,0x04,                    /* [4349] OBJ_setAttr_IssCap_T2 */
+0x67,0x2A,0x03,0x03,0x05,                    /* [4354] OBJ_setAttr_IssCap_Sig */
+0x67,0x2A,0x03,0x03,0x03,0x01,               /* [4359] OBJ_setAttr_GenCryptgrm */
+0x67,0x2A,0x03,0x03,0x04,0x01,               /* [4365] OBJ_setAttr_T2Enc */
+0x67,0x2A,0x03,0x03,0x04,0x02,               /* [4371] OBJ_setAttr_T2cleartxt */
+0x67,0x2A,0x03,0x03,0x05,0x01,               /* [4377] OBJ_setAttr_TokICCsig */
+0x67,0x2A,0x03,0x03,0x05,0x02,               /* [4383] OBJ_setAttr_SecDevSig */
+0x67,0x2A,0x08,0x01,                         /* [4389] OBJ_set_brand_IATA_ATA */
+0x67,0x2A,0x08,0x1E,                         /* [4393] OBJ_set_brand_Diners */
+0x67,0x2A,0x08,0x22,                         /* [4397] OBJ_set_brand_AmericanExpress */
+0x67,0x2A,0x08,0x23,                         /* [4401] OBJ_set_brand_JCB */
+0x67,0x2A,0x08,0x04,                         /* [4405] OBJ_set_brand_Visa */
+0x67,0x2A,0x08,0x05,                         /* [4409] OBJ_set_brand_MasterCard */
+0x67,0x2A,0x08,0xAE,0x7B,                    /* [4413] OBJ_set_brand_Novus */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A,     /* [4418] OBJ_des_cdmf */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06,/* [4426] OBJ_rsaOAEPEncryptionSET */
+0x67,                                        /* [4435] OBJ_international_organizations */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [4436] OBJ_ms_smartcard_login */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [4446] OBJ_ms_upn */
+0x55,0x04,0x09,                              /* [4456] OBJ_streetAddress */
+0x55,0x04,0x11,                              /* [4459] OBJ_postalCode */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,          /* [4462] OBJ_id_ppl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,     /* [4469] OBJ_proxyCertInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4477] OBJ_id_ppl_anyLanguage */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4485] OBJ_id_ppl_inheritAll */
+0x55,0x1D,0x1E,                              /* [4493] OBJ_name_constraints */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4496] OBJ_Independent */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,/* [4504] OBJ_sha256WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C,/* [4513] OBJ_sha384WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D,/* [4522] OBJ_sha512WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E,/* [4531] OBJ_sha224WithRSAEncryption */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,/* [4540] OBJ_sha256 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4549] OBJ_sha384 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4558] OBJ_sha512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4567] OBJ_sha224 */
+0x2B,                                        /* [4576] OBJ_identified_organization */
+0x2B,0x81,0x04,                              /* [4577] OBJ_certicom_arc */
+0x67,0x2B,                                   /* [4580] OBJ_wap */
+0x67,0x2B,0x01,                              /* [4582] OBJ_wap_wsg */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,     /* [4585] OBJ_X9_62_id_characteristic_two_basis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x01,/* [4593] OBJ_X9_62_onBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x02,/* [4602] OBJ_X9_62_tpBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x03,/* [4611] OBJ_X9_62_ppBasis */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x01,     /* [4620] OBJ_X9_62_c2pnb163v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x02,     /* [4628] OBJ_X9_62_c2pnb163v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x03,     /* [4636] OBJ_X9_62_c2pnb163v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x04,     /* [4644] OBJ_X9_62_c2pnb176v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x05,     /* [4652] OBJ_X9_62_c2tnb191v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x06,     /* [4660] OBJ_X9_62_c2tnb191v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x07,     /* [4668] OBJ_X9_62_c2tnb191v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x08,     /* [4676] OBJ_X9_62_c2onb191v4 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x09,     /* [4684] OBJ_X9_62_c2onb191v5 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0A,     /* [4692] OBJ_X9_62_c2pnb208w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0B,     /* [4700] OBJ_X9_62_c2tnb239v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0C,     /* [4708] OBJ_X9_62_c2tnb239v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0D,     /* [4716] OBJ_X9_62_c2tnb239v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0E,     /* [4724] OBJ_X9_62_c2onb239v4 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0F,     /* [4732] OBJ_X9_62_c2onb239v5 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x10,     /* [4740] OBJ_X9_62_c2pnb272w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x11,     /* [4748] OBJ_X9_62_c2pnb304w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x12,     /* [4756] OBJ_X9_62_c2tnb359v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x13,     /* [4764] OBJ_X9_62_c2pnb368w1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x14,     /* [4772] OBJ_X9_62_c2tnb431r1 */
+0x2B,0x81,0x04,0x00,0x06,                    /* [4780] OBJ_secp112r1 */
+0x2B,0x81,0x04,0x00,0x07,                    /* [4785] OBJ_secp112r2 */
+0x2B,0x81,0x04,0x00,0x1C,                    /* [4790] OBJ_secp128r1 */
+0x2B,0x81,0x04,0x00,0x1D,                    /* [4795] OBJ_secp128r2 */
+0x2B,0x81,0x04,0x00,0x09,                    /* [4800] OBJ_secp160k1 */
+0x2B,0x81,0x04,0x00,0x08,                    /* [4805] OBJ_secp160r1 */
+0x2B,0x81,0x04,0x00,0x1E,                    /* [4810] OBJ_secp160r2 */
+0x2B,0x81,0x04,0x00,0x1F,                    /* [4815] OBJ_secp192k1 */
+0x2B,0x81,0x04,0x00,0x20,                    /* [4820] OBJ_secp224k1 */
+0x2B,0x81,0x04,0x00,0x21,                    /* [4825] OBJ_secp224r1 */
+0x2B,0x81,0x04,0x00,0x0A,                    /* [4830] OBJ_secp256k1 */
+0x2B,0x81,0x04,0x00,0x22,                    /* [4835] OBJ_secp384r1 */
+0x2B,0x81,0x04,0x00,0x23,                    /* [4840] OBJ_secp521r1 */
+0x2B,0x81,0x04,0x00,0x04,                    /* [4845] OBJ_sect113r1 */
+0x2B,0x81,0x04,0x00,0x05,                    /* [4850] OBJ_sect113r2 */
+0x2B,0x81,0x04,0x00,0x16,                    /* [4855] OBJ_sect131r1 */
+0x2B,0x81,0x04,0x00,0x17,                    /* [4860] OBJ_sect131r2 */
+0x2B,0x81,0x04,0x00,0x01,                    /* [4865] OBJ_sect163k1 */
+0x2B,0x81,0x04,0x00,0x02,                    /* [4870] OBJ_sect163r1 */
+0x2B,0x81,0x04,0x00,0x0F,                    /* [4875] OBJ_sect163r2 */
+0x2B,0x81,0x04,0x00,0x18,                    /* [4880] OBJ_sect193r1 */
+0x2B,0x81,0x04,0x00,0x19,                    /* [4885] OBJ_sect193r2 */
+0x2B,0x81,0x04,0x00,0x1A,                    /* [4890] OBJ_sect233k1 */
+0x2B,0x81,0x04,0x00,0x1B,                    /* [4895] OBJ_sect233r1 */
+0x2B,0x81,0x04,0x00,0x03,                    /* [4900] OBJ_sect239k1 */
+0x2B,0x81,0x04,0x00,0x10,                    /* [4905] OBJ_sect283k1 */
+0x2B,0x81,0x04,0x00,0x11,                    /* [4910] OBJ_sect283r1 */
+0x2B,0x81,0x04,0x00,0x24,                    /* [4915] OBJ_sect409k1 */
+0x2B,0x81,0x04,0x00,0x25,                    /* [4920] OBJ_sect409r1 */
+0x2B,0x81,0x04,0x00,0x26,                    /* [4925] OBJ_sect571k1 */
+0x2B,0x81,0x04,0x00,0x27,                    /* [4930] OBJ_sect571r1 */
+0x67,0x2B,0x01,0x04,0x01,                    /* [4935] OBJ_wap_wsg_idm_ecid_wtls1 */
+0x67,0x2B,0x01,0x04,0x03,                    /* [4940] OBJ_wap_wsg_idm_ecid_wtls3 */
+0x67,0x2B,0x01,0x04,0x04,                    /* [4945] OBJ_wap_wsg_idm_ecid_wtls4 */
+0x67,0x2B,0x01,0x04,0x05,                    /* [4950] OBJ_wap_wsg_idm_ecid_wtls5 */
+0x67,0x2B,0x01,0x04,0x06,                    /* [4955] OBJ_wap_wsg_idm_ecid_wtls6 */
+0x67,0x2B,0x01,0x04,0x07,                    /* [4960] OBJ_wap_wsg_idm_ecid_wtls7 */
+0x67,0x2B,0x01,0x04,0x08,                    /* [4965] OBJ_wap_wsg_idm_ecid_wtls8 */
+0x67,0x2B,0x01,0x04,0x09,                    /* [4970] OBJ_wap_wsg_idm_ecid_wtls9 */
+0x67,0x2B,0x01,0x04,0x0A,                    /* [4975] OBJ_wap_wsg_idm_ecid_wtls10 */
+0x67,0x2B,0x01,0x04,0x0B,                    /* [4980] OBJ_wap_wsg_idm_ecid_wtls11 */
+0x67,0x2B,0x01,0x04,0x0C,                    /* [4985] OBJ_wap_wsg_idm_ecid_wtls12 */
+0x55,0x1D,0x20,0x00,                         /* [4990] OBJ_any_policy */
+0x55,0x1D,0x21,                              /* [4994] OBJ_policy_mappings */
+0x55,0x1D,0x36,                              /* [4997] OBJ_inhibit_any_policy */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x02,/* [5000] OBJ_camellia_128_cbc */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x03,/* [5011] OBJ_camellia_192_cbc */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x04,/* [5022] OBJ_camellia_256_cbc */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x01,     /* [5033] OBJ_camellia_128_ecb */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x15,     /* [5041] OBJ_camellia_192_ecb */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x29,     /* [5049] OBJ_camellia_256_ecb */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x04,     /* [5057] OBJ_camellia_128_cfb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x18,     /* [5065] OBJ_camellia_192_cfb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2C,     /* [5073] OBJ_camellia_256_cfb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x03,     /* [5081] OBJ_camellia_128_ofb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x17,     /* [5089] OBJ_camellia_192_ofb128 */
+0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2B,     /* [5097] OBJ_camellia_256_ofb128 */
+0x55,0x1D,0x09,                              /* [5105] OBJ_subject_directory_attributes */
+0x55,0x1D,0x1C,                              /* [5108] OBJ_issuing_distribution_point */
+0x55,0x1D,0x1D,                              /* [5111] OBJ_certificate_issuer */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,               /* [5114] OBJ_kisa */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x03,     /* [5120] OBJ_seed_ecb */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x04,     /* [5128] OBJ_seed_cbc */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x06,     /* [5136] OBJ_seed_ofb128 */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x05,     /* [5144] OBJ_seed_cfb128 */
+0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x01,     /* [5152] OBJ_hmac_md5 */
+0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x02,     /* [5160] OBJ_hmac_sha1 */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0D,/* [5168] OBJ_id_PasswordBasedMAC */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x1E,/* [5177] OBJ_id_DHBasedMac */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x10,     /* [5186] OBJ_id_it_suppLangTags */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x05,     /* [5194] OBJ_caRepository */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x09,/* [5202] OBJ_id_smime_ct_compressedData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1B,/* [5213] OBJ_id_ct_asciiTextWithCRLF */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x05,/* [5224] OBJ_id_aes128_wrap */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x19,/* [5233] OBJ_id_aes192_wrap */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2D,/* [5242] OBJ_id_aes256_wrap */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x02,          /* [5251] OBJ_ecdsa_with_Recommended */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,          /* [5258] OBJ_ecdsa_with_Specified */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x01,     /* [5265] OBJ_ecdsa_with_SHA224 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,     /* [5273] OBJ_ecdsa_with_SHA256 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,     /* [5281] OBJ_ecdsa_with_SHA384 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04,     /* [5289] OBJ_ecdsa_with_SHA512 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x06,     /* [5297] OBJ_hmacWithMD5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x08,     /* [5305] OBJ_hmacWithSHA224 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x09,     /* [5313] OBJ_hmacWithSHA256 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0A,     /* [5321] OBJ_hmacWithSHA384 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0B,     /* [5329] OBJ_hmacWithSHA512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x01,/* [5337] OBJ_dsa_with_SHA224 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x02,/* [5346] OBJ_dsa_with_SHA256 */
+0x28,0xCF,0x06,0x03,0x00,0x37,               /* [5355] OBJ_whirlpool */
+0x2A,0x85,0x03,0x02,0x02,                    /* [5361] OBJ_cryptopro */
+0x2A,0x85,0x03,0x02,0x09,                    /* [5366] OBJ_cryptocom */
+0x2A,0x85,0x03,0x02,0x02,0x03,               /* [5371] OBJ_id_GostR3411_94_with_GostR3410_2001 */
+0x2A,0x85,0x03,0x02,0x02,0x04,               /* [5377] OBJ_id_GostR3411_94_with_GostR3410_94 */
+0x2A,0x85,0x03,0x02,0x02,0x09,               /* [5383] OBJ_id_GostR3411_94 */
+0x2A,0x85,0x03,0x02,0x02,0x0A,               /* [5389] OBJ_id_HMACGostR3411_94 */
+0x2A,0x85,0x03,0x02,0x02,0x13,               /* [5395] OBJ_id_GostR3410_2001 */
+0x2A,0x85,0x03,0x02,0x02,0x14,               /* [5401] OBJ_id_GostR3410_94 */
+0x2A,0x85,0x03,0x02,0x02,0x15,               /* [5407] OBJ_id_Gost28147_89 */
+0x2A,0x85,0x03,0x02,0x02,0x16,               /* [5413] OBJ_id_Gost28147_89_MAC */
+0x2A,0x85,0x03,0x02,0x02,0x17,               /* [5419] OBJ_id_GostR3411_94_prf */
+0x2A,0x85,0x03,0x02,0x02,0x62,               /* [5425] OBJ_id_GostR3410_2001DH */
+0x2A,0x85,0x03,0x02,0x02,0x63,               /* [5431] OBJ_id_GostR3410_94DH */
+0x2A,0x85,0x03,0x02,0x02,0x0E,0x01,          /* [5437] OBJ_id_Gost28147_89_CryptoPro_KeyMeshing */
+0x2A,0x85,0x03,0x02,0x02,0x0E,0x00,          /* [5444] OBJ_id_Gost28147_89_None_KeyMeshing */
+0x2A,0x85,0x03,0x02,0x02,0x1E,0x00,          /* [5451] OBJ_id_GostR3411_94_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1E,0x01,          /* [5458] OBJ_id_GostR3411_94_CryptoProParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x00,          /* [5465] OBJ_id_Gost28147_89_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x01,          /* [5472] OBJ_id_Gost28147_89_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x02,          /* [5479] OBJ_id_Gost28147_89_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x03,          /* [5486] OBJ_id_Gost28147_89_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x04,          /* [5493] OBJ_id_Gost28147_89_CryptoPro_D_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x05,          /* [5500] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x06,          /* [5507] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x07,          /* [5514] OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x00,          /* [5521] OBJ_id_GostR3410_94_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x02,          /* [5528] OBJ_id_GostR3410_94_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x03,          /* [5535] OBJ_id_GostR3410_94_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x04,          /* [5542] OBJ_id_GostR3410_94_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x05,          /* [5549] OBJ_id_GostR3410_94_CryptoPro_D_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x01,          /* [5556] OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x02,          /* [5563] OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x03,          /* [5570] OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x00,          /* [5577] OBJ_id_GostR3410_2001_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x01,          /* [5584] OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x02,          /* [5591] OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x03,          /* [5598] OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x24,0x00,          /* [5605] OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x24,0x01,          /* [5612] OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x01,          /* [5619] OBJ_id_GostR3410_94_a */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x02,          /* [5626] OBJ_id_GostR3410_94_aBis */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x03,          /* [5633] OBJ_id_GostR3410_94_b */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x04,          /* [5640] OBJ_id_GostR3410_94_bBis */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x06,0x01,     /* [5647] OBJ_id_Gost28147_89_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x03,     /* [5655] OBJ_id_GostR3410_94_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x04,     /* [5663] OBJ_id_GostR3410_2001_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x03,     /* [5671] OBJ_id_GostR3411_94_with_GostR3410_94_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x04,     /* [5679] OBJ_id_GostR3411_94_with_GostR3410_2001_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x08,0x01,     /* [5687] OBJ_id_GostR3410_2001_ParamSet_cc */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x02,/* [5695] OBJ_LocalKeySet */
+0x55,0x1D,0x2E,                              /* [5704] OBJ_freshest_crl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x03,     /* [5707] OBJ_id_on_permanentIdentifier */
+0x55,0x04,0x0E,                              /* [5715] OBJ_searchGuide */
+0x55,0x04,0x0F,                              /* [5718] OBJ_businessCategory */
+0x55,0x04,0x10,                              /* [5721] OBJ_postalAddress */
+0x55,0x04,0x12,                              /* [5724] OBJ_postOfficeBox */
+0x55,0x04,0x13,                              /* [5727] OBJ_physicalDeliveryOfficeName */
+0x55,0x04,0x14,                              /* [5730] OBJ_telephoneNumber */
+0x55,0x04,0x15,                              /* [5733] OBJ_telexNumber */
+0x55,0x04,0x16,                              /* [5736] OBJ_teletexTerminalIdentifier */
+0x55,0x04,0x17,                              /* [5739] OBJ_facsimileTelephoneNumber */
+0x55,0x04,0x18,                              /* [5742] OBJ_x121Address */
+0x55,0x04,0x19,                              /* [5745] OBJ_internationaliSDNNumber */
+0x55,0x04,0x1A,                              /* [5748] OBJ_registeredAddress */
+0x55,0x04,0x1B,                              /* [5751] OBJ_destinationIndicator */
+0x55,0x04,0x1C,                              /* [5754] OBJ_preferredDeliveryMethod */
+0x55,0x04,0x1D,                              /* [5757] OBJ_presentationAddress */
+0x55,0x04,0x1E,                              /* [5760] OBJ_supportedApplicationContext */
+0x55,0x04,0x1F,                              /* [5763] OBJ_member */
+0x55,0x04,0x20,                              /* [5766] OBJ_owner */
+0x55,0x04,0x21,                              /* [5769] OBJ_roleOccupant */
+0x55,0x04,0x22,                              /* [5772] OBJ_seeAlso */
+0x55,0x04,0x23,                              /* [5775] OBJ_userPassword */
+0x55,0x04,0x24,                              /* [5778] OBJ_userCertificate */
+0x55,0x04,0x25,                              /* [5781] OBJ_cACertificate */
+0x55,0x04,0x26,                              /* [5784] OBJ_authorityRevocationList */
+0x55,0x04,0x27,                              /* [5787] OBJ_certificateRevocationList */
+0x55,0x04,0x28,                              /* [5790] OBJ_crossCertificatePair */
+0x55,0x04,0x2F,                              /* [5793] OBJ_enhancedSearchGuide */
+0x55,0x04,0x30,                              /* [5796] OBJ_protocolInformation */
+0x55,0x04,0x31,                              /* [5799] OBJ_distinguishedName */
+0x55,0x04,0x32,                              /* [5802] OBJ_uniqueMember */
+0x55,0x04,0x33,                              /* [5805] OBJ_houseIdentifier */
+0x55,0x04,0x34,                              /* [5808] OBJ_supportedAlgorithms */
+0x55,0x04,0x35,                              /* [5811] OBJ_deltaRevocationList */
+0x55,0x04,0x36,                              /* [5814] OBJ_dmdName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x09,/* [5817] OBJ_id_alg_PWRI_KEK */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x06,/* [5828] OBJ_aes_128_gcm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x07,/* [5837] OBJ_aes_128_ccm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x08,/* [5846] OBJ_id_aes128_wrap_pad */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1A,/* [5855] OBJ_aes_192_gcm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1B,/* [5864] OBJ_aes_192_ccm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1C,/* [5873] OBJ_id_aes192_wrap_pad */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2E,/* [5882] OBJ_aes_256_gcm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2F,/* [5891] OBJ_aes_256_ccm */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x30,/* [5900] OBJ_id_aes256_wrap_pad */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x02,/* [5909] OBJ_id_camellia128_wrap */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x03,/* [5920] OBJ_id_camellia192_wrap */
+0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x04,/* [5931] OBJ_id_camellia256_wrap */
+0x55,0x1D,0x25,0x00,                         /* [5942] OBJ_anyExtendedKeyUsage */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x08,/* [5946] OBJ_mgf1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0A,/* [5955] OBJ_rsassaPss */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x07,/* [5964] OBJ_rsaesOaep */
 };
 
 static const ASN1_OBJECT nid_objs[NUM_NID]={
-{"UNDEF","undefined",NID_undef,1,&(lvalues[0]),0},
-{"rsadsi","RSA Data Security, Inc.",NID_rsadsi,6,&(lvalues[1]),0},
-{"pkcs","RSA Data Security, Inc. PKCS",NID_pkcs,7,&(lvalues[7]),0},
-{"MD2","md2",NID_md2,8,&(lvalues[14]),0},
-{"MD5","md5",NID_md5,8,&(lvalues[22]),0},
-{"RC4","rc4",NID_rc4,8,&(lvalues[30]),0},
-{"rsaEncryption","rsaEncryption",NID_rsaEncryption,9,&(lvalues[38]),0},
+{"UNDEF","undefined",NID_undef,0,NULL,0},
+{"rsadsi","RSA Data Security, Inc.",NID_rsadsi,6,&(lvalues[0]),0},
+{"pkcs","RSA Data Security, Inc. PKCS",NID_pkcs,7,&(lvalues[6]),0},
+{"MD2","md2",NID_md2,8,&(lvalues[13]),0},
+{"MD5","md5",NID_md5,8,&(lvalues[21]),0},
+{"RC4","rc4",NID_rc4,8,&(lvalues[29]),0},
+{"rsaEncryption","rsaEncryption",NID_rsaEncryption,9,&(lvalues[37]),0},
 {"RSA-MD2","md2WithRSAEncryption",NID_md2WithRSAEncryption,9,
-	&(lvalues[47]),0},
+	&(lvalues[46]),0},
 {"RSA-MD5","md5WithRSAEncryption",NID_md5WithRSAEncryption,9,
-	&(lvalues[56]),0},
+	&(lvalues[55]),0},
 {"PBE-MD2-DES","pbeWithMD2AndDES-CBC",NID_pbeWithMD2AndDES_CBC,9,
-	&(lvalues[65]),0},
+	&(lvalues[64]),0},
 {"PBE-MD5-DES","pbeWithMD5AndDES-CBC",NID_pbeWithMD5AndDES_CBC,9,
-	&(lvalues[74]),0},
-{"X500","directory services (X.500)",NID_X500,1,&(lvalues[83]),0},
-{"X509","X509",NID_X509,2,&(lvalues[84]),0},
-{"CN","commonName",NID_commonName,3,&(lvalues[86]),0},
-{"C","countryName",NID_countryName,3,&(lvalues[89]),0},
-{"L","localityName",NID_localityName,3,&(lvalues[92]),0},
-{"ST","stateOrProvinceName",NID_stateOrProvinceName,3,&(lvalues[95]),0},
-{"O","organizationName",NID_organizationName,3,&(lvalues[98]),0},
+	&(lvalues[73]),0},
+{"X500","directory services (X.500)",NID_X500,1,&(lvalues[82]),0},
+{"X509","X509",NID_X509,2,&(lvalues[83]),0},
+{"CN","commonName",NID_commonName,3,&(lvalues[85]),0},
+{"C","countryName",NID_countryName,3,&(lvalues[88]),0},
+{"L","localityName",NID_localityName,3,&(lvalues[91]),0},
+{"ST","stateOrProvinceName",NID_stateOrProvinceName,3,&(lvalues[94]),0},
+{"O","organizationName",NID_organizationName,3,&(lvalues[97]),0},
 {"OU","organizationalUnitName",NID_organizationalUnitName,3,
-	&(lvalues[101]),0},
-{"RSA","rsa",NID_rsa,4,&(lvalues[104]),0},
-{"pkcs7","pkcs7",NID_pkcs7,8,&(lvalues[108]),0},
-{"pkcs7-data","pkcs7-data",NID_pkcs7_data,9,&(lvalues[116]),0},
+	&(lvalues[100]),0},
+{"RSA","rsa",NID_rsa,4,&(lvalues[103]),0},
+{"pkcs7","pkcs7",NID_pkcs7,8,&(lvalues[107]),0},
+{"pkcs7-data","pkcs7-data",NID_pkcs7_data,9,&(lvalues[115]),0},
 {"pkcs7-signedData","pkcs7-signedData",NID_pkcs7_signed,9,
-	&(lvalues[125]),0},
+	&(lvalues[124]),0},
 {"pkcs7-envelopedData","pkcs7-envelopedData",NID_pkcs7_enveloped,9,
-	&(lvalues[134]),0},
+	&(lvalues[133]),0},
 {"pkcs7-signedAndEnvelopedData","pkcs7-signedAndEnvelopedData",
-	NID_pkcs7_signedAndEnveloped,9,&(lvalues[143]),0},
+	NID_pkcs7_signedAndEnveloped,9,&(lvalues[142]),0},
 {"pkcs7-digestData","pkcs7-digestData",NID_pkcs7_digest,9,
-	&(lvalues[152]),0},
+	&(lvalues[151]),0},
 {"pkcs7-encryptedData","pkcs7-encryptedData",NID_pkcs7_encrypted,9,
-	&(lvalues[161]),0},
-{"pkcs3","pkcs3",NID_pkcs3,8,&(lvalues[170]),0},
+	&(lvalues[160]),0},
+{"pkcs3","pkcs3",NID_pkcs3,8,&(lvalues[169]),0},
 {"dhKeyAgreement","dhKeyAgreement",NID_dhKeyAgreement,9,
-	&(lvalues[178]),0},
-{"DES-ECB","des-ecb",NID_des_ecb,5,&(lvalues[187]),0},
-{"DES-CFB","des-cfb",NID_des_cfb64,5,&(lvalues[192]),0},
-{"DES-CBC","des-cbc",NID_des_cbc,5,&(lvalues[197]),0},
-{"DES-EDE","des-ede",NID_des_ede_ecb,5,&(lvalues[202]),0},
+	&(lvalues[177]),0},
+{"DES-ECB","des-ecb",NID_des_ecb,5,&(lvalues[186]),0},
+{"DES-CFB","des-cfb",NID_des_cfb64,5,&(lvalues[191]),0},
+{"DES-CBC","des-cbc",NID_des_cbc,5,&(lvalues[196]),0},
+{"DES-EDE","des-ede",NID_des_ede_ecb,5,&(lvalues[201]),0},
 {"DES-EDE3","des-ede3",NID_des_ede3_ecb,0,NULL,0},
-{"IDEA-CBC","idea-cbc",NID_idea_cbc,11,&(lvalues[207]),0},
+{"IDEA-CBC","idea-cbc",NID_idea_cbc,11,&(lvalues[206]),0},
 {"IDEA-CFB","idea-cfb",NID_idea_cfb64,0,NULL,0},
 {"IDEA-ECB","idea-ecb",NID_idea_ecb,0,NULL,0},
-{"RC2-CBC","rc2-cbc",NID_rc2_cbc,8,&(lvalues[218]),0},
+{"RC2-CBC","rc2-cbc",NID_rc2_cbc,8,&(lvalues[217]),0},
 {"RC2-ECB","rc2-ecb",NID_rc2_ecb,0,NULL,0},
 {"RC2-CFB","rc2-cfb",NID_rc2_cfb64,0,NULL,0},
 {"RC2-OFB","rc2-ofb",NID_rc2_ofb64,0,NULL,0},
-{"SHA","sha",NID_sha,5,&(lvalues[226]),0},
+{"SHA","sha",NID_sha,5,&(lvalues[225]),0},
 {"RSA-SHA","shaWithRSAEncryption",NID_shaWithRSAEncryption,5,
-	&(lvalues[231]),0},
+	&(lvalues[230]),0},
 {"DES-EDE-CBC","des-ede-cbc",NID_des_ede_cbc,0,NULL,0},
-{"DES-EDE3-CBC","des-ede3-cbc",NID_des_ede3_cbc,8,&(lvalues[236]),0},
-{"DES-OFB","des-ofb",NID_des_ofb64,5,&(lvalues[244]),0},
+{"DES-EDE3-CBC","des-ede3-cbc",NID_des_ede3_cbc,8,&(lvalues[235]),0},
+{"DES-OFB","des-ofb",NID_des_ofb64,5,&(lvalues[243]),0},
 {"IDEA-OFB","idea-ofb",NID_idea_ofb64,0,NULL,0},
-{"pkcs9","pkcs9",NID_pkcs9,8,&(lvalues[249]),0},
+{"pkcs9","pkcs9",NID_pkcs9,8,&(lvalues[248]),0},
 {"emailAddress","emailAddress",NID_pkcs9_emailAddress,9,
-	&(lvalues[257]),0},
+	&(lvalues[256]),0},
 {"unstructuredName","unstructuredName",NID_pkcs9_unstructuredName,9,
-	&(lvalues[266]),0},
-{"contentType","contentType",NID_pkcs9_contentType,9,&(lvalues[275]),0},
+	&(lvalues[265]),0},
+{"contentType","contentType",NID_pkcs9_contentType,9,&(lvalues[274]),0},
 {"messageDigest","messageDigest",NID_pkcs9_messageDigest,9,
-	&(lvalues[284]),0},
-{"signingTime","signingTime",NID_pkcs9_signingTime,9,&(lvalues[293]),0},
+	&(lvalues[283]),0},
+{"signingTime","signingTime",NID_pkcs9_signingTime,9,&(lvalues[292]),0},
 {"countersignature","countersignature",NID_pkcs9_countersignature,9,
-	&(lvalues[302]),0},
+	&(lvalues[301]),0},
 {"challengePassword","challengePassword",NID_pkcs9_challengePassword,
-	9,&(lvalues[311]),0},
+	9,&(lvalues[310]),0},
 {"unstructuredAddress","unstructuredAddress",
-	NID_pkcs9_unstructuredAddress,9,&(lvalues[320]),0},
+	NID_pkcs9_unstructuredAddress,9,&(lvalues[319]),0},
 {"extendedCertificateAttributes","extendedCertificateAttributes",
-	NID_pkcs9_extCertAttributes,9,&(lvalues[329]),0},
+	NID_pkcs9_extCertAttributes,9,&(lvalues[328]),0},
 {"Netscape","Netscape Communications Corp.",NID_netscape,7,
-	&(lvalues[338]),0},
+	&(lvalues[337]),0},
 {"nsCertExt","Netscape Certificate Extension",
-	NID_netscape_cert_extension,8,&(lvalues[345]),0},
+	NID_netscape_cert_extension,8,&(lvalues[344]),0},
 {"nsDataType","Netscape Data Type",NID_netscape_data_type,8,
-	&(lvalues[353]),0},
+	&(lvalues[352]),0},
 {"DES-EDE-CFB","des-ede-cfb",NID_des_ede_cfb64,0,NULL,0},
 {"DES-EDE3-CFB","des-ede3-cfb",NID_des_ede3_cfb64,0,NULL,0},
 {"DES-EDE-OFB","des-ede-ofb",NID_des_ede_ofb64,0,NULL,0},
 {"DES-EDE3-OFB","des-ede3-ofb",NID_des_ede3_ofb64,0,NULL,0},
-{"SHA1","sha1",NID_sha1,5,&(lvalues[361]),0},
+{"SHA1","sha1",NID_sha1,5,&(lvalues[360]),0},
 {"RSA-SHA1","sha1WithRSAEncryption",NID_sha1WithRSAEncryption,9,
-	&(lvalues[366]),0},
-{"DSA-SHA","dsaWithSHA",NID_dsaWithSHA,5,&(lvalues[375]),0},
-{"DSA-old","dsaEncryption-old",NID_dsa_2,5,&(lvalues[380]),0},
+	&(lvalues[365]),0},
+{"DSA-SHA","dsaWithSHA",NID_dsaWithSHA,5,&(lvalues[374]),0},
+{"DSA-old","dsaEncryption-old",NID_dsa_2,5,&(lvalues[379]),0},
 {"PBE-SHA1-RC2-64","pbeWithSHA1AndRC2-CBC",NID_pbeWithSHA1AndRC2_CBC,
-	9,&(lvalues[385]),0},
-{"PBKDF2","PBKDF2",NID_id_pbkdf2,9,&(lvalues[394]),0},
-{"DSA-SHA1-old","dsaWithSHA1-old",NID_dsaWithSHA1_2,5,&(lvalues[403]),0},
+	9,&(lvalues[384]),0},
+{"PBKDF2","PBKDF2",NID_id_pbkdf2,9,&(lvalues[393]),0},
+{"DSA-SHA1-old","dsaWithSHA1-old",NID_dsaWithSHA1_2,5,&(lvalues[402]),0},
 {"nsCertType","Netscape Cert Type",NID_netscape_cert_type,9,
-	&(lvalues[408]),0},
+	&(lvalues[407]),0},
 {"nsBaseUrl","Netscape Base Url",NID_netscape_base_url,9,
-	&(lvalues[417]),0},
+	&(lvalues[416]),0},
 {"nsRevocationUrl","Netscape Revocation Url",
-	NID_netscape_revocation_url,9,&(lvalues[426]),0},
+	NID_netscape_revocation_url,9,&(lvalues[425]),0},
 {"nsCaRevocationUrl","Netscape CA Revocation Url",
-	NID_netscape_ca_revocation_url,9,&(lvalues[435]),0},
+	NID_netscape_ca_revocation_url,9,&(lvalues[434]),0},
 {"nsRenewalUrl","Netscape Renewal Url",NID_netscape_renewal_url,9,
-	&(lvalues[444]),0},
+	&(lvalues[443]),0},
 {"nsCaPolicyUrl","Netscape CA Policy Url",NID_netscape_ca_policy_url,
-	9,&(lvalues[453]),0},
+	9,&(lvalues[452]),0},
 {"nsSslServerName","Netscape SSL Server Name",
-	NID_netscape_ssl_server_name,9,&(lvalues[462]),0},
-{"nsComment","Netscape Comment",NID_netscape_comment,9,&(lvalues[471]),0},
+	NID_netscape_ssl_server_name,9,&(lvalues[461]),0},
+{"nsComment","Netscape Comment",NID_netscape_comment,9,&(lvalues[470]),0},
 {"nsCertSequence","Netscape Certificate Sequence",
-	NID_netscape_cert_sequence,9,&(lvalues[480]),0},
+	NID_netscape_cert_sequence,9,&(lvalues[479]),0},
 {"DESX-CBC","desx-cbc",NID_desx_cbc,0,NULL,0},
-{"id-ce","id-ce",NID_id_ce,2,&(lvalues[489]),0},
+{"id-ce","id-ce",NID_id_ce,2,&(lvalues[488]),0},
 {"subjectKeyIdentifier","X509v3 Subject Key Identifier",
-	NID_subject_key_identifier,3,&(lvalues[491]),0},
-{"keyUsage","X509v3 Key Usage",NID_key_usage,3,&(lvalues[494]),0},
+	NID_subject_key_identifier,3,&(lvalues[490]),0},
+{"keyUsage","X509v3 Key Usage",NID_key_usage,3,&(lvalues[493]),0},
 {"privateKeyUsagePeriod","X509v3 Private Key Usage Period",
-	NID_private_key_usage_period,3,&(lvalues[497]),0},
+	NID_private_key_usage_period,3,&(lvalues[496]),0},
 {"subjectAltName","X509v3 Subject Alternative Name",
-	NID_subject_alt_name,3,&(lvalues[500]),0},
+	NID_subject_alt_name,3,&(lvalues[499]),0},
 {"issuerAltName","X509v3 Issuer Alternative Name",NID_issuer_alt_name,
-	3,&(lvalues[503]),0},
+	3,&(lvalues[502]),0},
 {"basicConstraints","X509v3 Basic Constraints",NID_basic_constraints,
-	3,&(lvalues[506]),0},
-{"crlNumber","X509v3 CRL Number",NID_crl_number,3,&(lvalues[509]),0},
+	3,&(lvalues[505]),0},
+{"crlNumber","X509v3 CRL Number",NID_crl_number,3,&(lvalues[508]),0},
 {"certificatePolicies","X509v3 Certificate Policies",
-	NID_certificate_policies,3,&(lvalues[512]),0},
+	NID_certificate_policies,3,&(lvalues[511]),0},
 {"authorityKeyIdentifier","X509v3 Authority Key Identifier",
-	NID_authority_key_identifier,3,&(lvalues[515]),0},
-{"BF-CBC","bf-cbc",NID_bf_cbc,9,&(lvalues[518]),0},
+	NID_authority_key_identifier,3,&(lvalues[514]),0},
+{"BF-CBC","bf-cbc",NID_bf_cbc,9,&(lvalues[517]),0},
 {"BF-ECB","bf-ecb",NID_bf_ecb,0,NULL,0},
 {"BF-CFB","bf-cfb",NID_bf_cfb64,0,NULL,0},
 {"BF-OFB","bf-ofb",NID_bf_ofb64,0,NULL,0},
-{"MDC2","mdc2",NID_mdc2,4,&(lvalues[527]),0},
-{"RSA-MDC2","mdc2WithRSA",NID_mdc2WithRSA,4,&(lvalues[531]),0},
+{"MDC2","mdc2",NID_mdc2,4,&(lvalues[526]),0},
+{"RSA-MDC2","mdc2WithRSA",NID_mdc2WithRSA,4,&(lvalues[530]),0},
 {"RC4-40","rc4-40",NID_rc4_40,0,NULL,0},
 {"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL,0},
-{"GN","givenName",NID_givenName,3,&(lvalues[535]),0},
-{"SN","surname",NID_surname,3,&(lvalues[538]),0},
-{"initials","initials",NID_initials,3,&(lvalues[541]),0},
+{"GN","givenName",NID_givenName,3,&(lvalues[534]),0},
+{"SN","surname",NID_surname,3,&(lvalues[537]),0},
+{"initials","initials",NID_initials,3,&(lvalues[540]),0},
 {NULL,NULL,NID_undef,0,NULL,0},
 {"crlDistributionPoints","X509v3 CRL Distribution Points",
-	NID_crl_distribution_points,3,&(lvalues[544]),0},
-{"RSA-NP-MD5","md5WithRSA",NID_md5WithRSA,5,&(lvalues[547]),0},
-{"serialNumber","serialNumber",NID_serialNumber,3,&(lvalues[552]),0},
-{"title","title",NID_title,3,&(lvalues[555]),0},
-{"description","description",NID_description,3,&(lvalues[558]),0},
-{"CAST5-CBC","cast5-cbc",NID_cast5_cbc,9,&(lvalues[561]),0},
+	NID_crl_distribution_points,3,&(lvalues[543]),0},
+{"RSA-NP-MD5","md5WithRSA",NID_md5WithRSA,5,&(lvalues[546]),0},
+{"serialNumber","serialNumber",NID_serialNumber,3,&(lvalues[551]),0},
+{"title","title",NID_title,3,&(lvalues[554]),0},
+{"description","description",NID_description,3,&(lvalues[557]),0},
+{"CAST5-CBC","cast5-cbc",NID_cast5_cbc,9,&(lvalues[560]),0},
 {"CAST5-ECB","cast5-ecb",NID_cast5_ecb,0,NULL,0},
 {"CAST5-CFB","cast5-cfb",NID_cast5_cfb64,0,NULL,0},
 {"CAST5-OFB","cast5-ofb",NID_cast5_ofb64,0,NULL,0},
 {"pbeWithMD5AndCast5CBC","pbeWithMD5AndCast5CBC",
-	NID_pbeWithMD5AndCast5_CBC,9,&(lvalues[570]),0},
-{"DSA-SHA1","dsaWithSHA1",NID_dsaWithSHA1,7,&(lvalues[579]),0},
+	NID_pbeWithMD5AndCast5_CBC,9,&(lvalues[569]),0},
+{"DSA-SHA1","dsaWithSHA1",NID_dsaWithSHA1,7,&(lvalues[578]),0},
 {"MD5-SHA1","md5-sha1",NID_md5_sha1,0,NULL,0},
-{"RSA-SHA1-2","sha1WithRSA",NID_sha1WithRSA,5,&(lvalues[586]),0},
-{"DSA","dsaEncryption",NID_dsa,7,&(lvalues[591]),0},
-{"RIPEMD160","ripemd160",NID_ripemd160,5,&(lvalues[598]),0},
+{"RSA-SHA1-2","sha1WithRSA",NID_sha1WithRSA,5,&(lvalues[585]),0},
+{"DSA","dsaEncryption",NID_dsa,7,&(lvalues[590]),0},
+{"RIPEMD160","ripemd160",NID_ripemd160,5,&(lvalues[597]),0},
 {NULL,NULL,NID_undef,0,NULL,0},
 {"RSA-RIPEMD160","ripemd160WithRSA",NID_ripemd160WithRSA,6,
-	&(lvalues[603]),0},
-{"RC5-CBC","rc5-cbc",NID_rc5_cbc,8,&(lvalues[609]),0},
+	&(lvalues[602]),0},
+{"RC5-CBC","rc5-cbc",NID_rc5_cbc,8,&(lvalues[608]),0},
 {"RC5-ECB","rc5-ecb",NID_rc5_ecb,0,NULL,0},
 {"RC5-CFB","rc5-cfb",NID_rc5_cfb64,0,NULL,0},
 {"RC5-OFB","rc5-ofb",NID_rc5_ofb64,0,NULL,0},
-{"RLE","run length compression",NID_rle_compression,6,&(lvalues[617]),0},
-{"ZLIB","zlib compression",NID_zlib_compression,11,&(lvalues[623]),0},
+{"RLE","run length compression",NID_rle_compression,6,&(lvalues[616]),0},
+{"ZLIB","zlib compression",NID_zlib_compression,11,&(lvalues[622]),0},
 {"extendedKeyUsage","X509v3 Extended Key Usage",NID_ext_key_usage,3,
-	&(lvalues[634]),0},
-{"PKIX","PKIX",NID_id_pkix,6,&(lvalues[637]),0},
-{"id-kp","id-kp",NID_id_kp,7,&(lvalues[643]),0},
+	&(lvalues[633]),0},
+{"PKIX","PKIX",NID_id_pkix,6,&(lvalues[636]),0},
+{"id-kp","id-kp",NID_id_kp,7,&(lvalues[642]),0},
 {"serverAuth","TLS Web Server Authentication",NID_server_auth,8,
-	&(lvalues[650]),0},
+	&(lvalues[649]),0},
 {"clientAuth","TLS Web Client Authentication",NID_client_auth,8,
-	&(lvalues[658]),0},
-{"codeSigning","Code Signing",NID_code_sign,8,&(lvalues[666]),0},
+	&(lvalues[657]),0},
+{"codeSigning","Code Signing",NID_code_sign,8,&(lvalues[665]),0},
 {"emailProtection","E-mail Protection",NID_email_protect,8,
-	&(lvalues[674]),0},
-{"timeStamping","Time Stamping",NID_time_stamp,8,&(lvalues[682]),0},
+	&(lvalues[673]),0},
+{"timeStamping","Time Stamping",NID_time_stamp,8,&(lvalues[681]),0},
 {"msCodeInd","Microsoft Individual Code Signing",NID_ms_code_ind,10,
-	&(lvalues[690]),0},
+	&(lvalues[689]),0},
 {"msCodeCom","Microsoft Commercial Code Signing",NID_ms_code_com,10,
-	&(lvalues[700]),0},
+	&(lvalues[699]),0},
 {"msCTLSign","Microsoft Trust List Signing",NID_ms_ctl_sign,10,
-	&(lvalues[710]),0},
-{"msSGC","Microsoft Server Gated Crypto",NID_ms_sgc,10,&(lvalues[720]),0},
+	&(lvalues[709]),0},
+{"msSGC","Microsoft Server Gated Crypto",NID_ms_sgc,10,&(lvalues[719]),0},
 {"msEFS","Microsoft Encrypted File System",NID_ms_efs,10,
-	&(lvalues[730]),0},
-{"nsSGC","Netscape Server Gated Crypto",NID_ns_sgc,9,&(lvalues[740]),0},
+	&(lvalues[729]),0},
+{"nsSGC","Netscape Server Gated Crypto",NID_ns_sgc,9,&(lvalues[739]),0},
 {"deltaCRL","X509v3 Delta CRL Indicator",NID_delta_crl,3,
-	&(lvalues[749]),0},
-{"CRLReason","X509v3 CRL Reason Code",NID_crl_reason,3,&(lvalues[752]),0},
+	&(lvalues[748]),0},
+{"CRLReason","X509v3 CRL Reason Code",NID_crl_reason,3,&(lvalues[751]),0},
 {"invalidityDate","Invalidity Date",NID_invalidity_date,3,
-	&(lvalues[755]),0},
-{"SXNetID","Strong Extranet ID",NID_sxnet,5,&(lvalues[758]),0},
+	&(lvalues[754]),0},
+{"SXNetID","Strong Extranet ID",NID_sxnet,5,&(lvalues[757]),0},
 {"PBE-SHA1-RC4-128","pbeWithSHA1And128BitRC4",
-	NID_pbe_WithSHA1And128BitRC4,10,&(lvalues[763]),0},
+	NID_pbe_WithSHA1And128BitRC4,10,&(lvalues[762]),0},
 {"PBE-SHA1-RC4-40","pbeWithSHA1And40BitRC4",
-	NID_pbe_WithSHA1And40BitRC4,10,&(lvalues[773]),0},
+	NID_pbe_WithSHA1And40BitRC4,10,&(lvalues[772]),0},
 {"PBE-SHA1-3DES","pbeWithSHA1And3-KeyTripleDES-CBC",
-	NID_pbe_WithSHA1And3_Key_TripleDES_CBC,10,&(lvalues[783]),0},
+	NID_pbe_WithSHA1And3_Key_TripleDES_CBC,10,&(lvalues[782]),0},
 {"PBE-SHA1-2DES","pbeWithSHA1And2-KeyTripleDES-CBC",
-	NID_pbe_WithSHA1And2_Key_TripleDES_CBC,10,&(lvalues[793]),0},
+	NID_pbe_WithSHA1And2_Key_TripleDES_CBC,10,&(lvalues[792]),0},
 {"PBE-SHA1-RC2-128","pbeWithSHA1And128BitRC2-CBC",
-	NID_pbe_WithSHA1And128BitRC2_CBC,10,&(lvalues[803]),0},
+	NID_pbe_WithSHA1And128BitRC2_CBC,10,&(lvalues[802]),0},
 {"PBE-SHA1-RC2-40","pbeWithSHA1And40BitRC2-CBC",
-	NID_pbe_WithSHA1And40BitRC2_CBC,10,&(lvalues[813]),0},
-{"keyBag","keyBag",NID_keyBag,11,&(lvalues[823]),0},
+	NID_pbe_WithSHA1And40BitRC2_CBC,10,&(lvalues[812]),0},
+{"keyBag","keyBag",NID_keyBag,11,&(lvalues[822]),0},
 {"pkcs8ShroudedKeyBag","pkcs8ShroudedKeyBag",NID_pkcs8ShroudedKeyBag,
-	11,&(lvalues[834]),0},
-{"certBag","certBag",NID_certBag,11,&(lvalues[845]),0},
-{"crlBag","crlBag",NID_crlBag,11,&(lvalues[856]),0},
-{"secretBag","secretBag",NID_secretBag,11,&(lvalues[867]),0},
+	11,&(lvalues[833]),0},
+{"certBag","certBag",NID_certBag,11,&(lvalues[844]),0},
+{"crlBag","crlBag",NID_crlBag,11,&(lvalues[855]),0},
+{"secretBag","secretBag",NID_secretBag,11,&(lvalues[866]),0},
 {"safeContentsBag","safeContentsBag",NID_safeContentsBag,11,
-	&(lvalues[878]),0},
-{"friendlyName","friendlyName",NID_friendlyName,9,&(lvalues[889]),0},
-{"localKeyID","localKeyID",NID_localKeyID,9,&(lvalues[898]),0},
+	&(lvalues[877]),0},
+{"friendlyName","friendlyName",NID_friendlyName,9,&(lvalues[888]),0},
+{"localKeyID","localKeyID",NID_localKeyID,9,&(lvalues[897]),0},
 {"x509Certificate","x509Certificate",NID_x509Certificate,10,
-	&(lvalues[907]),0},
+	&(lvalues[906]),0},
 {"sdsiCertificate","sdsiCertificate",NID_sdsiCertificate,10,
-	&(lvalues[917]),0},
-{"x509Crl","x509Crl",NID_x509Crl,10,&(lvalues[927]),0},
-{"PBES2","PBES2",NID_pbes2,9,&(lvalues[937]),0},
-{"PBMAC1","PBMAC1",NID_pbmac1,9,&(lvalues[946]),0},
-{"hmacWithSHA1","hmacWithSHA1",NID_hmacWithSHA1,8,&(lvalues[955]),0},
-{"id-qt-cps","Policy Qualifier CPS",NID_id_qt_cps,8,&(lvalues[963]),0},
+	&(lvalues[916]),0},
+{"x509Crl","x509Crl",NID_x509Crl,10,&(lvalues[926]),0},
+{"PBES2","PBES2",NID_pbes2,9,&(lvalues[936]),0},
+{"PBMAC1","PBMAC1",NID_pbmac1,9,&(lvalues[945]),0},
+{"hmacWithSHA1","hmacWithSHA1",NID_hmacWithSHA1,8,&(lvalues[954]),0},
+{"id-qt-cps","Policy Qualifier CPS",NID_id_qt_cps,8,&(lvalues[962]),0},
 {"id-qt-unotice","Policy Qualifier User Notice",NID_id_qt_unotice,8,
-	&(lvalues[971]),0},
+	&(lvalues[970]),0},
 {"RC2-64-CBC","rc2-64-cbc",NID_rc2_64_cbc,0,NULL,0},
 {"SMIME-CAPS","S/MIME Capabilities",NID_SMIMECapabilities,9,
-	&(lvalues[979]),0},
+	&(lvalues[978]),0},
 {"PBE-MD2-RC2-64","pbeWithMD2AndRC2-CBC",NID_pbeWithMD2AndRC2_CBC,9,
-	&(lvalues[988]),0},
+	&(lvalues[987]),0},
 {"PBE-MD5-RC2-64","pbeWithMD5AndRC2-CBC",NID_pbeWithMD5AndRC2_CBC,9,
-	&(lvalues[997]),0},
+	&(lvalues[996]),0},
 {"PBE-SHA1-DES","pbeWithSHA1AndDES-CBC",NID_pbeWithSHA1AndDES_CBC,9,
-	&(lvalues[1006]),0},
+	&(lvalues[1005]),0},
 {"msExtReq","Microsoft Extension Request",NID_ms_ext_req,10,
-	&(lvalues[1015]),0},
-{"extReq","Extension Request",NID_ext_req,9,&(lvalues[1025]),0},
-{"name","name",NID_name,3,&(lvalues[1034]),0},
-{"dnQualifier","dnQualifier",NID_dnQualifier,3,&(lvalues[1037]),0},
-{"id-pe","id-pe",NID_id_pe,7,&(lvalues[1040]),0},
-{"id-ad","id-ad",NID_id_ad,7,&(lvalues[1047]),0},
+	&(lvalues[1014]),0},
+{"extReq","Extension Request",NID_ext_req,9,&(lvalues[1024]),0},
+{"name","name",NID_name,3,&(lvalues[1033]),0},
+{"dnQualifier","dnQualifier",NID_dnQualifier,3,&(lvalues[1036]),0},
+{"id-pe","id-pe",NID_id_pe,7,&(lvalues[1039]),0},
+{"id-ad","id-ad",NID_id_ad,7,&(lvalues[1046]),0},
 {"authorityInfoAccess","Authority Information Access",NID_info_access,
-	8,&(lvalues[1054]),0},
-{"OCSP","OCSP",NID_ad_OCSP,8,&(lvalues[1062]),0},
-{"caIssuers","CA Issuers",NID_ad_ca_issuers,8,&(lvalues[1070]),0},
-{"OCSPSigning","OCSP Signing",NID_OCSP_sign,8,&(lvalues[1078]),0},
-{"ISO","iso",NID_iso,1,&(lvalues[1086]),0},
-{"member-body","ISO Member Body",NID_member_body,1,&(lvalues[1087]),0},
-{"ISO-US","ISO US Member Body",NID_ISO_US,3,&(lvalues[1088]),0},
-{"X9-57","X9.57",NID_X9_57,5,&(lvalues[1091]),0},
-{"X9cm","X9.57 CM ?",NID_X9cm,6,&(lvalues[1096]),0},
-{"pkcs1","pkcs1",NID_pkcs1,8,&(lvalues[1102]),0},
-{"pkcs5","pkcs5",NID_pkcs5,8,&(lvalues[1110]),0},
-{"SMIME","S/MIME",NID_SMIME,9,&(lvalues[1118]),0},
-{"id-smime-mod","id-smime-mod",NID_id_smime_mod,10,&(lvalues[1127]),0},
-{"id-smime-ct","id-smime-ct",NID_id_smime_ct,10,&(lvalues[1137]),0},
-{"id-smime-aa","id-smime-aa",NID_id_smime_aa,10,&(lvalues[1147]),0},
-{"id-smime-alg","id-smime-alg",NID_id_smime_alg,10,&(lvalues[1157]),0},
-{"id-smime-cd","id-smime-cd",NID_id_smime_cd,10,&(lvalues[1167]),0},
-{"id-smime-spq","id-smime-spq",NID_id_smime_spq,10,&(lvalues[1177]),0},
-{"id-smime-cti","id-smime-cti",NID_id_smime_cti,10,&(lvalues[1187]),0},
+	8,&(lvalues[1053]),0},
+{"OCSP","OCSP",NID_ad_OCSP,8,&(lvalues[1061]),0},
+{"caIssuers","CA Issuers",NID_ad_ca_issuers,8,&(lvalues[1069]),0},
+{"OCSPSigning","OCSP Signing",NID_OCSP_sign,8,&(lvalues[1077]),0},
+{"ISO","iso",NID_iso,0,NULL,0},
+{"member-body","ISO Member Body",NID_member_body,1,&(lvalues[1085]),0},
+{"ISO-US","ISO US Member Body",NID_ISO_US,3,&(lvalues[1086]),0},
+{"X9-57","X9.57",NID_X9_57,5,&(lvalues[1089]),0},
+{"X9cm","X9.57 CM ?",NID_X9cm,6,&(lvalues[1094]),0},
+{"pkcs1","pkcs1",NID_pkcs1,8,&(lvalues[1100]),0},
+{"pkcs5","pkcs5",NID_pkcs5,8,&(lvalues[1108]),0},
+{"SMIME","S/MIME",NID_SMIME,9,&(lvalues[1116]),0},
+{"id-smime-mod","id-smime-mod",NID_id_smime_mod,10,&(lvalues[1125]),0},
+{"id-smime-ct","id-smime-ct",NID_id_smime_ct,10,&(lvalues[1135]),0},
+{"id-smime-aa","id-smime-aa",NID_id_smime_aa,10,&(lvalues[1145]),0},
+{"id-smime-alg","id-smime-alg",NID_id_smime_alg,10,&(lvalues[1155]),0},
+{"id-smime-cd","id-smime-cd",NID_id_smime_cd,10,&(lvalues[1165]),0},
+{"id-smime-spq","id-smime-spq",NID_id_smime_spq,10,&(lvalues[1175]),0},
+{"id-smime-cti","id-smime-cti",NID_id_smime_cti,10,&(lvalues[1185]),0},
 {"id-smime-mod-cms","id-smime-mod-cms",NID_id_smime_mod_cms,11,
-	&(lvalues[1197]),0},
+	&(lvalues[1195]),0},
 {"id-smime-mod-ess","id-smime-mod-ess",NID_id_smime_mod_ess,11,
-	&(lvalues[1208]),0},
+	&(lvalues[1206]),0},
 {"id-smime-mod-oid","id-smime-mod-oid",NID_id_smime_mod_oid,11,
-	&(lvalues[1219]),0},
+	&(lvalues[1217]),0},
 {"id-smime-mod-msg-v3","id-smime-mod-msg-v3",NID_id_smime_mod_msg_v3,
-	11,&(lvalues[1230]),0},
+	11,&(lvalues[1228]),0},
 {"id-smime-mod-ets-eSignature-88","id-smime-mod-ets-eSignature-88",
-	NID_id_smime_mod_ets_eSignature_88,11,&(lvalues[1241]),0},
+	NID_id_smime_mod_ets_eSignature_88,11,&(lvalues[1239]),0},
 {"id-smime-mod-ets-eSignature-97","id-smime-mod-ets-eSignature-97",
-	NID_id_smime_mod_ets_eSignature_97,11,&(lvalues[1252]),0},
+	NID_id_smime_mod_ets_eSignature_97,11,&(lvalues[1250]),0},
 {"id-smime-mod-ets-eSigPolicy-88","id-smime-mod-ets-eSigPolicy-88",
-	NID_id_smime_mod_ets_eSigPolicy_88,11,&(lvalues[1263]),0},
+	NID_id_smime_mod_ets_eSigPolicy_88,11,&(lvalues[1261]),0},
 {"id-smime-mod-ets-eSigPolicy-97","id-smime-mod-ets-eSigPolicy-97",
-	NID_id_smime_mod_ets_eSigPolicy_97,11,&(lvalues[1274]),0},
+	NID_id_smime_mod_ets_eSigPolicy_97,11,&(lvalues[1272]),0},
 {"id-smime-ct-receipt","id-smime-ct-receipt",NID_id_smime_ct_receipt,
-	11,&(lvalues[1285]),0},
+	11,&(lvalues[1283]),0},
 {"id-smime-ct-authData","id-smime-ct-authData",
-	NID_id_smime_ct_authData,11,&(lvalues[1296]),0},
+	NID_id_smime_ct_authData,11,&(lvalues[1294]),0},
 {"id-smime-ct-publishCert","id-smime-ct-publishCert",
-	NID_id_smime_ct_publishCert,11,&(lvalues[1307]),0},
+	NID_id_smime_ct_publishCert,11,&(lvalues[1305]),0},
 {"id-smime-ct-TSTInfo","id-smime-ct-TSTInfo",NID_id_smime_ct_TSTInfo,
-	11,&(lvalues[1318]),0},
+	11,&(lvalues[1316]),0},
 {"id-smime-ct-TDTInfo","id-smime-ct-TDTInfo",NID_id_smime_ct_TDTInfo,
-	11,&(lvalues[1329]),0},
+	11,&(lvalues[1327]),0},
 {"id-smime-ct-contentInfo","id-smime-ct-contentInfo",
-	NID_id_smime_ct_contentInfo,11,&(lvalues[1340]),0},
+	NID_id_smime_ct_contentInfo,11,&(lvalues[1338]),0},
 {"id-smime-ct-DVCSRequestData","id-smime-ct-DVCSRequestData",
-	NID_id_smime_ct_DVCSRequestData,11,&(lvalues[1351]),0},
+	NID_id_smime_ct_DVCSRequestData,11,&(lvalues[1349]),0},
 {"id-smime-ct-DVCSResponseData","id-smime-ct-DVCSResponseData",
-	NID_id_smime_ct_DVCSResponseData,11,&(lvalues[1362]),0},
+	NID_id_smime_ct_DVCSResponseData,11,&(lvalues[1360]),0},
 {"id-smime-aa-receiptRequest","id-smime-aa-receiptRequest",
-	NID_id_smime_aa_receiptRequest,11,&(lvalues[1373]),0},
+	NID_id_smime_aa_receiptRequest,11,&(lvalues[1371]),0},
 {"id-smime-aa-securityLabel","id-smime-aa-securityLabel",
-	NID_id_smime_aa_securityLabel,11,&(lvalues[1384]),0},
+	NID_id_smime_aa_securityLabel,11,&(lvalues[1382]),0},
 {"id-smime-aa-mlExpandHistory","id-smime-aa-mlExpandHistory",
-	NID_id_smime_aa_mlExpandHistory,11,&(lvalues[1395]),0},
+	NID_id_smime_aa_mlExpandHistory,11,&(lvalues[1393]),0},
 {"id-smime-aa-contentHint","id-smime-aa-contentHint",
-	NID_id_smime_aa_contentHint,11,&(lvalues[1406]),0},
+	NID_id_smime_aa_contentHint,11,&(lvalues[1404]),0},
 {"id-smime-aa-msgSigDigest","id-smime-aa-msgSigDigest",
-	NID_id_smime_aa_msgSigDigest,11,&(lvalues[1417]),0},
+	NID_id_smime_aa_msgSigDigest,11,&(lvalues[1415]),0},
 {"id-smime-aa-encapContentType","id-smime-aa-encapContentType",
-	NID_id_smime_aa_encapContentType,11,&(lvalues[1428]),0},
+	NID_id_smime_aa_encapContentType,11,&(lvalues[1426]),0},
 {"id-smime-aa-contentIdentifier","id-smime-aa-contentIdentifier",
-	NID_id_smime_aa_contentIdentifier,11,&(lvalues[1439]),0},
+	NID_id_smime_aa_contentIdentifier,11,&(lvalues[1437]),0},
 {"id-smime-aa-macValue","id-smime-aa-macValue",
-	NID_id_smime_aa_macValue,11,&(lvalues[1450]),0},
+	NID_id_smime_aa_macValue,11,&(lvalues[1448]),0},
 {"id-smime-aa-equivalentLabels","id-smime-aa-equivalentLabels",
-	NID_id_smime_aa_equivalentLabels,11,&(lvalues[1461]),0},
+	NID_id_smime_aa_equivalentLabels,11,&(lvalues[1459]),0},
 {"id-smime-aa-contentReference","id-smime-aa-contentReference",
-	NID_id_smime_aa_contentReference,11,&(lvalues[1472]),0},
+	NID_id_smime_aa_contentReference,11,&(lvalues[1470]),0},
 {"id-smime-aa-encrypKeyPref","id-smime-aa-encrypKeyPref",
-	NID_id_smime_aa_encrypKeyPref,11,&(lvalues[1483]),0},
+	NID_id_smime_aa_encrypKeyPref,11,&(lvalues[1481]),0},
 {"id-smime-aa-signingCertificate","id-smime-aa-signingCertificate",
-	NID_id_smime_aa_signingCertificate,11,&(lvalues[1494]),0},
+	NID_id_smime_aa_signingCertificate,11,&(lvalues[1492]),0},
 {"id-smime-aa-smimeEncryptCerts","id-smime-aa-smimeEncryptCerts",
-	NID_id_smime_aa_smimeEncryptCerts,11,&(lvalues[1505]),0},
+	NID_id_smime_aa_smimeEncryptCerts,11,&(lvalues[1503]),0},
 {"id-smime-aa-timeStampToken","id-smime-aa-timeStampToken",
-	NID_id_smime_aa_timeStampToken,11,&(lvalues[1516]),0},
+	NID_id_smime_aa_timeStampToken,11,&(lvalues[1514]),0},
 {"id-smime-aa-ets-sigPolicyId","id-smime-aa-ets-sigPolicyId",
-	NID_id_smime_aa_ets_sigPolicyId,11,&(lvalues[1527]),0},
+	NID_id_smime_aa_ets_sigPolicyId,11,&(lvalues[1525]),0},
 {"id-smime-aa-ets-commitmentType","id-smime-aa-ets-commitmentType",
-	NID_id_smime_aa_ets_commitmentType,11,&(lvalues[1538]),0},
+	NID_id_smime_aa_ets_commitmentType,11,&(lvalues[1536]),0},
 {"id-smime-aa-ets-signerLocation","id-smime-aa-ets-signerLocation",
-	NID_id_smime_aa_ets_signerLocation,11,&(lvalues[1549]),0},
+	NID_id_smime_aa_ets_signerLocation,11,&(lvalues[1547]),0},
 {"id-smime-aa-ets-signerAttr","id-smime-aa-ets-signerAttr",
-	NID_id_smime_aa_ets_signerAttr,11,&(lvalues[1560]),0},
+	NID_id_smime_aa_ets_signerAttr,11,&(lvalues[1558]),0},
 {"id-smime-aa-ets-otherSigCert","id-smime-aa-ets-otherSigCert",
-	NID_id_smime_aa_ets_otherSigCert,11,&(lvalues[1571]),0},
+	NID_id_smime_aa_ets_otherSigCert,11,&(lvalues[1569]),0},
 {"id-smime-aa-ets-contentTimestamp",
 	"id-smime-aa-ets-contentTimestamp",
-	NID_id_smime_aa_ets_contentTimestamp,11,&(lvalues[1582]),0},
+	NID_id_smime_aa_ets_contentTimestamp,11,&(lvalues[1580]),0},
 {"id-smime-aa-ets-CertificateRefs","id-smime-aa-ets-CertificateRefs",
-	NID_id_smime_aa_ets_CertificateRefs,11,&(lvalues[1593]),0},
+	NID_id_smime_aa_ets_CertificateRefs,11,&(lvalues[1591]),0},
 {"id-smime-aa-ets-RevocationRefs","id-smime-aa-ets-RevocationRefs",
-	NID_id_smime_aa_ets_RevocationRefs,11,&(lvalues[1604]),0},
+	NID_id_smime_aa_ets_RevocationRefs,11,&(lvalues[1602]),0},
 {"id-smime-aa-ets-certValues","id-smime-aa-ets-certValues",
-	NID_id_smime_aa_ets_certValues,11,&(lvalues[1615]),0},
+	NID_id_smime_aa_ets_certValues,11,&(lvalues[1613]),0},
 {"id-smime-aa-ets-revocationValues",
 	"id-smime-aa-ets-revocationValues",
-	NID_id_smime_aa_ets_revocationValues,11,&(lvalues[1626]),0},
+	NID_id_smime_aa_ets_revocationValues,11,&(lvalues[1624]),0},
 {"id-smime-aa-ets-escTimeStamp","id-smime-aa-ets-escTimeStamp",
-	NID_id_smime_aa_ets_escTimeStamp,11,&(lvalues[1637]),0},
+	NID_id_smime_aa_ets_escTimeStamp,11,&(lvalues[1635]),0},
 {"id-smime-aa-ets-certCRLTimestamp",
 	"id-smime-aa-ets-certCRLTimestamp",
-	NID_id_smime_aa_ets_certCRLTimestamp,11,&(lvalues[1648]),0},
+	NID_id_smime_aa_ets_certCRLTimestamp,11,&(lvalues[1646]),0},
 {"id-smime-aa-ets-archiveTimeStamp",
 	"id-smime-aa-ets-archiveTimeStamp",
-	NID_id_smime_aa_ets_archiveTimeStamp,11,&(lvalues[1659]),0},
+	NID_id_smime_aa_ets_archiveTimeStamp,11,&(lvalues[1657]),0},
 {"id-smime-aa-signatureType","id-smime-aa-signatureType",
-	NID_id_smime_aa_signatureType,11,&(lvalues[1670]),0},
+	NID_id_smime_aa_signatureType,11,&(lvalues[1668]),0},
 {"id-smime-aa-dvcs-dvc","id-smime-aa-dvcs-dvc",
-	NID_id_smime_aa_dvcs_dvc,11,&(lvalues[1681]),0},
+	NID_id_smime_aa_dvcs_dvc,11,&(lvalues[1679]),0},
 {"id-smime-alg-ESDHwith3DES","id-smime-alg-ESDHwith3DES",
-	NID_id_smime_alg_ESDHwith3DES,11,&(lvalues[1692]),0},
+	NID_id_smime_alg_ESDHwith3DES,11,&(lvalues[1690]),0},
 {"id-smime-alg-ESDHwithRC2","id-smime-alg-ESDHwithRC2",
-	NID_id_smime_alg_ESDHwithRC2,11,&(lvalues[1703]),0},
+	NID_id_smime_alg_ESDHwithRC2,11,&(lvalues[1701]),0},
 {"id-smime-alg-3DESwrap","id-smime-alg-3DESwrap",
-	NID_id_smime_alg_3DESwrap,11,&(lvalues[1714]),0},
+	NID_id_smime_alg_3DESwrap,11,&(lvalues[1712]),0},
 {"id-smime-alg-RC2wrap","id-smime-alg-RC2wrap",
-	NID_id_smime_alg_RC2wrap,11,&(lvalues[1725]),0},
+	NID_id_smime_alg_RC2wrap,11,&(lvalues[1723]),0},
 {"id-smime-alg-ESDH","id-smime-alg-ESDH",NID_id_smime_alg_ESDH,11,
-	&(lvalues[1736]),0},
+	&(lvalues[1734]),0},
 {"id-smime-alg-CMS3DESwrap","id-smime-alg-CMS3DESwrap",
-	NID_id_smime_alg_CMS3DESwrap,11,&(lvalues[1747]),0},
+	NID_id_smime_alg_CMS3DESwrap,11,&(lvalues[1745]),0},
 {"id-smime-alg-CMSRC2wrap","id-smime-alg-CMSRC2wrap",
-	NID_id_smime_alg_CMSRC2wrap,11,&(lvalues[1758]),0},
+	NID_id_smime_alg_CMSRC2wrap,11,&(lvalues[1756]),0},
 {"id-smime-cd-ldap","id-smime-cd-ldap",NID_id_smime_cd_ldap,11,
-	&(lvalues[1769]),0},
+	&(lvalues[1767]),0},
 {"id-smime-spq-ets-sqt-uri","id-smime-spq-ets-sqt-uri",
-	NID_id_smime_spq_ets_sqt_uri,11,&(lvalues[1780]),0},
+	NID_id_smime_spq_ets_sqt_uri,11,&(lvalues[1778]),0},
 {"id-smime-spq-ets-sqt-unotice","id-smime-spq-ets-sqt-unotice",
-	NID_id_smime_spq_ets_sqt_unotice,11,&(lvalues[1791]),0},
+	NID_id_smime_spq_ets_sqt_unotice,11,&(lvalues[1789]),0},
 {"id-smime-cti-ets-proofOfOrigin","id-smime-cti-ets-proofOfOrigin",
-	NID_id_smime_cti_ets_proofOfOrigin,11,&(lvalues[1802]),0},
+	NID_id_smime_cti_ets_proofOfOrigin,11,&(lvalues[1800]),0},
 {"id-smime-cti-ets-proofOfReceipt","id-smime-cti-ets-proofOfReceipt",
-	NID_id_smime_cti_ets_proofOfReceipt,11,&(lvalues[1813]),0},
+	NID_id_smime_cti_ets_proofOfReceipt,11,&(lvalues[1811]),0},
 {"id-smime-cti-ets-proofOfDelivery",
 	"id-smime-cti-ets-proofOfDelivery",
-	NID_id_smime_cti_ets_proofOfDelivery,11,&(lvalues[1824]),0},
+	NID_id_smime_cti_ets_proofOfDelivery,11,&(lvalues[1822]),0},
 {"id-smime-cti-ets-proofOfSender","id-smime-cti-ets-proofOfSender",
-	NID_id_smime_cti_ets_proofOfSender,11,&(lvalues[1835]),0},
+	NID_id_smime_cti_ets_proofOfSender,11,&(lvalues[1833]),0},
 {"id-smime-cti-ets-proofOfApproval",
 	"id-smime-cti-ets-proofOfApproval",
-	NID_id_smime_cti_ets_proofOfApproval,11,&(lvalues[1846]),0},
+	NID_id_smime_cti_ets_proofOfApproval,11,&(lvalues[1844]),0},
 {"id-smime-cti-ets-proofOfCreation",
 	"id-smime-cti-ets-proofOfCreation",
-	NID_id_smime_cti_ets_proofOfCreation,11,&(lvalues[1857]),0},
-{"MD4","md4",NID_md4,8,&(lvalues[1868]),0},
-{"id-pkix-mod","id-pkix-mod",NID_id_pkix_mod,7,&(lvalues[1876]),0},
-{"id-qt","id-qt",NID_id_qt,7,&(lvalues[1883]),0},
-{"id-it","id-it",NID_id_it,7,&(lvalues[1890]),0},
-{"id-pkip","id-pkip",NID_id_pkip,7,&(lvalues[1897]),0},
-{"id-alg","id-alg",NID_id_alg,7,&(lvalues[1904]),0},
-{"id-cmc","id-cmc",NID_id_cmc,7,&(lvalues[1911]),0},
-{"id-on","id-on",NID_id_on,7,&(lvalues[1918]),0},
-{"id-pda","id-pda",NID_id_pda,7,&(lvalues[1925]),0},
-{"id-aca","id-aca",NID_id_aca,7,&(lvalues[1932]),0},
-{"id-qcs","id-qcs",NID_id_qcs,7,&(lvalues[1939]),0},
-{"id-cct","id-cct",NID_id_cct,7,&(lvalues[1946]),0},
+	NID_id_smime_cti_ets_proofOfCreation,11,&(lvalues[1855]),0},
+{"MD4","md4",NID_md4,8,&(lvalues[1866]),0},
+{"id-pkix-mod","id-pkix-mod",NID_id_pkix_mod,7,&(lvalues[1874]),0},
+{"id-qt","id-qt",NID_id_qt,7,&(lvalues[1881]),0},
+{"id-it","id-it",NID_id_it,7,&(lvalues[1888]),0},
+{"id-pkip","id-pkip",NID_id_pkip,7,&(lvalues[1895]),0},
+{"id-alg","id-alg",NID_id_alg,7,&(lvalues[1902]),0},
+{"id-cmc","id-cmc",NID_id_cmc,7,&(lvalues[1909]),0},
+{"id-on","id-on",NID_id_on,7,&(lvalues[1916]),0},
+{"id-pda","id-pda",NID_id_pda,7,&(lvalues[1923]),0},
+{"id-aca","id-aca",NID_id_aca,7,&(lvalues[1930]),0},
+{"id-qcs","id-qcs",NID_id_qcs,7,&(lvalues[1937]),0},
+{"id-cct","id-cct",NID_id_cct,7,&(lvalues[1944]),0},
 {"id-pkix1-explicit-88","id-pkix1-explicit-88",
-	NID_id_pkix1_explicit_88,8,&(lvalues[1953]),0},
+	NID_id_pkix1_explicit_88,8,&(lvalues[1951]),0},
 {"id-pkix1-implicit-88","id-pkix1-implicit-88",
-	NID_id_pkix1_implicit_88,8,&(lvalues[1961]),0},
+	NID_id_pkix1_implicit_88,8,&(lvalues[1959]),0},
 {"id-pkix1-explicit-93","id-pkix1-explicit-93",
-	NID_id_pkix1_explicit_93,8,&(lvalues[1969]),0},
+	NID_id_pkix1_explicit_93,8,&(lvalues[1967]),0},
 {"id-pkix1-implicit-93","id-pkix1-implicit-93",
-	NID_id_pkix1_implicit_93,8,&(lvalues[1977]),0},
-{"id-mod-crmf","id-mod-crmf",NID_id_mod_crmf,8,&(lvalues[1985]),0},
-{"id-mod-cmc","id-mod-cmc",NID_id_mod_cmc,8,&(lvalues[1993]),0},
+	NID_id_pkix1_implicit_93,8,&(lvalues[1975]),0},
+{"id-mod-crmf","id-mod-crmf",NID_id_mod_crmf,8,&(lvalues[1983]),0},
+{"id-mod-cmc","id-mod-cmc",NID_id_mod_cmc,8,&(lvalues[1991]),0},
 {"id-mod-kea-profile-88","id-mod-kea-profile-88",
-	NID_id_mod_kea_profile_88,8,&(lvalues[2001]),0},
+	NID_id_mod_kea_profile_88,8,&(lvalues[1999]),0},
 {"id-mod-kea-profile-93","id-mod-kea-profile-93",
-	NID_id_mod_kea_profile_93,8,&(lvalues[2009]),0},
-{"id-mod-cmp","id-mod-cmp",NID_id_mod_cmp,8,&(lvalues[2017]),0},
+	NID_id_mod_kea_profile_93,8,&(lvalues[2007]),0},
+{"id-mod-cmp","id-mod-cmp",NID_id_mod_cmp,8,&(lvalues[2015]),0},
 {"id-mod-qualified-cert-88","id-mod-qualified-cert-88",
-	NID_id_mod_qualified_cert_88,8,&(lvalues[2025]),0},
+	NID_id_mod_qualified_cert_88,8,&(lvalues[2023]),0},
 {"id-mod-qualified-cert-93","id-mod-qualified-cert-93",
-	NID_id_mod_qualified_cert_93,8,&(lvalues[2033]),0},
+	NID_id_mod_qualified_cert_93,8,&(lvalues[2031]),0},
 {"id-mod-attribute-cert","id-mod-attribute-cert",
-	NID_id_mod_attribute_cert,8,&(lvalues[2041]),0},
+	NID_id_mod_attribute_cert,8,&(lvalues[2039]),0},
 {"id-mod-timestamp-protocol","id-mod-timestamp-protocol",
-	NID_id_mod_timestamp_protocol,8,&(lvalues[2049]),0},
-{"id-mod-ocsp","id-mod-ocsp",NID_id_mod_ocsp,8,&(lvalues[2057]),0},
-{"id-mod-dvcs","id-mod-dvcs",NID_id_mod_dvcs,8,&(lvalues[2065]),0},
+	NID_id_mod_timestamp_protocol,8,&(lvalues[2047]),0},
+{"id-mod-ocsp","id-mod-ocsp",NID_id_mod_ocsp,8,&(lvalues[2055]),0},
+{"id-mod-dvcs","id-mod-dvcs",NID_id_mod_dvcs,8,&(lvalues[2063]),0},
 {"id-mod-cmp2000","id-mod-cmp2000",NID_id_mod_cmp2000,8,
-	&(lvalues[2073]),0},
-{"biometricInfo","Biometric Info",NID_biometricInfo,8,&(lvalues[2081]),0},
-{"qcStatements","qcStatements",NID_qcStatements,8,&(lvalues[2089]),0},
+	&(lvalues[2071]),0},
+{"biometricInfo","Biometric Info",NID_biometricInfo,8,&(lvalues[2079]),0},
+{"qcStatements","qcStatements",NID_qcStatements,8,&(lvalues[2087]),0},
 {"ac-auditEntity","ac-auditEntity",NID_ac_auditEntity,8,
-	&(lvalues[2097]),0},
-{"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2105]),0},
-{"aaControls","aaControls",NID_aaControls,8,&(lvalues[2113]),0},
+	&(lvalues[2095]),0},
+{"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2103]),0},
+{"aaControls","aaControls",NID_aaControls,8,&(lvalues[2111]),0},
 {"sbgp-ipAddrBlock","sbgp-ipAddrBlock",NID_sbgp_ipAddrBlock,8,
-	&(lvalues[2121]),0},
+	&(lvalues[2119]),0},
 {"sbgp-autonomousSysNum","sbgp-autonomousSysNum",
-	NID_sbgp_autonomousSysNum,8,&(lvalues[2129]),0},
+	NID_sbgp_autonomousSysNum,8,&(lvalues[2127]),0},
 {"sbgp-routerIdentifier","sbgp-routerIdentifier",
-	NID_sbgp_routerIdentifier,8,&(lvalues[2137]),0},
-{"textNotice","textNotice",NID_textNotice,8,&(lvalues[2145]),0},
+	NID_sbgp_routerIdentifier,8,&(lvalues[2135]),0},
+{"textNotice","textNotice",NID_textNotice,8,&(lvalues[2143]),0},
 {"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8,
-	&(lvalues[2153]),0},
-{"ipsecTunnel","IPSec Tunnel",NID_ipsecTunnel,8,&(lvalues[2161]),0},
-{"ipsecUser","IPSec User",NID_ipsecUser,8,&(lvalues[2169]),0},
-{"DVCS","dvcs",NID_dvcs,8,&(lvalues[2177]),0},
+	&(lvalues[2151]),0},
+{"ipsecTunnel","IPSec Tunnel",NID_ipsecTunnel,8,&(lvalues[2159]),0},
+{"ipsecUser","IPSec User",NID_ipsecUser,8,&(lvalues[2167]),0},
+{"DVCS","dvcs",NID_dvcs,8,&(lvalues[2175]),0},
 {"id-it-caProtEncCert","id-it-caProtEncCert",NID_id_it_caProtEncCert,
-	8,&(lvalues[2185]),0},
+	8,&(lvalues[2183]),0},
 {"id-it-signKeyPairTypes","id-it-signKeyPairTypes",
-	NID_id_it_signKeyPairTypes,8,&(lvalues[2193]),0},
+	NID_id_it_signKeyPairTypes,8,&(lvalues[2191]),0},
 {"id-it-encKeyPairTypes","id-it-encKeyPairTypes",
-	NID_id_it_encKeyPairTypes,8,&(lvalues[2201]),0},
+	NID_id_it_encKeyPairTypes,8,&(lvalues[2199]),0},
 {"id-it-preferredSymmAlg","id-it-preferredSymmAlg",
-	NID_id_it_preferredSymmAlg,8,&(lvalues[2209]),0},
+	NID_id_it_preferredSymmAlg,8,&(lvalues[2207]),0},
 {"id-it-caKeyUpdateInfo","id-it-caKeyUpdateInfo",
-	NID_id_it_caKeyUpdateInfo,8,&(lvalues[2217]),0},
+	NID_id_it_caKeyUpdateInfo,8,&(lvalues[2215]),0},
 {"id-it-currentCRL","id-it-currentCRL",NID_id_it_currentCRL,8,
-	&(lvalues[2225]),0},
+	&(lvalues[2223]),0},
 {"id-it-unsupportedOIDs","id-it-unsupportedOIDs",
-	NID_id_it_unsupportedOIDs,8,&(lvalues[2233]),0},
+	NID_id_it_unsupportedOIDs,8,&(lvalues[2231]),0},
 {"id-it-subscriptionRequest","id-it-subscriptionRequest",
-	NID_id_it_subscriptionRequest,8,&(lvalues[2241]),0},
+	NID_id_it_subscriptionRequest,8,&(lvalues[2239]),0},
 {"id-it-subscriptionResponse","id-it-subscriptionResponse",
-	NID_id_it_subscriptionResponse,8,&(lvalues[2249]),0},
+	NID_id_it_subscriptionResponse,8,&(lvalues[2247]),0},
 {"id-it-keyPairParamReq","id-it-keyPairParamReq",
-	NID_id_it_keyPairParamReq,8,&(lvalues[2257]),0},
+	NID_id_it_keyPairParamReq,8,&(lvalues[2255]),0},
 {"id-it-keyPairParamRep","id-it-keyPairParamRep",
-	NID_id_it_keyPairParamRep,8,&(lvalues[2265]),0},
+	NID_id_it_keyPairParamRep,8,&(lvalues[2263]),0},
 {"id-it-revPassphrase","id-it-revPassphrase",NID_id_it_revPassphrase,
-	8,&(lvalues[2273]),0},
+	8,&(lvalues[2271]),0},
 {"id-it-implicitConfirm","id-it-implicitConfirm",
-	NID_id_it_implicitConfirm,8,&(lvalues[2281]),0},
+	NID_id_it_implicitConfirm,8,&(lvalues[2279]),0},
 {"id-it-confirmWaitTime","id-it-confirmWaitTime",
-	NID_id_it_confirmWaitTime,8,&(lvalues[2289]),0},
+	NID_id_it_confirmWaitTime,8,&(lvalues[2287]),0},
 {"id-it-origPKIMessage","id-it-origPKIMessage",
-	NID_id_it_origPKIMessage,8,&(lvalues[2297]),0},
-{"id-regCtrl","id-regCtrl",NID_id_regCtrl,8,&(lvalues[2305]),0},
-{"id-regInfo","id-regInfo",NID_id_regInfo,8,&(lvalues[2313]),0},
+	NID_id_it_origPKIMessage,8,&(lvalues[2295]),0},
+{"id-regCtrl","id-regCtrl",NID_id_regCtrl,8,&(lvalues[2303]),0},
+{"id-regInfo","id-regInfo",NID_id_regInfo,8,&(lvalues[2311]),0},
 {"id-regCtrl-regToken","id-regCtrl-regToken",NID_id_regCtrl_regToken,
-	9,&(lvalues[2321]),0},
+	9,&(lvalues[2319]),0},
 {"id-regCtrl-authenticator","id-regCtrl-authenticator",
-	NID_id_regCtrl_authenticator,9,&(lvalues[2330]),0},
+	NID_id_regCtrl_authenticator,9,&(lvalues[2328]),0},
 {"id-regCtrl-pkiPublicationInfo","id-regCtrl-pkiPublicationInfo",
-	NID_id_regCtrl_pkiPublicationInfo,9,&(lvalues[2339]),0},
+	NID_id_regCtrl_pkiPublicationInfo,9,&(lvalues[2337]),0},
 {"id-regCtrl-pkiArchiveOptions","id-regCtrl-pkiArchiveOptions",
-	NID_id_regCtrl_pkiArchiveOptions,9,&(lvalues[2348]),0},
+	NID_id_regCtrl_pkiArchiveOptions,9,&(lvalues[2346]),0},
 {"id-regCtrl-oldCertID","id-regCtrl-oldCertID",
-	NID_id_regCtrl_oldCertID,9,&(lvalues[2357]),0},
+	NID_id_regCtrl_oldCertID,9,&(lvalues[2355]),0},
 {"id-regCtrl-protocolEncrKey","id-regCtrl-protocolEncrKey",
-	NID_id_regCtrl_protocolEncrKey,9,&(lvalues[2366]),0},
+	NID_id_regCtrl_protocolEncrKey,9,&(lvalues[2364]),0},
 {"id-regInfo-utf8Pairs","id-regInfo-utf8Pairs",
-	NID_id_regInfo_utf8Pairs,9,&(lvalues[2375]),0},
+	NID_id_regInfo_utf8Pairs,9,&(lvalues[2373]),0},
 {"id-regInfo-certReq","id-regInfo-certReq",NID_id_regInfo_certReq,9,
-	&(lvalues[2384]),0},
-{"id-alg-des40","id-alg-des40",NID_id_alg_des40,8,&(lvalues[2393]),0},
+	&(lvalues[2382]),0},
+{"id-alg-des40","id-alg-des40",NID_id_alg_des40,8,&(lvalues[2391]),0},
 {"id-alg-noSignature","id-alg-noSignature",NID_id_alg_noSignature,8,
-	&(lvalues[2401]),0},
+	&(lvalues[2399]),0},
 {"id-alg-dh-sig-hmac-sha1","id-alg-dh-sig-hmac-sha1",
-	NID_id_alg_dh_sig_hmac_sha1,8,&(lvalues[2409]),0},
-{"id-alg-dh-pop","id-alg-dh-pop",NID_id_alg_dh_pop,8,&(lvalues[2417]),0},
+	NID_id_alg_dh_sig_hmac_sha1,8,&(lvalues[2407]),0},
+{"id-alg-dh-pop","id-alg-dh-pop",NID_id_alg_dh_pop,8,&(lvalues[2415]),0},
 {"id-cmc-statusInfo","id-cmc-statusInfo",NID_id_cmc_statusInfo,8,
-	&(lvalues[2425]),0},
+	&(lvalues[2423]),0},
 {"id-cmc-identification","id-cmc-identification",
-	NID_id_cmc_identification,8,&(lvalues[2433]),0},
+	NID_id_cmc_identification,8,&(lvalues[2431]),0},
 {"id-cmc-identityProof","id-cmc-identityProof",
-	NID_id_cmc_identityProof,8,&(lvalues[2441]),0},
+	NID_id_cmc_identityProof,8,&(lvalues[2439]),0},
 {"id-cmc-dataReturn","id-cmc-dataReturn",NID_id_cmc_dataReturn,8,
-	&(lvalues[2449]),0},
+	&(lvalues[2447]),0},
 {"id-cmc-transactionId","id-cmc-transactionId",
-	NID_id_cmc_transactionId,8,&(lvalues[2457]),0},
+	NID_id_cmc_transactionId,8,&(lvalues[2455]),0},
 {"id-cmc-senderNonce","id-cmc-senderNonce",NID_id_cmc_senderNonce,8,
-	&(lvalues[2465]),0},
+	&(lvalues[2463]),0},
 {"id-cmc-recipientNonce","id-cmc-recipientNonce",
-	NID_id_cmc_recipientNonce,8,&(lvalues[2473]),0},
+	NID_id_cmc_recipientNonce,8,&(lvalues[2471]),0},
 {"id-cmc-addExtensions","id-cmc-addExtensions",
-	NID_id_cmc_addExtensions,8,&(lvalues[2481]),0},
+	NID_id_cmc_addExtensions,8,&(lvalues[2479]),0},
 {"id-cmc-encryptedPOP","id-cmc-encryptedPOP",NID_id_cmc_encryptedPOP,
-	8,&(lvalues[2489]),0},
+	8,&(lvalues[2487]),0},
 {"id-cmc-decryptedPOP","id-cmc-decryptedPOP",NID_id_cmc_decryptedPOP,
-	8,&(lvalues[2497]),0},
+	8,&(lvalues[2495]),0},
 {"id-cmc-lraPOPWitness","id-cmc-lraPOPWitness",
-	NID_id_cmc_lraPOPWitness,8,&(lvalues[2505]),0},
+	NID_id_cmc_lraPOPWitness,8,&(lvalues[2503]),0},
 {"id-cmc-getCert","id-cmc-getCert",NID_id_cmc_getCert,8,
-	&(lvalues[2513]),0},
-{"id-cmc-getCRL","id-cmc-getCRL",NID_id_cmc_getCRL,8,&(lvalues[2521]),0},
+	&(lvalues[2511]),0},
+{"id-cmc-getCRL","id-cmc-getCRL",NID_id_cmc_getCRL,8,&(lvalues[2519]),0},
 {"id-cmc-revokeRequest","id-cmc-revokeRequest",
-	NID_id_cmc_revokeRequest,8,&(lvalues[2529]),0},
+	NID_id_cmc_revokeRequest,8,&(lvalues[2527]),0},
 {"id-cmc-regInfo","id-cmc-regInfo",NID_id_cmc_regInfo,8,
-	&(lvalues[2537]),0},
+	&(lvalues[2535]),0},
 {"id-cmc-responseInfo","id-cmc-responseInfo",NID_id_cmc_responseInfo,
-	8,&(lvalues[2545]),0},
+	8,&(lvalues[2543]),0},
 {"id-cmc-queryPending","id-cmc-queryPending",NID_id_cmc_queryPending,
-	8,&(lvalues[2553]),0},
+	8,&(lvalues[2551]),0},
 {"id-cmc-popLinkRandom","id-cmc-popLinkRandom",
-	NID_id_cmc_popLinkRandom,8,&(lvalues[2561]),0},
+	NID_id_cmc_popLinkRandom,8,&(lvalues[2559]),0},
 {"id-cmc-popLinkWitness","id-cmc-popLinkWitness",
-	NID_id_cmc_popLinkWitness,8,&(lvalues[2569]),0},
+	NID_id_cmc_popLinkWitness,8,&(lvalues[2567]),0},
 {"id-cmc-confirmCertAcceptance","id-cmc-confirmCertAcceptance",
-	NID_id_cmc_confirmCertAcceptance,8,&(lvalues[2577]),0},
+	NID_id_cmc_confirmCertAcceptance,8,&(lvalues[2575]),0},
 {"id-on-personalData","id-on-personalData",NID_id_on_personalData,8,
-	&(lvalues[2585]),0},
+	&(lvalues[2583]),0},
 {"id-pda-dateOfBirth","id-pda-dateOfBirth",NID_id_pda_dateOfBirth,8,
-	&(lvalues[2593]),0},
+	&(lvalues[2591]),0},
 {"id-pda-placeOfBirth","id-pda-placeOfBirth",NID_id_pda_placeOfBirth,
-	8,&(lvalues[2601]),0},
+	8,&(lvalues[2599]),0},
 {NULL,NULL,NID_undef,0,NULL,0},
-{"id-pda-gender","id-pda-gender",NID_id_pda_gender,8,&(lvalues[2609]),0},
+{"id-pda-gender","id-pda-gender",NID_id_pda_gender,8,&(lvalues[2607]),0},
 {"id-pda-countryOfCitizenship","id-pda-countryOfCitizenship",
-	NID_id_pda_countryOfCitizenship,8,&(lvalues[2617]),0},
+	NID_id_pda_countryOfCitizenship,8,&(lvalues[2615]),0},
 {"id-pda-countryOfResidence","id-pda-countryOfResidence",
-	NID_id_pda_countryOfResidence,8,&(lvalues[2625]),0},
+	NID_id_pda_countryOfResidence,8,&(lvalues[2623]),0},
 {"id-aca-authenticationInfo","id-aca-authenticationInfo",
-	NID_id_aca_authenticationInfo,8,&(lvalues[2633]),0},
+	NID_id_aca_authenticationInfo,8,&(lvalues[2631]),0},
 {"id-aca-accessIdentity","id-aca-accessIdentity",
-	NID_id_aca_accessIdentity,8,&(lvalues[2641]),0},
+	NID_id_aca_accessIdentity,8,&(lvalues[2639]),0},
 {"id-aca-chargingIdentity","id-aca-chargingIdentity",
-	NID_id_aca_chargingIdentity,8,&(lvalues[2649]),0},
-{"id-aca-group","id-aca-group",NID_id_aca_group,8,&(lvalues[2657]),0},
-{"id-aca-role","id-aca-role",NID_id_aca_role,8,&(lvalues[2665]),0},
+	NID_id_aca_chargingIdentity,8,&(lvalues[2647]),0},
+{"id-aca-group","id-aca-group",NID_id_aca_group,8,&(lvalues[2655]),0},
+{"id-aca-role","id-aca-role",NID_id_aca_role,8,&(lvalues[2663]),0},
 {"id-qcs-pkixQCSyntax-v1","id-qcs-pkixQCSyntax-v1",
-	NID_id_qcs_pkixQCSyntax_v1,8,&(lvalues[2673]),0},
-{"id-cct-crs","id-cct-crs",NID_id_cct_crs,8,&(lvalues[2681]),0},
+	NID_id_qcs_pkixQCSyntax_v1,8,&(lvalues[2671]),0},
+{"id-cct-crs","id-cct-crs",NID_id_cct_crs,8,&(lvalues[2679]),0},
 {"id-cct-PKIData","id-cct-PKIData",NID_id_cct_PKIData,8,
-	&(lvalues[2689]),0},
+	&(lvalues[2687]),0},
 {"id-cct-PKIResponse","id-cct-PKIResponse",NID_id_cct_PKIResponse,8,
-	&(lvalues[2697]),0},
+	&(lvalues[2695]),0},
 {"ad_timestamping","AD Time Stamping",NID_ad_timeStamping,8,
-	&(lvalues[2705]),0},
-{"AD_DVCS","ad dvcs",NID_ad_dvcs,8,&(lvalues[2713]),0},
+	&(lvalues[2703]),0},
+{"AD_DVCS","ad dvcs",NID_ad_dvcs,8,&(lvalues[2711]),0},
 {"basicOCSPResponse","Basic OCSP Response",NID_id_pkix_OCSP_basic,9,
-	&(lvalues[2721]),0},
-{"Nonce","OCSP Nonce",NID_id_pkix_OCSP_Nonce,9,&(lvalues[2730]),0},
-{"CrlID","OCSP CRL ID",NID_id_pkix_OCSP_CrlID,9,&(lvalues[2739]),0},
+	&(lvalues[2719]),0},
+{"Nonce","OCSP Nonce",NID_id_pkix_OCSP_Nonce,9,&(lvalues[2728]),0},
+{"CrlID","OCSP CRL ID",NID_id_pkix_OCSP_CrlID,9,&(lvalues[2737]),0},
 {"acceptableResponses","Acceptable OCSP Responses",
-	NID_id_pkix_OCSP_acceptableResponses,9,&(lvalues[2748]),0},
-{"noCheck","OCSP No Check",NID_id_pkix_OCSP_noCheck,9,&(lvalues[2757]),0},
+	NID_id_pkix_OCSP_acceptableResponses,9,&(lvalues[2746]),0},
+{"noCheck","OCSP No Check",NID_id_pkix_OCSP_noCheck,9,&(lvalues[2755]),0},
 {"archiveCutoff","OCSP Archive Cutoff",NID_id_pkix_OCSP_archiveCutoff,
-	9,&(lvalues[2766]),0},
+	9,&(lvalues[2764]),0},
 {"serviceLocator","OCSP Service Locator",
-	NID_id_pkix_OCSP_serviceLocator,9,&(lvalues[2775]),0},
+	NID_id_pkix_OCSP_serviceLocator,9,&(lvalues[2773]),0},
 {"extendedStatus","Extended OCSP Status",
-	NID_id_pkix_OCSP_extendedStatus,9,&(lvalues[2784]),0},
-{"valid","valid",NID_id_pkix_OCSP_valid,9,&(lvalues[2793]),0},
-{"path","path",NID_id_pkix_OCSP_path,9,&(lvalues[2802]),0},
+	NID_id_pkix_OCSP_extendedStatus,9,&(lvalues[2782]),0},
+{"valid","valid",NID_id_pkix_OCSP_valid,9,&(lvalues[2791]),0},
+{"path","path",NID_id_pkix_OCSP_path,9,&(lvalues[2800]),0},
 {"trustRoot","Trust Root",NID_id_pkix_OCSP_trustRoot,9,
-	&(lvalues[2811]),0},
-{"algorithm","algorithm",NID_algorithm,4,&(lvalues[2820]),0},
-{"rsaSignature","rsaSignature",NID_rsaSignature,5,&(lvalues[2824]),0},
+	&(lvalues[2809]),0},
+{"algorithm","algorithm",NID_algorithm,4,&(lvalues[2818]),0},
+{"rsaSignature","rsaSignature",NID_rsaSignature,5,&(lvalues[2822]),0},
 {"X500algorithms","directory services - algorithms",
-	NID_X500algorithms,2,&(lvalues[2829]),0},
-{"ORG","org",NID_org,1,&(lvalues[2831]),0},
-{"DOD","dod",NID_dod,2,&(lvalues[2832]),0},
-{"IANA","iana",NID_iana,3,&(lvalues[2834]),0},
-{"directory","Directory",NID_Directory,4,&(lvalues[2837]),0},
-{"mgmt","Management",NID_Management,4,&(lvalues[2841]),0},
-{"experimental","Experimental",NID_Experimental,4,&(lvalues[2845]),0},
-{"private","Private",NID_Private,4,&(lvalues[2849]),0},
-{"security","Security",NID_Security,4,&(lvalues[2853]),0},
-{"snmpv2","SNMPv2",NID_SNMPv2,4,&(lvalues[2857]),0},
-{"Mail","Mail",NID_Mail,4,&(lvalues[2861]),0},
-{"enterprises","Enterprises",NID_Enterprises,5,&(lvalues[2865]),0},
-{"dcobject","dcObject",NID_dcObject,9,&(lvalues[2870]),0},
-{"DC","domainComponent",NID_domainComponent,10,&(lvalues[2879]),0},
-{"domain","Domain",NID_Domain,10,&(lvalues[2889]),0},
-{"NULL","NULL",NID_joint_iso_ccitt,1,&(lvalues[2899]),0},
+	NID_X500algorithms,2,&(lvalues[2827]),0},
+{"ORG","org",NID_org,1,&(lvalues[2829]),0},
+{"DOD","dod",NID_dod,2,&(lvalues[2830]),0},
+{"IANA","iana",NID_iana,3,&(lvalues[2832]),0},
+{"directory","Directory",NID_Directory,4,&(lvalues[2835]),0},
+{"mgmt","Management",NID_Management,4,&(lvalues[2839]),0},
+{"experimental","Experimental",NID_Experimental,4,&(lvalues[2843]),0},
+{"private","Private",NID_Private,4,&(lvalues[2847]),0},
+{"security","Security",NID_Security,4,&(lvalues[2851]),0},
+{"snmpv2","SNMPv2",NID_SNMPv2,4,&(lvalues[2855]),0},
+{"Mail","Mail",NID_Mail,4,&(lvalues[2859]),0},
+{"enterprises","Enterprises",NID_Enterprises,5,&(lvalues[2863]),0},
+{"dcobject","dcObject",NID_dcObject,9,&(lvalues[2868]),0},
+{"DC","domainComponent",NID_domainComponent,10,&(lvalues[2877]),0},
+{"domain","Domain",NID_Domain,10,&(lvalues[2887]),0},
+{"NULL","NULL",NID_joint_iso_ccitt,0,NULL,0},
 {"selected-attribute-types","Selected Attribute Types",
-	NID_selected_attribute_types,3,&(lvalues[2900]),0},
-{"clearance","clearance",NID_clearance,4,&(lvalues[2903]),0},
+	NID_selected_attribute_types,3,&(lvalues[2897]),0},
+{"clearance","clearance",NID_clearance,4,&(lvalues[2900]),0},
 {"RSA-MD4","md4WithRSAEncryption",NID_md4WithRSAEncryption,9,
-	&(lvalues[2907]),0},
-{"ac-proxying","ac-proxying",NID_ac_proxying,8,&(lvalues[2916]),0},
+	&(lvalues[2904]),0},
+{"ac-proxying","ac-proxying",NID_ac_proxying,8,&(lvalues[2913]),0},
 {"subjectInfoAccess","Subject Information Access",NID_sinfo_access,8,
-	&(lvalues[2924]),0},
+	&(lvalues[2921]),0},
 {"id-aca-encAttrs","id-aca-encAttrs",NID_id_aca_encAttrs,8,
-	&(lvalues[2932]),0},
-{"role","role",NID_role,3,&(lvalues[2940]),0},
+	&(lvalues[2929]),0},
+{"role","role",NID_role,3,&(lvalues[2937]),0},
 {"policyConstraints","X509v3 Policy Constraints",
-	NID_policy_constraints,3,&(lvalues[2943]),0},
+	NID_policy_constraints,3,&(lvalues[2940]),0},
 {"targetInformation","X509v3 AC Targeting",NID_target_information,3,
-	&(lvalues[2946]),0},
+	&(lvalues[2943]),0},
 {"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3,
-	&(lvalues[2949]),0},
-{"NULL","NULL",NID_ccitt,1,&(lvalues[2952]),0},
-{"ansi-X9-62","ANSI X9.62",NID_ansi_X9_62,5,&(lvalues[2953]),0},
-{"prime-field","prime-field",NID_X9_62_prime_field,7,&(lvalues[2958]),0},
+	&(lvalues[2946]),0},
+{"NULL","NULL",NID_ccitt,0,NULL,0},
+{"ansi-X9-62","ANSI X9.62",NID_ansi_X9_62,5,&(lvalues[2949]),0},
+{"prime-field","prime-field",NID_X9_62_prime_field,7,&(lvalues[2954]),0},
 {"characteristic-two-field","characteristic-two-field",
-	NID_X9_62_characteristic_two_field,7,&(lvalues[2965]),0},
+	NID_X9_62_characteristic_two_field,7,&(lvalues[2961]),0},
 {"id-ecPublicKey","id-ecPublicKey",NID_X9_62_id_ecPublicKey,7,
-	&(lvalues[2972]),0},
-{"prime192v1","prime192v1",NID_X9_62_prime192v1,8,&(lvalues[2979]),0},
-{"prime192v2","prime192v2",NID_X9_62_prime192v2,8,&(lvalues[2987]),0},
-{"prime192v3","prime192v3",NID_X9_62_prime192v3,8,&(lvalues[2995]),0},
-{"prime239v1","prime239v1",NID_X9_62_prime239v1,8,&(lvalues[3003]),0},
-{"prime239v2","prime239v2",NID_X9_62_prime239v2,8,&(lvalues[3011]),0},
-{"prime239v3","prime239v3",NID_X9_62_prime239v3,8,&(lvalues[3019]),0},
-{"prime256v1","prime256v1",NID_X9_62_prime256v1,8,&(lvalues[3027]),0},
+	&(lvalues[2968]),0},
+{"prime192v1","prime192v1",NID_X9_62_prime192v1,8,&(lvalues[2975]),0},
+{"prime192v2","prime192v2",NID_X9_62_prime192v2,8,&(lvalues[2983]),0},
+{"prime192v3","prime192v3",NID_X9_62_prime192v3,8,&(lvalues[2991]),0},
+{"prime239v1","prime239v1",NID_X9_62_prime239v1,8,&(lvalues[2999]),0},
+{"prime239v2","prime239v2",NID_X9_62_prime239v2,8,&(lvalues[3007]),0},
+{"prime239v3","prime239v3",NID_X9_62_prime239v3,8,&(lvalues[3015]),0},
+{"prime256v1","prime256v1",NID_X9_62_prime256v1,8,&(lvalues[3023]),0},
 {"ecdsa-with-SHA1","ecdsa-with-SHA1",NID_ecdsa_with_SHA1,7,
-	&(lvalues[3035]),0},
-{"CSPName","Microsoft CSP Name",NID_ms_csp_name,9,&(lvalues[3042]),0},
-{"AES-128-ECB","aes-128-ecb",NID_aes_128_ecb,9,&(lvalues[3051]),0},
-{"AES-128-CBC","aes-128-cbc",NID_aes_128_cbc,9,&(lvalues[3060]),0},
-{"AES-128-OFB","aes-128-ofb",NID_aes_128_ofb128,9,&(lvalues[3069]),0},
-{"AES-128-CFB","aes-128-cfb",NID_aes_128_cfb128,9,&(lvalues[3078]),0},
-{"AES-192-ECB","aes-192-ecb",NID_aes_192_ecb,9,&(lvalues[3087]),0},
-{"AES-192-CBC","aes-192-cbc",NID_aes_192_cbc,9,&(lvalues[3096]),0},
-{"AES-192-OFB","aes-192-ofb",NID_aes_192_ofb128,9,&(lvalues[3105]),0},
-{"AES-192-CFB","aes-192-cfb",NID_aes_192_cfb128,9,&(lvalues[3114]),0},
-{"AES-256-ECB","aes-256-ecb",NID_aes_256_ecb,9,&(lvalues[3123]),0},
-{"AES-256-CBC","aes-256-cbc",NID_aes_256_cbc,9,&(lvalues[3132]),0},
-{"AES-256-OFB","aes-256-ofb",NID_aes_256_ofb128,9,&(lvalues[3141]),0},
-{"AES-256-CFB","aes-256-cfb",NID_aes_256_cfb128,9,&(lvalues[3150]),0},
+	&(lvalues[3031]),0},
+{"CSPName","Microsoft CSP Name",NID_ms_csp_name,9,&(lvalues[3038]),0},
+{"AES-128-ECB","aes-128-ecb",NID_aes_128_ecb,9,&(lvalues[3047]),0},
+{"AES-128-CBC","aes-128-cbc",NID_aes_128_cbc,9,&(lvalues[3056]),0},
+{"AES-128-OFB","aes-128-ofb",NID_aes_128_ofb128,9,&(lvalues[3065]),0},
+{"AES-128-CFB","aes-128-cfb",NID_aes_128_cfb128,9,&(lvalues[3074]),0},
+{"AES-192-ECB","aes-192-ecb",NID_aes_192_ecb,9,&(lvalues[3083]),0},
+{"AES-192-CBC","aes-192-cbc",NID_aes_192_cbc,9,&(lvalues[3092]),0},
+{"AES-192-OFB","aes-192-ofb",NID_aes_192_ofb128,9,&(lvalues[3101]),0},
+{"AES-192-CFB","aes-192-cfb",NID_aes_192_cfb128,9,&(lvalues[3110]),0},
+{"AES-256-ECB","aes-256-ecb",NID_aes_256_ecb,9,&(lvalues[3119]),0},
+{"AES-256-CBC","aes-256-cbc",NID_aes_256_cbc,9,&(lvalues[3128]),0},
+{"AES-256-OFB","aes-256-ofb",NID_aes_256_ofb128,9,&(lvalues[3137]),0},
+{"AES-256-CFB","aes-256-cfb",NID_aes_256_cfb128,9,&(lvalues[3146]),0},
 {"holdInstructionCode","Hold Instruction Code",
-	NID_hold_instruction_code,3,&(lvalues[3159]),0},
+	NID_hold_instruction_code,3,&(lvalues[3155]),0},
 {"holdInstructionNone","Hold Instruction None",
-	NID_hold_instruction_none,7,&(lvalues[3162]),0},
+	NID_hold_instruction_none,7,&(lvalues[3158]),0},
 {"holdInstructionCallIssuer","Hold Instruction Call Issuer",
-	NID_hold_instruction_call_issuer,7,&(lvalues[3169]),0},
+	NID_hold_instruction_call_issuer,7,&(lvalues[3165]),0},
 {"holdInstructionReject","Hold Instruction Reject",
-	NID_hold_instruction_reject,7,&(lvalues[3176]),0},
-{"data","data",NID_data,1,&(lvalues[3183]),0},
-{"pss","pss",NID_pss,3,&(lvalues[3184]),0},
-{"ucl","ucl",NID_ucl,7,&(lvalues[3187]),0},
-{"pilot","pilot",NID_pilot,8,&(lvalues[3194]),0},
+	NID_hold_instruction_reject,7,&(lvalues[3172]),0},
+{"data","data",NID_data,1,&(lvalues[3179]),0},
+{"pss","pss",NID_pss,3,&(lvalues[3180]),0},
+{"ucl","ucl",NID_ucl,7,&(lvalues[3183]),0},
+{"pilot","pilot",NID_pilot,8,&(lvalues[3190]),0},
 {"pilotAttributeType","pilotAttributeType",NID_pilotAttributeType,9,
-	&(lvalues[3202]),0},
+	&(lvalues[3198]),0},
 {"pilotAttributeSyntax","pilotAttributeSyntax",
-	NID_pilotAttributeSyntax,9,&(lvalues[3211]),0},
+	NID_pilotAttributeSyntax,9,&(lvalues[3207]),0},
 {"pilotObjectClass","pilotObjectClass",NID_pilotObjectClass,9,
-	&(lvalues[3220]),0},
-{"pilotGroups","pilotGroups",NID_pilotGroups,9,&(lvalues[3229]),0},
+	&(lvalues[3216]),0},
+{"pilotGroups","pilotGroups",NID_pilotGroups,9,&(lvalues[3225]),0},
 {"iA5StringSyntax","iA5StringSyntax",NID_iA5StringSyntax,10,
-	&(lvalues[3238]),0},
+	&(lvalues[3234]),0},
 {"caseIgnoreIA5StringSyntax","caseIgnoreIA5StringSyntax",
-	NID_caseIgnoreIA5StringSyntax,10,&(lvalues[3248]),0},
-{"pilotObject","pilotObject",NID_pilotObject,10,&(lvalues[3258]),0},
-{"pilotPerson","pilotPerson",NID_pilotPerson,10,&(lvalues[3268]),0},
-{"account","account",NID_account,10,&(lvalues[3278]),0},
-{"document","document",NID_document,10,&(lvalues[3288]),0},
-{"room","room",NID_room,10,&(lvalues[3298]),0},
+	NID_caseIgnoreIA5StringSyntax,10,&(lvalues[3244]),0},
+{"pilotObject","pilotObject",NID_pilotObject,10,&(lvalues[3254]),0},
+{"pilotPerson","pilotPerson",NID_pilotPerson,10,&(lvalues[3264]),0},
+{"account","account",NID_account,10,&(lvalues[3274]),0},
+{"document","document",NID_document,10,&(lvalues[3284]),0},
+{"room","room",NID_room,10,&(lvalues[3294]),0},
 {"documentSeries","documentSeries",NID_documentSeries,10,
-	&(lvalues[3308]),0},
+	&(lvalues[3304]),0},
 {"rFC822localPart","rFC822localPart",NID_rFC822localPart,10,
-	&(lvalues[3318]),0},
-{"dNSDomain","dNSDomain",NID_dNSDomain,10,&(lvalues[3328]),0},
+	&(lvalues[3314]),0},
+{"dNSDomain","dNSDomain",NID_dNSDomain,10,&(lvalues[3324]),0},
 {"domainRelatedObject","domainRelatedObject",NID_domainRelatedObject,
-	10,&(lvalues[3338]),0},
+	10,&(lvalues[3334]),0},
 {"friendlyCountry","friendlyCountry",NID_friendlyCountry,10,
-	&(lvalues[3348]),0},
+	&(lvalues[3344]),0},
 {"simpleSecurityObject","simpleSecurityObject",
-	NID_simpleSecurityObject,10,&(lvalues[3358]),0},
+	NID_simpleSecurityObject,10,&(lvalues[3354]),0},
 {"pilotOrganization","pilotOrganization",NID_pilotOrganization,10,
-	&(lvalues[3368]),0},
-{"pilotDSA","pilotDSA",NID_pilotDSA,10,&(lvalues[3378]),0},
+	&(lvalues[3364]),0},
+{"pilotDSA","pilotDSA",NID_pilotDSA,10,&(lvalues[3374]),0},
 {"qualityLabelledData","qualityLabelledData",NID_qualityLabelledData,
-	10,&(lvalues[3388]),0},
-{"UID","userId",NID_userId,10,&(lvalues[3398]),0},
+	10,&(lvalues[3384]),0},
+{"UID","userId",NID_userId,10,&(lvalues[3394]),0},
 {"textEncodedORAddress","textEncodedORAddress",
-	NID_textEncodedORAddress,10,&(lvalues[3408]),0},
-{"mail","rfc822Mailbox",NID_rfc822Mailbox,10,&(lvalues[3418]),0},
-{"info","info",NID_info,10,&(lvalues[3428]),0},
+	NID_textEncodedORAddress,10,&(lvalues[3404]),0},
+{"mail","rfc822Mailbox",NID_rfc822Mailbox,10,&(lvalues[3414]),0},
+{"info","info",NID_info,10,&(lvalues[3424]),0},
 {"favouriteDrink","favouriteDrink",NID_favouriteDrink,10,
-	&(lvalues[3438]),0},
-{"roomNumber","roomNumber",NID_roomNumber,10,&(lvalues[3448]),0},
-{"photo","photo",NID_photo,10,&(lvalues[3458]),0},
-{"userClass","userClass",NID_userClass,10,&(lvalues[3468]),0},
-{"host","host",NID_host,10,&(lvalues[3478]),0},
-{"manager","manager",NID_manager,10,&(lvalues[3488]),0},
+	&(lvalues[3434]),0},
+{"roomNumber","roomNumber",NID_roomNumber,10,&(lvalues[3444]),0},
+{"photo","photo",NID_photo,10,&(lvalues[3454]),0},
+{"userClass","userClass",NID_userClass,10,&(lvalues[3464]),0},
+{"host","host",NID_host,10,&(lvalues[3474]),0},
+{"manager","manager",NID_manager,10,&(lvalues[3484]),0},
 {"documentIdentifier","documentIdentifier",NID_documentIdentifier,10,
-	&(lvalues[3498]),0},
-{"documentTitle","documentTitle",NID_documentTitle,10,&(lvalues[3508]),0},
+	&(lvalues[3494]),0},
+{"documentTitle","documentTitle",NID_documentTitle,10,&(lvalues[3504]),0},
 {"documentVersion","documentVersion",NID_documentVersion,10,
-	&(lvalues[3518]),0},
+	&(lvalues[3514]),0},
 {"documentAuthor","documentAuthor",NID_documentAuthor,10,
-	&(lvalues[3528]),0},
+	&(lvalues[3524]),0},
 {"documentLocation","documentLocation",NID_documentLocation,10,
-	&(lvalues[3538]),0},
+	&(lvalues[3534]),0},
 {"homeTelephoneNumber","homeTelephoneNumber",NID_homeTelephoneNumber,
-	10,&(lvalues[3548]),0},
-{"secretary","secretary",NID_secretary,10,&(lvalues[3558]),0},
-{"otherMailbox","otherMailbox",NID_otherMailbox,10,&(lvalues[3568]),0},
+	10,&(lvalues[3544]),0},
+{"secretary","secretary",NID_secretary,10,&(lvalues[3554]),0},
+{"otherMailbox","otherMailbox",NID_otherMailbox,10,&(lvalues[3564]),0},
 {"lastModifiedTime","lastModifiedTime",NID_lastModifiedTime,10,
-	&(lvalues[3578]),0},
+	&(lvalues[3574]),0},
 {"lastModifiedBy","lastModifiedBy",NID_lastModifiedBy,10,
-	&(lvalues[3588]),0},
-{"aRecord","aRecord",NID_aRecord,10,&(lvalues[3598]),0},
+	&(lvalues[3584]),0},
+{"aRecord","aRecord",NID_aRecord,10,&(lvalues[3594]),0},
 {"pilotAttributeType27","pilotAttributeType27",
-	NID_pilotAttributeType27,10,&(lvalues[3608]),0},
-{"mXRecord","mXRecord",NID_mXRecord,10,&(lvalues[3618]),0},
-{"nSRecord","nSRecord",NID_nSRecord,10,&(lvalues[3628]),0},
-{"sOARecord","sOARecord",NID_sOARecord,10,&(lvalues[3638]),0},
-{"cNAMERecord","cNAMERecord",NID_cNAMERecord,10,&(lvalues[3648]),0},
+	NID_pilotAttributeType27,10,&(lvalues[3604]),0},
+{"mXRecord","mXRecord",NID_mXRecord,10,&(lvalues[3614]),0},
+{"nSRecord","nSRecord",NID_nSRecord,10,&(lvalues[3624]),0},
+{"sOARecord","sOARecord",NID_sOARecord,10,&(lvalues[3634]),0},
+{"cNAMERecord","cNAMERecord",NID_cNAMERecord,10,&(lvalues[3644]),0},
 {"associatedDomain","associatedDomain",NID_associatedDomain,10,
-	&(lvalues[3658]),0},
+	&(lvalues[3654]),0},
 {"associatedName","associatedName",NID_associatedName,10,
-	&(lvalues[3668]),0},
+	&(lvalues[3664]),0},
 {"homePostalAddress","homePostalAddress",NID_homePostalAddress,10,
-	&(lvalues[3678]),0},
-{"personalTitle","personalTitle",NID_personalTitle,10,&(lvalues[3688]),0},
+	&(lvalues[3674]),0},
+{"personalTitle","personalTitle",NID_personalTitle,10,&(lvalues[3684]),0},
 {"mobileTelephoneNumber","mobileTelephoneNumber",
-	NID_mobileTelephoneNumber,10,&(lvalues[3698]),0},
+	NID_mobileTelephoneNumber,10,&(lvalues[3694]),0},
 {"pagerTelephoneNumber","pagerTelephoneNumber",
-	NID_pagerTelephoneNumber,10,&(lvalues[3708]),0},
+	NID_pagerTelephoneNumber,10,&(lvalues[3704]),0},
 {"friendlyCountryName","friendlyCountryName",NID_friendlyCountryName,
-	10,&(lvalues[3718]),0},
+	10,&(lvalues[3714]),0},
 {"organizationalStatus","organizationalStatus",
-	NID_organizationalStatus,10,&(lvalues[3728]),0},
-{"janetMailbox","janetMailbox",NID_janetMailbox,10,&(lvalues[3738]),0},
+	NID_organizationalStatus,10,&(lvalues[3724]),0},
+{"janetMailbox","janetMailbox",NID_janetMailbox,10,&(lvalues[3734]),0},
 {"mailPreferenceOption","mailPreferenceOption",
-	NID_mailPreferenceOption,10,&(lvalues[3748]),0},
-{"buildingName","buildingName",NID_buildingName,10,&(lvalues[3758]),0},
-{"dSAQuality","dSAQuality",NID_dSAQuality,10,&(lvalues[3768]),0},
+	NID_mailPreferenceOption,10,&(lvalues[3744]),0},
+{"buildingName","buildingName",NID_buildingName,10,&(lvalues[3754]),0},
+{"dSAQuality","dSAQuality",NID_dSAQuality,10,&(lvalues[3764]),0},
 {"singleLevelQuality","singleLevelQuality",NID_singleLevelQuality,10,
-	&(lvalues[3778]),0},
+	&(lvalues[3774]),0},
 {"subtreeMinimumQuality","subtreeMinimumQuality",
-	NID_subtreeMinimumQuality,10,&(lvalues[3788]),0},
+	NID_subtreeMinimumQuality,10,&(lvalues[3784]),0},
 {"subtreeMaximumQuality","subtreeMaximumQuality",
-	NID_subtreeMaximumQuality,10,&(lvalues[3798]),0},
+	NID_subtreeMaximumQuality,10,&(lvalues[3794]),0},
 {"personalSignature","personalSignature",NID_personalSignature,10,
-	&(lvalues[3808]),0},
-{"dITRedirect","dITRedirect",NID_dITRedirect,10,&(lvalues[3818]),0},
-{"audio","audio",NID_audio,10,&(lvalues[3828]),0},
+	&(lvalues[3804]),0},
+{"dITRedirect","dITRedirect",NID_dITRedirect,10,&(lvalues[3814]),0},
+{"audio","audio",NID_audio,10,&(lvalues[3824]),0},
 {"documentPublisher","documentPublisher",NID_documentPublisher,10,
-	&(lvalues[3838]),0},
+	&(lvalues[3834]),0},
 {"x500UniqueIdentifier","x500UniqueIdentifier",
-	NID_x500UniqueIdentifier,3,&(lvalues[3848]),0},
-{"mime-mhs","MIME MHS",NID_mime_mhs,5,&(lvalues[3851]),0},
+	NID_x500UniqueIdentifier,3,&(lvalues[3844]),0},
+{"mime-mhs","MIME MHS",NID_mime_mhs,5,&(lvalues[3847]),0},
 {"mime-mhs-headings","mime-mhs-headings",NID_mime_mhs_headings,6,
-	&(lvalues[3856]),0},
+	&(lvalues[3852]),0},
 {"mime-mhs-bodies","mime-mhs-bodies",NID_mime_mhs_bodies,6,
-	&(lvalues[3862]),0},
+	&(lvalues[3858]),0},
 {"id-hex-partial-message","id-hex-partial-message",
-	NID_id_hex_partial_message,7,&(lvalues[3868]),0},
+	NID_id_hex_partial_message,7,&(lvalues[3864]),0},
 {"id-hex-multipart-message","id-hex-multipart-message",
-	NID_id_hex_multipart_message,7,&(lvalues[3875]),0},
+	NID_id_hex_multipart_message,7,&(lvalues[3871]),0},
 {"generationQualifier","generationQualifier",NID_generationQualifier,
-	3,&(lvalues[3882]),0},
-{"pseudonym","pseudonym",NID_pseudonym,3,&(lvalues[3885]),0},
+	3,&(lvalues[3878]),0},
+{"pseudonym","pseudonym",NID_pseudonym,3,&(lvalues[3881]),0},
 {NULL,NULL,NID_undef,0,NULL,0},
 {"id-set","Secure Electronic Transactions",NID_id_set,2,
-	&(lvalues[3888]),0},
-{"set-ctype","content types",NID_set_ctype,3,&(lvalues[3890]),0},
-{"set-msgExt","message extensions",NID_set_msgExt,3,&(lvalues[3893]),0},
-{"set-attr","set-attr",NID_set_attr,3,&(lvalues[3896]),0},
-{"set-policy","set-policy",NID_set_policy,3,&(lvalues[3899]),0},
+	&(lvalues[3884]),0},
+{"set-ctype","content types",NID_set_ctype,3,&(lvalues[3886]),0},
+{"set-msgExt","message extensions",NID_set_msgExt,3,&(lvalues[3889]),0},
+{"set-attr","set-attr",NID_set_attr,3,&(lvalues[3892]),0},
+{"set-policy","set-policy",NID_set_policy,3,&(lvalues[3895]),0},
 {"set-certExt","certificate extensions",NID_set_certExt,3,
-	&(lvalues[3902]),0},
-{"set-brand","set-brand",NID_set_brand,3,&(lvalues[3905]),0},
-{"setct-PANData","setct-PANData",NID_setct_PANData,4,&(lvalues[3908]),0},
+	&(lvalues[3898]),0},
+{"set-brand","set-brand",NID_set_brand,3,&(lvalues[3901]),0},
+{"setct-PANData","setct-PANData",NID_setct_PANData,4,&(lvalues[3904]),0},
 {"setct-PANToken","setct-PANToken",NID_setct_PANToken,4,
-	&(lvalues[3912]),0},
-{"setct-PANOnly","setct-PANOnly",NID_setct_PANOnly,4,&(lvalues[3916]),0},
-{"setct-OIData","setct-OIData",NID_setct_OIData,4,&(lvalues[3920]),0},
-{"setct-PI","setct-PI",NID_setct_PI,4,&(lvalues[3924]),0},
-{"setct-PIData","setct-PIData",NID_setct_PIData,4,&(lvalues[3928]),0},
+	&(lvalues[3908]),0},
+{"setct-PANOnly","setct-PANOnly",NID_setct_PANOnly,4,&(lvalues[3912]),0},
+{"setct-OIData","setct-OIData",NID_setct_OIData,4,&(lvalues[3916]),0},
+{"setct-PI","setct-PI",NID_setct_PI,4,&(lvalues[3920]),0},
+{"setct-PIData","setct-PIData",NID_setct_PIData,4,&(lvalues[3924]),0},
 {"setct-PIDataUnsigned","setct-PIDataUnsigned",
-	NID_setct_PIDataUnsigned,4,&(lvalues[3932]),0},
+	NID_setct_PIDataUnsigned,4,&(lvalues[3928]),0},
 {"setct-HODInput","setct-HODInput",NID_setct_HODInput,4,
-	&(lvalues[3936]),0},
+	&(lvalues[3932]),0},
 {"setct-AuthResBaggage","setct-AuthResBaggage",
-	NID_setct_AuthResBaggage,4,&(lvalues[3940]),0},
+	NID_setct_AuthResBaggage,4,&(lvalues[3936]),0},
 {"setct-AuthRevReqBaggage","setct-AuthRevReqBaggage",
-	NID_setct_AuthRevReqBaggage,4,&(lvalues[3944]),0},
+	NID_setct_AuthRevReqBaggage,4,&(lvalues[3940]),0},
 {"setct-AuthRevResBaggage","setct-AuthRevResBaggage",
-	NID_setct_AuthRevResBaggage,4,&(lvalues[3948]),0},
+	NID_setct_AuthRevResBaggage,4,&(lvalues[3944]),0},
 {"setct-CapTokenSeq","setct-CapTokenSeq",NID_setct_CapTokenSeq,4,
-	&(lvalues[3952]),0},
+	&(lvalues[3948]),0},
 {"setct-PInitResData","setct-PInitResData",NID_setct_PInitResData,4,
-	&(lvalues[3956]),0},
-{"setct-PI-TBS","setct-PI-TBS",NID_setct_PI_TBS,4,&(lvalues[3960]),0},
+	&(lvalues[3952]),0},
+{"setct-PI-TBS","setct-PI-TBS",NID_setct_PI_TBS,4,&(lvalues[3956]),0},
 {"setct-PResData","setct-PResData",NID_setct_PResData,4,
-	&(lvalues[3964]),0},
+	&(lvalues[3960]),0},
 {"setct-AuthReqTBS","setct-AuthReqTBS",NID_setct_AuthReqTBS,4,
-	&(lvalues[3968]),0},
+	&(lvalues[3964]),0},
 {"setct-AuthResTBS","setct-AuthResTBS",NID_setct_AuthResTBS,4,
-	&(lvalues[3972]),0},
+	&(lvalues[3968]),0},
 {"setct-AuthResTBSX","setct-AuthResTBSX",NID_setct_AuthResTBSX,4,
-	&(lvalues[3976]),0},
+	&(lvalues[3972]),0},
 {"setct-AuthTokenTBS","setct-AuthTokenTBS",NID_setct_AuthTokenTBS,4,
-	&(lvalues[3980]),0},
+	&(lvalues[3976]),0},
 {"setct-CapTokenData","setct-CapTokenData",NID_setct_CapTokenData,4,
-	&(lvalues[3984]),0},
+	&(lvalues[3980]),0},
 {"setct-CapTokenTBS","setct-CapTokenTBS",NID_setct_CapTokenTBS,4,
-	&(lvalues[3988]),0},
+	&(lvalues[3984]),0},
 {"setct-AcqCardCodeMsg","setct-AcqCardCodeMsg",
-	NID_setct_AcqCardCodeMsg,4,&(lvalues[3992]),0},
+	NID_setct_AcqCardCodeMsg,4,&(lvalues[3988]),0},
 {"setct-AuthRevReqTBS","setct-AuthRevReqTBS",NID_setct_AuthRevReqTBS,
-	4,&(lvalues[3996]),0},
+	4,&(lvalues[3992]),0},
 {"setct-AuthRevResData","setct-AuthRevResData",
-	NID_setct_AuthRevResData,4,&(lvalues[4000]),0},
+	NID_setct_AuthRevResData,4,&(lvalues[3996]),0},
 {"setct-AuthRevResTBS","setct-AuthRevResTBS",NID_setct_AuthRevResTBS,
-	4,&(lvalues[4004]),0},
+	4,&(lvalues[4000]),0},
 {"setct-CapReqTBS","setct-CapReqTBS",NID_setct_CapReqTBS,4,
-	&(lvalues[4008]),0},
+	&(lvalues[4004]),0},
 {"setct-CapReqTBSX","setct-CapReqTBSX",NID_setct_CapReqTBSX,4,
-	&(lvalues[4012]),0},
+	&(lvalues[4008]),0},
 {"setct-CapResData","setct-CapResData",NID_setct_CapResData,4,
-	&(lvalues[4016]),0},
+	&(lvalues[4012]),0},
 {"setct-CapRevReqTBS","setct-CapRevReqTBS",NID_setct_CapRevReqTBS,4,
-	&(lvalues[4020]),0},
+	&(lvalues[4016]),0},
 {"setct-CapRevReqTBSX","setct-CapRevReqTBSX",NID_setct_CapRevReqTBSX,
-	4,&(lvalues[4024]),0},
+	4,&(lvalues[4020]),0},
 {"setct-CapRevResData","setct-CapRevResData",NID_setct_CapRevResData,
-	4,&(lvalues[4028]),0},
+	4,&(lvalues[4024]),0},
 {"setct-CredReqTBS","setct-CredReqTBS",NID_setct_CredReqTBS,4,
-	&(lvalues[4032]),0},
+	&(lvalues[4028]),0},
 {"setct-CredReqTBSX","setct-CredReqTBSX",NID_setct_CredReqTBSX,4,
-	&(lvalues[4036]),0},
+	&(lvalues[4032]),0},
 {"setct-CredResData","setct-CredResData",NID_setct_CredResData,4,
-	&(lvalues[4040]),0},
+	&(lvalues[4036]),0},
 {"setct-CredRevReqTBS","setct-CredRevReqTBS",NID_setct_CredRevReqTBS,
-	4,&(lvalues[4044]),0},
+	4,&(lvalues[4040]),0},
 {"setct-CredRevReqTBSX","setct-CredRevReqTBSX",
-	NID_setct_CredRevReqTBSX,4,&(lvalues[4048]),0},
+	NID_setct_CredRevReqTBSX,4,&(lvalues[4044]),0},
 {"setct-CredRevResData","setct-CredRevResData",
-	NID_setct_CredRevResData,4,&(lvalues[4052]),0},
+	NID_setct_CredRevResData,4,&(lvalues[4048]),0},
 {"setct-PCertReqData","setct-PCertReqData",NID_setct_PCertReqData,4,
-	&(lvalues[4056]),0},
+	&(lvalues[4052]),0},
 {"setct-PCertResTBS","setct-PCertResTBS",NID_setct_PCertResTBS,4,
-	&(lvalues[4060]),0},
+	&(lvalues[4056]),0},
 {"setct-BatchAdminReqData","setct-BatchAdminReqData",
-	NID_setct_BatchAdminReqData,4,&(lvalues[4064]),0},
+	NID_setct_BatchAdminReqData,4,&(lvalues[4060]),0},
 {"setct-BatchAdminResData","setct-BatchAdminResData",
-	NID_setct_BatchAdminResData,4,&(lvalues[4068]),0},
+	NID_setct_BatchAdminResData,4,&(lvalues[4064]),0},
 {"setct-CardCInitResTBS","setct-CardCInitResTBS",
-	NID_setct_CardCInitResTBS,4,&(lvalues[4072]),0},
+	NID_setct_CardCInitResTBS,4,&(lvalues[4068]),0},
 {"setct-MeAqCInitResTBS","setct-MeAqCInitResTBS",
-	NID_setct_MeAqCInitResTBS,4,&(lvalues[4076]),0},
+	NID_setct_MeAqCInitResTBS,4,&(lvalues[4072]),0},
 {"setct-RegFormResTBS","setct-RegFormResTBS",NID_setct_RegFormResTBS,
-	4,&(lvalues[4080]),0},
+	4,&(lvalues[4076]),0},
 {"setct-CertReqData","setct-CertReqData",NID_setct_CertReqData,4,
-	&(lvalues[4084]),0},
+	&(lvalues[4080]),0},
 {"setct-CertReqTBS","setct-CertReqTBS",NID_setct_CertReqTBS,4,
-	&(lvalues[4088]),0},
+	&(lvalues[4084]),0},
 {"setct-CertResData","setct-CertResData",NID_setct_CertResData,4,
-	&(lvalues[4092]),0},
+	&(lvalues[4088]),0},
 {"setct-CertInqReqTBS","setct-CertInqReqTBS",NID_setct_CertInqReqTBS,
-	4,&(lvalues[4096]),0},
+	4,&(lvalues[4092]),0},
 {"setct-ErrorTBS","setct-ErrorTBS",NID_setct_ErrorTBS,4,
-	&(lvalues[4100]),0},
+	&(lvalues[4096]),0},
 {"setct-PIDualSignedTBE","setct-PIDualSignedTBE",
-	NID_setct_PIDualSignedTBE,4,&(lvalues[4104]),0},
+	NID_setct_PIDualSignedTBE,4,&(lvalues[4100]),0},
 {"setct-PIUnsignedTBE","setct-PIUnsignedTBE",NID_setct_PIUnsignedTBE,
-	4,&(lvalues[4108]),0},
+	4,&(lvalues[4104]),0},
 {"setct-AuthReqTBE","setct-AuthReqTBE",NID_setct_AuthReqTBE,4,
-	&(lvalues[4112]),0},
+	&(lvalues[4108]),0},
 {"setct-AuthResTBE","setct-AuthResTBE",NID_setct_AuthResTBE,4,
-	&(lvalues[4116]),0},
+	&(lvalues[4112]),0},
 {"setct-AuthResTBEX","setct-AuthResTBEX",NID_setct_AuthResTBEX,4,
-	&(lvalues[4120]),0},
+	&(lvalues[4116]),0},
 {"setct-AuthTokenTBE","setct-AuthTokenTBE",NID_setct_AuthTokenTBE,4,
-	&(lvalues[4124]),0},
+	&(lvalues[4120]),0},
 {"setct-CapTokenTBE","setct-CapTokenTBE",NID_setct_CapTokenTBE,4,
-	&(lvalues[4128]),0},
+	&(lvalues[4124]),0},
 {"setct-CapTokenTBEX","setct-CapTokenTBEX",NID_setct_CapTokenTBEX,4,
-	&(lvalues[4132]),0},
+	&(lvalues[4128]),0},
 {"setct-AcqCardCodeMsgTBE","setct-AcqCardCodeMsgTBE",
-	NID_setct_AcqCardCodeMsgTBE,4,&(lvalues[4136]),0},
+	NID_setct_AcqCardCodeMsgTBE,4,&(lvalues[4132]),0},
 {"setct-AuthRevReqTBE","setct-AuthRevReqTBE",NID_setct_AuthRevReqTBE,
-	4,&(lvalues[4140]),0},
+	4,&(lvalues[4136]),0},
 {"setct-AuthRevResTBE","setct-AuthRevResTBE",NID_setct_AuthRevResTBE,
-	4,&(lvalues[4144]),0},
+	4,&(lvalues[4140]),0},
 {"setct-AuthRevResTBEB","setct-AuthRevResTBEB",
-	NID_setct_AuthRevResTBEB,4,&(lvalues[4148]),0},
+	NID_setct_AuthRevResTBEB,4,&(lvalues[4144]),0},
 {"setct-CapReqTBE","setct-CapReqTBE",NID_setct_CapReqTBE,4,
-	&(lvalues[4152]),0},
+	&(lvalues[4148]),0},
 {"setct-CapReqTBEX","setct-CapReqTBEX",NID_setct_CapReqTBEX,4,
-	&(lvalues[4156]),0},
+	&(lvalues[4152]),0},
 {"setct-CapResTBE","setct-CapResTBE",NID_setct_CapResTBE,4,
-	&(lvalues[4160]),0},
+	&(lvalues[4156]),0},
 {"setct-CapRevReqTBE","setct-CapRevReqTBE",NID_setct_CapRevReqTBE,4,
-	&(lvalues[4164]),0},
+	&(lvalues[4160]),0},
 {"setct-CapRevReqTBEX","setct-CapRevReqTBEX",NID_setct_CapRevReqTBEX,
-	4,&(lvalues[4168]),0},
+	4,&(lvalues[4164]),0},
 {"setct-CapRevResTBE","setct-CapRevResTBE",NID_setct_CapRevResTBE,4,
-	&(lvalues[4172]),0},
+	&(lvalues[4168]),0},
 {"setct-CredReqTBE","setct-CredReqTBE",NID_setct_CredReqTBE,4,
-	&(lvalues[4176]),0},
+	&(lvalues[4172]),0},
 {"setct-CredReqTBEX","setct-CredReqTBEX",NID_setct_CredReqTBEX,4,
-	&(lvalues[4180]),0},
+	&(lvalues[4176]),0},
 {"setct-CredResTBE","setct-CredResTBE",NID_setct_CredResTBE,4,
-	&(lvalues[4184]),0},
+	&(lvalues[4180]),0},
 {"setct-CredRevReqTBE","setct-CredRevReqTBE",NID_setct_CredRevReqTBE,
-	4,&(lvalues[4188]),0},
+	4,&(lvalues[4184]),0},
 {"setct-CredRevReqTBEX","setct-CredRevReqTBEX",
-	NID_setct_CredRevReqTBEX,4,&(lvalues[4192]),0},
+	NID_setct_CredRevReqTBEX,4,&(lvalues[4188]),0},
 {"setct-CredRevResTBE","setct-CredRevResTBE",NID_setct_CredRevResTBE,
-	4,&(lvalues[4196]),0},
+	4,&(lvalues[4192]),0},
 {"setct-BatchAdminReqTBE","setct-BatchAdminReqTBE",
-	NID_setct_BatchAdminReqTBE,4,&(lvalues[4200]),0},
+	NID_setct_BatchAdminReqTBE,4,&(lvalues[4196]),0},
 {"setct-BatchAdminResTBE","setct-BatchAdminResTBE",
-	NID_setct_BatchAdminResTBE,4,&(lvalues[4204]),0},
+	NID_setct_BatchAdminResTBE,4,&(lvalues[4200]),0},
 {"setct-RegFormReqTBE","setct-RegFormReqTBE",NID_setct_RegFormReqTBE,
-	4,&(lvalues[4208]),0},
+	4,&(lvalues[4204]),0},
 {"setct-CertReqTBE","setct-CertReqTBE",NID_setct_CertReqTBE,4,
-	&(lvalues[4212]),0},
+	&(lvalues[4208]),0},
 {"setct-CertReqTBEX","setct-CertReqTBEX",NID_setct_CertReqTBEX,4,
-	&(lvalues[4216]),0},
+	&(lvalues[4212]),0},
 {"setct-CertResTBE","setct-CertResTBE",NID_setct_CertResTBE,4,
-	&(lvalues[4220]),0},
+	&(lvalues[4216]),0},
 {"setct-CRLNotificationTBS","setct-CRLNotificationTBS",
-	NID_setct_CRLNotificationTBS,4,&(lvalues[4224]),0},
+	NID_setct_CRLNotificationTBS,4,&(lvalues[4220]),0},
 {"setct-CRLNotificationResTBS","setct-CRLNotificationResTBS",
-	NID_setct_CRLNotificationResTBS,4,&(lvalues[4228]),0},
+	NID_setct_CRLNotificationResTBS,4,&(lvalues[4224]),0},
 {"setct-BCIDistributionTBS","setct-BCIDistributionTBS",
-	NID_setct_BCIDistributionTBS,4,&(lvalues[4232]),0},
+	NID_setct_BCIDistributionTBS,4,&(lvalues[4228]),0},
 {"setext-genCrypt","generic cryptogram",NID_setext_genCrypt,4,
-	&(lvalues[4236]),0},
+	&(lvalues[4232]),0},
 {"setext-miAuth","merchant initiated auth",NID_setext_miAuth,4,
-	&(lvalues[4240]),0},
+	&(lvalues[4236]),0},
 {"setext-pinSecure","setext-pinSecure",NID_setext_pinSecure,4,
-	&(lvalues[4244]),0},
-{"setext-pinAny","setext-pinAny",NID_setext_pinAny,4,&(lvalues[4248]),0},
-{"setext-track2","setext-track2",NID_setext_track2,4,&(lvalues[4252]),0},
+	&(lvalues[4240]),0},
+{"setext-pinAny","setext-pinAny",NID_setext_pinAny,4,&(lvalues[4244]),0},
+{"setext-track2","setext-track2",NID_setext_track2,4,&(lvalues[4248]),0},
 {"setext-cv","additional verification",NID_setext_cv,4,
-	&(lvalues[4256]),0},
+	&(lvalues[4252]),0},
 {"set-policy-root","set-policy-root",NID_set_policy_root,4,
-	&(lvalues[4260]),0},
+	&(lvalues[4256]),0},
 {"setCext-hashedRoot","setCext-hashedRoot",NID_setCext_hashedRoot,4,
-	&(lvalues[4264]),0},
+	&(lvalues[4260]),0},
 {"setCext-certType","setCext-certType",NID_setCext_certType,4,
-	&(lvalues[4268]),0},
+	&(lvalues[4264]),0},
 {"setCext-merchData","setCext-merchData",NID_setCext_merchData,4,
-	&(lvalues[4272]),0},
+	&(lvalues[4268]),0},
 {"setCext-cCertRequired","setCext-cCertRequired",
-	NID_setCext_cCertRequired,4,&(lvalues[4276]),0},
+	NID_setCext_cCertRequired,4,&(lvalues[4272]),0},
 {"setCext-tunneling","setCext-tunneling",NID_setCext_tunneling,4,
-	&(lvalues[4280]),0},
+	&(lvalues[4276]),0},
 {"setCext-setExt","setCext-setExt",NID_setCext_setExt,4,
-	&(lvalues[4284]),0},
+	&(lvalues[4280]),0},
 {"setCext-setQualf","setCext-setQualf",NID_setCext_setQualf,4,
-	&(lvalues[4288]),0},
+	&(lvalues[4284]),0},
 {"setCext-PGWYcapabilities","setCext-PGWYcapabilities",
-	NID_setCext_PGWYcapabilities,4,&(lvalues[4292]),0},
+	NID_setCext_PGWYcapabilities,4,&(lvalues[4288]),0},
 {"setCext-TokenIdentifier","setCext-TokenIdentifier",
-	NID_setCext_TokenIdentifier,4,&(lvalues[4296]),0},
+	NID_setCext_TokenIdentifier,4,&(lvalues[4292]),0},
 {"setCext-Track2Data","setCext-Track2Data",NID_setCext_Track2Data,4,
-	&(lvalues[4300]),0},
+	&(lvalues[4296]),0},
 {"setCext-TokenType","setCext-TokenType",NID_setCext_TokenType,4,
-	&(lvalues[4304]),0},
+	&(lvalues[4300]),0},
 {"setCext-IssuerCapabilities","setCext-IssuerCapabilities",
-	NID_setCext_IssuerCapabilities,4,&(lvalues[4308]),0},
-{"setAttr-Cert","setAttr-Cert",NID_setAttr_Cert,4,&(lvalues[4312]),0},
+	NID_setCext_IssuerCapabilities,4,&(lvalues[4304]),0},
+{"setAttr-Cert","setAttr-Cert",NID_setAttr_Cert,4,&(lvalues[4308]),0},
 {"setAttr-PGWYcap","payment gateway capabilities",NID_setAttr_PGWYcap,
-	4,&(lvalues[4316]),0},
+	4,&(lvalues[4312]),0},
 {"setAttr-TokenType","setAttr-TokenType",NID_setAttr_TokenType,4,
-	&(lvalues[4320]),0},
+	&(lvalues[4316]),0},
 {"setAttr-IssCap","issuer capabilities",NID_setAttr_IssCap,4,
-	&(lvalues[4324]),0},
+	&(lvalues[4320]),0},
 {"set-rootKeyThumb","set-rootKeyThumb",NID_set_rootKeyThumb,5,
-	&(lvalues[4328]),0},
-{"set-addPolicy","set-addPolicy",NID_set_addPolicy,5,&(lvalues[4333]),0},
+	&(lvalues[4324]),0},
+{"set-addPolicy","set-addPolicy",NID_set_addPolicy,5,&(lvalues[4329]),0},
 {"setAttr-Token-EMV","setAttr-Token-EMV",NID_setAttr_Token_EMV,5,
-	&(lvalues[4338]),0},
+	&(lvalues[4334]),0},
 {"setAttr-Token-B0Prime","setAttr-Token-B0Prime",
-	NID_setAttr_Token_B0Prime,5,&(lvalues[4343]),0},
+	NID_setAttr_Token_B0Prime,5,&(lvalues[4339]),0},
 {"setAttr-IssCap-CVM","setAttr-IssCap-CVM",NID_setAttr_IssCap_CVM,5,
-	&(lvalues[4348]),0},
+	&(lvalues[4344]),0},
 {"setAttr-IssCap-T2","setAttr-IssCap-T2",NID_setAttr_IssCap_T2,5,
-	&(lvalues[4353]),0},
+	&(lvalues[4349]),0},
 {"setAttr-IssCap-Sig","setAttr-IssCap-Sig",NID_setAttr_IssCap_Sig,5,
-	&(lvalues[4358]),0},
+	&(lvalues[4354]),0},
 {"setAttr-GenCryptgrm","generate cryptogram",NID_setAttr_GenCryptgrm,
-	6,&(lvalues[4363]),0},
+	6,&(lvalues[4359]),0},
 {"setAttr-T2Enc","encrypted track 2",NID_setAttr_T2Enc,6,
-	&(lvalues[4369]),0},
+	&(lvalues[4365]),0},
 {"setAttr-T2cleartxt","cleartext track 2",NID_setAttr_T2cleartxt,6,
-	&(lvalues[4375]),0},
+	&(lvalues[4371]),0},
 {"setAttr-TokICCsig","ICC or token signature",NID_setAttr_TokICCsig,6,
-	&(lvalues[4381]),0},
+	&(lvalues[4377]),0},
 {"setAttr-SecDevSig","secure device signature",NID_setAttr_SecDevSig,
-	6,&(lvalues[4387]),0},
+	6,&(lvalues[4383]),0},
 {"set-brand-IATA-ATA","set-brand-IATA-ATA",NID_set_brand_IATA_ATA,4,
-	&(lvalues[4393]),0},
+	&(lvalues[4389]),0},
 {"set-brand-Diners","set-brand-Diners",NID_set_brand_Diners,4,
-	&(lvalues[4397]),0},
+	&(lvalues[4393]),0},
 {"set-brand-AmericanExpress","set-brand-AmericanExpress",
-	NID_set_brand_AmericanExpress,4,&(lvalues[4401]),0},
-{"set-brand-JCB","set-brand-JCB",NID_set_brand_JCB,4,&(lvalues[4405]),0},
+	NID_set_brand_AmericanExpress,4,&(lvalues[4397]),0},
+{"set-brand-JCB","set-brand-JCB",NID_set_brand_JCB,4,&(lvalues[4401]),0},
 {"set-brand-Visa","set-brand-Visa",NID_set_brand_Visa,4,
-	&(lvalues[4409]),0},
+	&(lvalues[4405]),0},
 {"set-brand-MasterCard","set-brand-MasterCard",
-	NID_set_brand_MasterCard,4,&(lvalues[4413]),0},
+	NID_set_brand_MasterCard,4,&(lvalues[4409]),0},
 {"set-brand-Novus","set-brand-Novus",NID_set_brand_Novus,5,
-	&(lvalues[4417]),0},
-{"DES-CDMF","des-cdmf",NID_des_cdmf,8,&(lvalues[4422]),0},
+	&(lvalues[4413]),0},
+{"DES-CDMF","des-cdmf",NID_des_cdmf,8,&(lvalues[4418]),0},
 {"rsaOAEPEncryptionSET","rsaOAEPEncryptionSET",
-	NID_rsaOAEPEncryptionSET,9,&(lvalues[4430]),0},
-{"ITU-T","itu-t",NID_itu_t,1,&(lvalues[4439]),0},
-{"JOINT-ISO-ITU-T","joint-iso-itu-t",NID_joint_iso_itu_t,1,
-	&(lvalues[4440]),0},
+	NID_rsaOAEPEncryptionSET,9,&(lvalues[4426]),0},
+{"ITU-T","itu-t",NID_itu_t,0,NULL,0},
+{"JOINT-ISO-ITU-T","joint-iso-itu-t",NID_joint_iso_itu_t,0,NULL,0},
 {"international-organizations","International Organizations",
-	NID_international_organizations,1,&(lvalues[4441]),0},
+	NID_international_organizations,1,&(lvalues[4435]),0},
 {"msSmartcardLogin","Microsoft Smartcardlogin",NID_ms_smartcard_login,
-	10,&(lvalues[4442]),0},
+	10,&(lvalues[4436]),0},
 {"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10,
-	&(lvalues[4452]),0},
+	&(lvalues[4446]),0},
 {"AES-128-CFB1","aes-128-cfb1",NID_aes_128_cfb1,0,NULL,0},
 {"AES-192-CFB1","aes-192-cfb1",NID_aes_192_cfb1,0,NULL,0},
 {"AES-256-CFB1","aes-256-cfb1",NID_aes_256_cfb1,0,NULL,0},
@@ -1979,138 +1972,138 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 {"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL,0},
 {"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL,0},
 {"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL,0},
-{"street","streetAddress",NID_streetAddress,3,&(lvalues[4462]),0},
-{"postalCode","postalCode",NID_postalCode,3,&(lvalues[4465]),0},
-{"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4468]),0},
+{"street","streetAddress",NID_streetAddress,3,&(lvalues[4456]),0},
+{"postalCode","postalCode",NID_postalCode,3,&(lvalues[4459]),0},
+{"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4462]),0},
 {"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8,
-	&(lvalues[4475]),0},
+	&(lvalues[4469]),0},
 {"id-ppl-anyLanguage","Any language",NID_id_ppl_anyLanguage,8,
-	&(lvalues[4483]),0},
+	&(lvalues[4477]),0},
 {"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8,
-	&(lvalues[4491]),0},
+	&(lvalues[4485]),0},
 {"nameConstraints","X509v3 Name Constraints",NID_name_constraints,3,
-	&(lvalues[4499]),0},
-{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4502]),0},
+	&(lvalues[4493]),0},
+{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4496]),0},
 {"RSA-SHA256","sha256WithRSAEncryption",NID_sha256WithRSAEncryption,9,
-	&(lvalues[4510]),0},
+	&(lvalues[4504]),0},
 {"RSA-SHA384","sha384WithRSAEncryption",NID_sha384WithRSAEncryption,9,
-	&(lvalues[4519]),0},
+	&(lvalues[4513]),0},
 {"RSA-SHA512","sha512WithRSAEncryption",NID_sha512WithRSAEncryption,9,
-	&(lvalues[4528]),0},
+	&(lvalues[4522]),0},
 {"RSA-SHA224","sha224WithRSAEncryption",NID_sha224WithRSAEncryption,9,
-	&(lvalues[4537]),0},
-{"SHA256","sha256",NID_sha256,9,&(lvalues[4546]),0},
-{"SHA384","sha384",NID_sha384,9,&(lvalues[4555]),0},
-{"SHA512","sha512",NID_sha512,9,&(lvalues[4564]),0},
-{"SHA224","sha224",NID_sha224,9,&(lvalues[4573]),0},
+	&(lvalues[4531]),0},
+{"SHA256","sha256",NID_sha256,9,&(lvalues[4540]),0},
+{"SHA384","sha384",NID_sha384,9,&(lvalues[4549]),0},
+{"SHA512","sha512",NID_sha512,9,&(lvalues[4558]),0},
+{"SHA224","sha224",NID_sha224,9,&(lvalues[4567]),0},
 {"identified-organization","identified-organization",
-	NID_identified_organization,1,&(lvalues[4582]),0},
-{"certicom-arc","certicom-arc",NID_certicom_arc,3,&(lvalues[4583]),0},
-{"wap","wap",NID_wap,2,&(lvalues[4586]),0},
-{"wap-wsg","wap-wsg",NID_wap_wsg,3,&(lvalues[4588]),0},
+	NID_identified_organization,1,&(lvalues[4576]),0},
+{"certicom-arc","certicom-arc",NID_certicom_arc,3,&(lvalues[4577]),0},
+{"wap","wap",NID_wap,2,&(lvalues[4580]),0},
+{"wap-wsg","wap-wsg",NID_wap_wsg,3,&(lvalues[4582]),0},
 {"id-characteristic-two-basis","id-characteristic-two-basis",
-	NID_X9_62_id_characteristic_two_basis,8,&(lvalues[4591]),0},
-{"onBasis","onBasis",NID_X9_62_onBasis,9,&(lvalues[4599]),0},
-{"tpBasis","tpBasis",NID_X9_62_tpBasis,9,&(lvalues[4608]),0},
-{"ppBasis","ppBasis",NID_X9_62_ppBasis,9,&(lvalues[4617]),0},
-{"c2pnb163v1","c2pnb163v1",NID_X9_62_c2pnb163v1,8,&(lvalues[4626]),0},
-{"c2pnb163v2","c2pnb163v2",NID_X9_62_c2pnb163v2,8,&(lvalues[4634]),0},
-{"c2pnb163v3","c2pnb163v3",NID_X9_62_c2pnb163v3,8,&(lvalues[4642]),0},
-{"c2pnb176v1","c2pnb176v1",NID_X9_62_c2pnb176v1,8,&(lvalues[4650]),0},
-{"c2tnb191v1","c2tnb191v1",NID_X9_62_c2tnb191v1,8,&(lvalues[4658]),0},
-{"c2tnb191v2","c2tnb191v2",NID_X9_62_c2tnb191v2,8,&(lvalues[4666]),0},
-{"c2tnb191v3","c2tnb191v3",NID_X9_62_c2tnb191v3,8,&(lvalues[4674]),0},
-{"c2onb191v4","c2onb191v4",NID_X9_62_c2onb191v4,8,&(lvalues[4682]),0},
-{"c2onb191v5","c2onb191v5",NID_X9_62_c2onb191v5,8,&(lvalues[4690]),0},
-{"c2pnb208w1","c2pnb208w1",NID_X9_62_c2pnb208w1,8,&(lvalues[4698]),0},
-{"c2tnb239v1","c2tnb239v1",NID_X9_62_c2tnb239v1,8,&(lvalues[4706]),0},
-{"c2tnb239v2","c2tnb239v2",NID_X9_62_c2tnb239v2,8,&(lvalues[4714]),0},
-{"c2tnb239v3","c2tnb239v3",NID_X9_62_c2tnb239v3,8,&(lvalues[4722]),0},
-{"c2onb239v4","c2onb239v4",NID_X9_62_c2onb239v4,8,&(lvalues[4730]),0},
-{"c2onb239v5","c2onb239v5",NID_X9_62_c2onb239v5,8,&(lvalues[4738]),0},
-{"c2pnb272w1","c2pnb272w1",NID_X9_62_c2pnb272w1,8,&(lvalues[4746]),0},
-{"c2pnb304w1","c2pnb304w1",NID_X9_62_c2pnb304w1,8,&(lvalues[4754]),0},
-{"c2tnb359v1","c2tnb359v1",NID_X9_62_c2tnb359v1,8,&(lvalues[4762]),0},
-{"c2pnb368w1","c2pnb368w1",NID_X9_62_c2pnb368w1,8,&(lvalues[4770]),0},
-{"c2tnb431r1","c2tnb431r1",NID_X9_62_c2tnb431r1,8,&(lvalues[4778]),0},
-{"secp112r1","secp112r1",NID_secp112r1,5,&(lvalues[4786]),0},
-{"secp112r2","secp112r2",NID_secp112r2,5,&(lvalues[4791]),0},
-{"secp128r1","secp128r1",NID_secp128r1,5,&(lvalues[4796]),0},
-{"secp128r2","secp128r2",NID_secp128r2,5,&(lvalues[4801]),0},
-{"secp160k1","secp160k1",NID_secp160k1,5,&(lvalues[4806]),0},
-{"secp160r1","secp160r1",NID_secp160r1,5,&(lvalues[4811]),0},
-{"secp160r2","secp160r2",NID_secp160r2,5,&(lvalues[4816]),0},
-{"secp192k1","secp192k1",NID_secp192k1,5,&(lvalues[4821]),0},
-{"secp224k1","secp224k1",NID_secp224k1,5,&(lvalues[4826]),0},
-{"secp224r1","secp224r1",NID_secp224r1,5,&(lvalues[4831]),0},
-{"secp256k1","secp256k1",NID_secp256k1,5,&(lvalues[4836]),0},
-{"secp384r1","secp384r1",NID_secp384r1,5,&(lvalues[4841]),0},
-{"secp521r1","secp521r1",NID_secp521r1,5,&(lvalues[4846]),0},
-{"sect113r1","sect113r1",NID_sect113r1,5,&(lvalues[4851]),0},
-{"sect113r2","sect113r2",NID_sect113r2,5,&(lvalues[4856]),0},
-{"sect131r1","sect131r1",NID_sect131r1,5,&(lvalues[4861]),0},
-{"sect131r2","sect131r2",NID_sect131r2,5,&(lvalues[4866]),0},
-{"sect163k1","sect163k1",NID_sect163k1,5,&(lvalues[4871]),0},
-{"sect163r1","sect163r1",NID_sect163r1,5,&(lvalues[4876]),0},
-{"sect163r2","sect163r2",NID_sect163r2,5,&(lvalues[4881]),0},
-{"sect193r1","sect193r1",NID_sect193r1,5,&(lvalues[4886]),0},
-{"sect193r2","sect193r2",NID_sect193r2,5,&(lvalues[4891]),0},
-{"sect233k1","sect233k1",NID_sect233k1,5,&(lvalues[4896]),0},
-{"sect233r1","sect233r1",NID_sect233r1,5,&(lvalues[4901]),0},
-{"sect239k1","sect239k1",NID_sect239k1,5,&(lvalues[4906]),0},
-{"sect283k1","sect283k1",NID_sect283k1,5,&(lvalues[4911]),0},
-{"sect283r1","sect283r1",NID_sect283r1,5,&(lvalues[4916]),0},
-{"sect409k1","sect409k1",NID_sect409k1,5,&(lvalues[4921]),0},
-{"sect409r1","sect409r1",NID_sect409r1,5,&(lvalues[4926]),0},
-{"sect571k1","sect571k1",NID_sect571k1,5,&(lvalues[4931]),0},
-{"sect571r1","sect571r1",NID_sect571r1,5,&(lvalues[4936]),0},
+	NID_X9_62_id_characteristic_two_basis,8,&(lvalues[4585]),0},
+{"onBasis","onBasis",NID_X9_62_onBasis,9,&(lvalues[4593]),0},
+{"tpBasis","tpBasis",NID_X9_62_tpBasis,9,&(lvalues[4602]),0},
+{"ppBasis","ppBasis",NID_X9_62_ppBasis,9,&(lvalues[4611]),0},
+{"c2pnb163v1","c2pnb163v1",NID_X9_62_c2pnb163v1,8,&(lvalues[4620]),0},
+{"c2pnb163v2","c2pnb163v2",NID_X9_62_c2pnb163v2,8,&(lvalues[4628]),0},
+{"c2pnb163v3","c2pnb163v3",NID_X9_62_c2pnb163v3,8,&(lvalues[4636]),0},
+{"c2pnb176v1","c2pnb176v1",NID_X9_62_c2pnb176v1,8,&(lvalues[4644]),0},
+{"c2tnb191v1","c2tnb191v1",NID_X9_62_c2tnb191v1,8,&(lvalues[4652]),0},
+{"c2tnb191v2","c2tnb191v2",NID_X9_62_c2tnb191v2,8,&(lvalues[4660]),0},
+{"c2tnb191v3","c2tnb191v3",NID_X9_62_c2tnb191v3,8,&(lvalues[4668]),0},
+{"c2onb191v4","c2onb191v4",NID_X9_62_c2onb191v4,8,&(lvalues[4676]),0},
+{"c2onb191v5","c2onb191v5",NID_X9_62_c2onb191v5,8,&(lvalues[4684]),0},
+{"c2pnb208w1","c2pnb208w1",NID_X9_62_c2pnb208w1,8,&(lvalues[4692]),0},
+{"c2tnb239v1","c2tnb239v1",NID_X9_62_c2tnb239v1,8,&(lvalues[4700]),0},
+{"c2tnb239v2","c2tnb239v2",NID_X9_62_c2tnb239v2,8,&(lvalues[4708]),0},
+{"c2tnb239v3","c2tnb239v3",NID_X9_62_c2tnb239v3,8,&(lvalues[4716]),0},
+{"c2onb239v4","c2onb239v4",NID_X9_62_c2onb239v4,8,&(lvalues[4724]),0},
+{"c2onb239v5","c2onb239v5",NID_X9_62_c2onb239v5,8,&(lvalues[4732]),0},
+{"c2pnb272w1","c2pnb272w1",NID_X9_62_c2pnb272w1,8,&(lvalues[4740]),0},
+{"c2pnb304w1","c2pnb304w1",NID_X9_62_c2pnb304w1,8,&(lvalues[4748]),0},
+{"c2tnb359v1","c2tnb359v1",NID_X9_62_c2tnb359v1,8,&(lvalues[4756]),0},
+{"c2pnb368w1","c2pnb368w1",NID_X9_62_c2pnb368w1,8,&(lvalues[4764]),0},
+{"c2tnb431r1","c2tnb431r1",NID_X9_62_c2tnb431r1,8,&(lvalues[4772]),0},
+{"secp112r1","secp112r1",NID_secp112r1,5,&(lvalues[4780]),0},
+{"secp112r2","secp112r2",NID_secp112r2,5,&(lvalues[4785]),0},
+{"secp128r1","secp128r1",NID_secp128r1,5,&(lvalues[4790]),0},
+{"secp128r2","secp128r2",NID_secp128r2,5,&(lvalues[4795]),0},
+{"secp160k1","secp160k1",NID_secp160k1,5,&(lvalues[4800]),0},
+{"secp160r1","secp160r1",NID_secp160r1,5,&(lvalues[4805]),0},
+{"secp160r2","secp160r2",NID_secp160r2,5,&(lvalues[4810]),0},
+{"secp192k1","secp192k1",NID_secp192k1,5,&(lvalues[4815]),0},
+{"secp224k1","secp224k1",NID_secp224k1,5,&(lvalues[4820]),0},
+{"secp224r1","secp224r1",NID_secp224r1,5,&(lvalues[4825]),0},
+{"secp256k1","secp256k1",NID_secp256k1,5,&(lvalues[4830]),0},
+{"secp384r1","secp384r1",NID_secp384r1,5,&(lvalues[4835]),0},
+{"secp521r1","secp521r1",NID_secp521r1,5,&(lvalues[4840]),0},
+{"sect113r1","sect113r1",NID_sect113r1,5,&(lvalues[4845]),0},
+{"sect113r2","sect113r2",NID_sect113r2,5,&(lvalues[4850]),0},
+{"sect131r1","sect131r1",NID_sect131r1,5,&(lvalues[4855]),0},
+{"sect131r2","sect131r2",NID_sect131r2,5,&(lvalues[4860]),0},
+{"sect163k1","sect163k1",NID_sect163k1,5,&(lvalues[4865]),0},
+{"sect163r1","sect163r1",NID_sect163r1,5,&(lvalues[4870]),0},
+{"sect163r2","sect163r2",NID_sect163r2,5,&(lvalues[4875]),0},
+{"sect193r1","sect193r1",NID_sect193r1,5,&(lvalues[4880]),0},
+{"sect193r2","sect193r2",NID_sect193r2,5,&(lvalues[4885]),0},
+{"sect233k1","sect233k1",NID_sect233k1,5,&(lvalues[4890]),0},
+{"sect233r1","sect233r1",NID_sect233r1,5,&(lvalues[4895]),0},
+{"sect239k1","sect239k1",NID_sect239k1,5,&(lvalues[4900]),0},
+{"sect283k1","sect283k1",NID_sect283k1,5,&(lvalues[4905]),0},
+{"sect283r1","sect283r1",NID_sect283r1,5,&(lvalues[4910]),0},
+{"sect409k1","sect409k1",NID_sect409k1,5,&(lvalues[4915]),0},
+{"sect409r1","sect409r1",NID_sect409r1,5,&(lvalues[4920]),0},
+{"sect571k1","sect571k1",NID_sect571k1,5,&(lvalues[4925]),0},
+{"sect571r1","sect571r1",NID_sect571r1,5,&(lvalues[4930]),0},
 {"wap-wsg-idm-ecid-wtls1","wap-wsg-idm-ecid-wtls1",
-	NID_wap_wsg_idm_ecid_wtls1,5,&(lvalues[4941]),0},
+	NID_wap_wsg_idm_ecid_wtls1,5,&(lvalues[4935]),0},
 {"wap-wsg-idm-ecid-wtls3","wap-wsg-idm-ecid-wtls3",
-	NID_wap_wsg_idm_ecid_wtls3,5,&(lvalues[4946]),0},
+	NID_wap_wsg_idm_ecid_wtls3,5,&(lvalues[4940]),0},
 {"wap-wsg-idm-ecid-wtls4","wap-wsg-idm-ecid-wtls4",
-	NID_wap_wsg_idm_ecid_wtls4,5,&(lvalues[4951]),0},
+	NID_wap_wsg_idm_ecid_wtls4,5,&(lvalues[4945]),0},
 {"wap-wsg-idm-ecid-wtls5","wap-wsg-idm-ecid-wtls5",
-	NID_wap_wsg_idm_ecid_wtls5,5,&(lvalues[4956]),0},
+	NID_wap_wsg_idm_ecid_wtls5,5,&(lvalues[4950]),0},
 {"wap-wsg-idm-ecid-wtls6","wap-wsg-idm-ecid-wtls6",
-	NID_wap_wsg_idm_ecid_wtls6,5,&(lvalues[4961]),0},
+	NID_wap_wsg_idm_ecid_wtls6,5,&(lvalues[4955]),0},
 {"wap-wsg-idm-ecid-wtls7","wap-wsg-idm-ecid-wtls7",
-	NID_wap_wsg_idm_ecid_wtls7,5,&(lvalues[4966]),0},
+	NID_wap_wsg_idm_ecid_wtls7,5,&(lvalues[4960]),0},
 {"wap-wsg-idm-ecid-wtls8","wap-wsg-idm-ecid-wtls8",
-	NID_wap_wsg_idm_ecid_wtls8,5,&(lvalues[4971]),0},
+	NID_wap_wsg_idm_ecid_wtls8,5,&(lvalues[4965]),0},
 {"wap-wsg-idm-ecid-wtls9","wap-wsg-idm-ecid-wtls9",
-	NID_wap_wsg_idm_ecid_wtls9,5,&(lvalues[4976]),0},
+	NID_wap_wsg_idm_ecid_wtls9,5,&(lvalues[4970]),0},
 {"wap-wsg-idm-ecid-wtls10","wap-wsg-idm-ecid-wtls10",
-	NID_wap_wsg_idm_ecid_wtls10,5,&(lvalues[4981]),0},
+	NID_wap_wsg_idm_ecid_wtls10,5,&(lvalues[4975]),0},
 {"wap-wsg-idm-ecid-wtls11","wap-wsg-idm-ecid-wtls11",
-	NID_wap_wsg_idm_ecid_wtls11,5,&(lvalues[4986]),0},
+	NID_wap_wsg_idm_ecid_wtls11,5,&(lvalues[4980]),0},
 {"wap-wsg-idm-ecid-wtls12","wap-wsg-idm-ecid-wtls12",
-	NID_wap_wsg_idm_ecid_wtls12,5,&(lvalues[4991]),0},
-{"anyPolicy","X509v3 Any Policy",NID_any_policy,4,&(lvalues[4996]),0},
+	NID_wap_wsg_idm_ecid_wtls12,5,&(lvalues[4985]),0},
+{"anyPolicy","X509v3 Any Policy",NID_any_policy,4,&(lvalues[4990]),0},
 {"policyMappings","X509v3 Policy Mappings",NID_policy_mappings,3,
-	&(lvalues[5000]),0},
+	&(lvalues[4994]),0},
 {"inhibitAnyPolicy","X509v3 Inhibit Any Policy",
-	NID_inhibit_any_policy,3,&(lvalues[5003]),0},
+	NID_inhibit_any_policy,3,&(lvalues[4997]),0},
 {"Oakley-EC2N-3","ipsec3",NID_ipsec3,0,NULL,0},
 {"Oakley-EC2N-4","ipsec4",NID_ipsec4,0,NULL,0},
 {"CAMELLIA-128-CBC","camellia-128-cbc",NID_camellia_128_cbc,11,
-	&(lvalues[5006]),0},
+	&(lvalues[5000]),0},
 {"CAMELLIA-192-CBC","camellia-192-cbc",NID_camellia_192_cbc,11,
-	&(lvalues[5017]),0},
+	&(lvalues[5011]),0},
 {"CAMELLIA-256-CBC","camellia-256-cbc",NID_camellia_256_cbc,11,
-	&(lvalues[5028]),0},
+	&(lvalues[5022]),0},
 {"CAMELLIA-128-ECB","camellia-128-ecb",NID_camellia_128_ecb,8,
-	&(lvalues[5039]),0},
+	&(lvalues[5033]),0},
 {"CAMELLIA-192-ECB","camellia-192-ecb",NID_camellia_192_ecb,8,
-	&(lvalues[5047]),0},
+	&(lvalues[5041]),0},
 {"CAMELLIA-256-ECB","camellia-256-ecb",NID_camellia_256_ecb,8,
-	&(lvalues[5055]),0},
+	&(lvalues[5049]),0},
 {"CAMELLIA-128-CFB","camellia-128-cfb",NID_camellia_128_cfb128,8,
-	&(lvalues[5063]),0},
+	&(lvalues[5057]),0},
 {"CAMELLIA-192-CFB","camellia-192-cfb",NID_camellia_192_cfb128,8,
-	&(lvalues[5071]),0},
+	&(lvalues[5065]),0},
 {"CAMELLIA-256-CFB","camellia-256-cfb",NID_camellia_256_cfb128,8,
-	&(lvalues[5079]),0},
+	&(lvalues[5073]),0},
 {"CAMELLIA-128-CFB1","camellia-128-cfb1",NID_camellia_128_cfb1,0,NULL,0},
 {"CAMELLIA-192-CFB1","camellia-192-cfb1",NID_camellia_192_cfb1,0,NULL,0},
 {"CAMELLIA-256-CFB1","camellia-256-cfb1",NID_camellia_256_cfb1,0,NULL,0},
@@ -2118,284 +2111,284 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 {"CAMELLIA-192-CFB8","camellia-192-cfb8",NID_camellia_192_cfb8,0,NULL,0},
 {"CAMELLIA-256-CFB8","camellia-256-cfb8",NID_camellia_256_cfb8,0,NULL,0},
 {"CAMELLIA-128-OFB","camellia-128-ofb",NID_camellia_128_ofb128,8,
-	&(lvalues[5087]),0},
+	&(lvalues[5081]),0},
 {"CAMELLIA-192-OFB","camellia-192-ofb",NID_camellia_192_ofb128,8,
-	&(lvalues[5095]),0},
+	&(lvalues[5089]),0},
 {"CAMELLIA-256-OFB","camellia-256-ofb",NID_camellia_256_ofb128,8,
-	&(lvalues[5103]),0},
+	&(lvalues[5097]),0},
 {"subjectDirectoryAttributes","X509v3 Subject Directory Attributes",
-	NID_subject_directory_attributes,3,&(lvalues[5111]),0},
+	NID_subject_directory_attributes,3,&(lvalues[5105]),0},
 {"issuingDistributionPoint","X509v3 Issuing Distrubution Point",
-	NID_issuing_distribution_point,3,&(lvalues[5114]),0},
+	NID_issuing_distribution_point,3,&(lvalues[5108]),0},
 {"certificateIssuer","X509v3 Certificate Issuer",
-	NID_certificate_issuer,3,&(lvalues[5117]),0},
+	NID_certificate_issuer,3,&(lvalues[5111]),0},
 {NULL,NULL,NID_undef,0,NULL,0},
-{"KISA","kisa",NID_kisa,6,&(lvalues[5120]),0},
+{"KISA","kisa",NID_kisa,6,&(lvalues[5114]),0},
 {NULL,NULL,NID_undef,0,NULL,0},
 {NULL,NULL,NID_undef,0,NULL,0},
-{"SEED-ECB","seed-ecb",NID_seed_ecb,8,&(lvalues[5126]),0},
-{"SEED-CBC","seed-cbc",NID_seed_cbc,8,&(lvalues[5134]),0},
-{"SEED-OFB","seed-ofb",NID_seed_ofb128,8,&(lvalues[5142]),0},
-{"SEED-CFB","seed-cfb",NID_seed_cfb128,8,&(lvalues[5150]),0},
-{"HMAC-MD5","hmac-md5",NID_hmac_md5,8,&(lvalues[5158]),0},
-{"HMAC-SHA1","hmac-sha1",NID_hmac_sha1,8,&(lvalues[5166]),0},
+{"SEED-ECB","seed-ecb",NID_seed_ecb,8,&(lvalues[5120]),0},
+{"SEED-CBC","seed-cbc",NID_seed_cbc,8,&(lvalues[5128]),0},
+{"SEED-OFB","seed-ofb",NID_seed_ofb128,8,&(lvalues[5136]),0},
+{"SEED-CFB","seed-cfb",NID_seed_cfb128,8,&(lvalues[5144]),0},
+{"HMAC-MD5","hmac-md5",NID_hmac_md5,8,&(lvalues[5152]),0},
+{"HMAC-SHA1","hmac-sha1",NID_hmac_sha1,8,&(lvalues[5160]),0},
 {"id-PasswordBasedMAC","password based MAC",NID_id_PasswordBasedMAC,9,
-	&(lvalues[5174]),0},
+	&(lvalues[5168]),0},
 {"id-DHBasedMac","Diffie-Hellman based MAC",NID_id_DHBasedMac,9,
-	&(lvalues[5183]),0},
+	&(lvalues[5177]),0},
 {"id-it-suppLangTags","id-it-suppLangTags",NID_id_it_suppLangTags,8,
-	&(lvalues[5192]),0},
-{"caRepository","CA Repository",NID_caRepository,8,&(lvalues[5200]),0},
+	&(lvalues[5186]),0},
+{"caRepository","CA Repository",NID_caRepository,8,&(lvalues[5194]),0},
 {"id-smime-ct-compressedData","id-smime-ct-compressedData",
-	NID_id_smime_ct_compressedData,11,&(lvalues[5208]),0},
+	NID_id_smime_ct_compressedData,11,&(lvalues[5202]),0},
 {"id-ct-asciiTextWithCRLF","id-ct-asciiTextWithCRLF",
-	NID_id_ct_asciiTextWithCRLF,11,&(lvalues[5219]),0},
+	NID_id_ct_asciiTextWithCRLF,11,&(lvalues[5213]),0},
 {"id-aes128-wrap","id-aes128-wrap",NID_id_aes128_wrap,9,
-	&(lvalues[5230]),0},
+	&(lvalues[5224]),0},
 {"id-aes192-wrap","id-aes192-wrap",NID_id_aes192_wrap,9,
-	&(lvalues[5239]),0},
+	&(lvalues[5233]),0},
 {"id-aes256-wrap","id-aes256-wrap",NID_id_aes256_wrap,9,
-	&(lvalues[5248]),0},
+	&(lvalues[5242]),0},
 {"ecdsa-with-Recommended","ecdsa-with-Recommended",
-	NID_ecdsa_with_Recommended,7,&(lvalues[5257]),0},
+	NID_ecdsa_with_Recommended,7,&(lvalues[5251]),0},
 {"ecdsa-with-Specified","ecdsa-with-Specified",
-	NID_ecdsa_with_Specified,7,&(lvalues[5264]),0},
+	NID_ecdsa_with_Specified,7,&(lvalues[5258]),0},
 {"ecdsa-with-SHA224","ecdsa-with-SHA224",NID_ecdsa_with_SHA224,8,
-	&(lvalues[5271]),0},
+	&(lvalues[5265]),0},
 {"ecdsa-with-SHA256","ecdsa-with-SHA256",NID_ecdsa_with_SHA256,8,
-	&(lvalues[5279]),0},
+	&(lvalues[5273]),0},
 {"ecdsa-with-SHA384","ecdsa-with-SHA384",NID_ecdsa_with_SHA384,8,
-	&(lvalues[5287]),0},
+	&(lvalues[5281]),0},
 {"ecdsa-with-SHA512","ecdsa-with-SHA512",NID_ecdsa_with_SHA512,8,
-	&(lvalues[5295]),0},
-{"hmacWithMD5","hmacWithMD5",NID_hmacWithMD5,8,&(lvalues[5303]),0},
+	&(lvalues[5289]),0},
+{"hmacWithMD5","hmacWithMD5",NID_hmacWithMD5,8,&(lvalues[5297]),0},
 {"hmacWithSHA224","hmacWithSHA224",NID_hmacWithSHA224,8,
-	&(lvalues[5311]),0},
+	&(lvalues[5305]),0},
 {"hmacWithSHA256","hmacWithSHA256",NID_hmacWithSHA256,8,
-	&(lvalues[5319]),0},
+	&(lvalues[5313]),0},
 {"hmacWithSHA384","hmacWithSHA384",NID_hmacWithSHA384,8,
-	&(lvalues[5327]),0},
+	&(lvalues[5321]),0},
 {"hmacWithSHA512","hmacWithSHA512",NID_hmacWithSHA512,8,
-	&(lvalues[5335]),0},
+	&(lvalues[5329]),0},
 {"dsa_with_SHA224","dsa_with_SHA224",NID_dsa_with_SHA224,9,
-	&(lvalues[5343]),0},
+	&(lvalues[5337]),0},
 {"dsa_with_SHA256","dsa_with_SHA256",NID_dsa_with_SHA256,9,
-	&(lvalues[5352]),0},
-{"whirlpool","whirlpool",NID_whirlpool,6,&(lvalues[5361]),0},
-{"cryptopro","cryptopro",NID_cryptopro,5,&(lvalues[5367]),0},
-{"cryptocom","cryptocom",NID_cryptocom,5,&(lvalues[5372]),0},
+	&(lvalues[5346]),0},
+{"whirlpool","whirlpool",NID_whirlpool,6,&(lvalues[5355]),0},
+{"cryptopro","cryptopro",NID_cryptopro,5,&(lvalues[5361]),0},
+{"cryptocom","cryptocom",NID_cryptocom,5,&(lvalues[5366]),0},
 {"id-GostR3411-94-with-GostR3410-2001",
 	"GOST R 34.11-94 with GOST R 34.10-2001",
-	NID_id_GostR3411_94_with_GostR3410_2001,6,&(lvalues[5377]),0},
+	NID_id_GostR3411_94_with_GostR3410_2001,6,&(lvalues[5371]),0},
 {"id-GostR3411-94-with-GostR3410-94",
 	"GOST R 34.11-94 with GOST R 34.10-94",
-	NID_id_GostR3411_94_with_GostR3410_94,6,&(lvalues[5383]),0},
-{"md_gost94","GOST R 34.11-94",NID_id_GostR3411_94,6,&(lvalues[5389]),0},
+	NID_id_GostR3411_94_with_GostR3410_94,6,&(lvalues[5377]),0},
+{"md_gost94","GOST R 34.11-94",NID_id_GostR3411_94,6,&(lvalues[5383]),0},
 {"id-HMACGostR3411-94","HMAC GOST 34.11-94",NID_id_HMACGostR3411_94,6,
-	&(lvalues[5395]),0},
+	&(lvalues[5389]),0},
 {"gost2001","GOST R 34.10-2001",NID_id_GostR3410_2001,6,
-	&(lvalues[5401]),0},
-{"gost94","GOST R 34.10-94",NID_id_GostR3410_94,6,&(lvalues[5407]),0},
-{"gost89","GOST 28147-89",NID_id_Gost28147_89,6,&(lvalues[5413]),0},
+	&(lvalues[5395]),0},
+{"gost94","GOST R 34.10-94",NID_id_GostR3410_94,6,&(lvalues[5401]),0},
+{"gost89","GOST 28147-89",NID_id_Gost28147_89,6,&(lvalues[5407]),0},
 {"gost89-cnt","gost89-cnt",NID_gost89_cnt,0,NULL,0},
 {"gost-mac","GOST 28147-89 MAC",NID_id_Gost28147_89_MAC,6,
-	&(lvalues[5419]),0},
+	&(lvalues[5413]),0},
 {"prf-gostr3411-94","GOST R 34.11-94 PRF",NID_id_GostR3411_94_prf,6,
-	&(lvalues[5425]),0},
+	&(lvalues[5419]),0},
 {"id-GostR3410-2001DH","GOST R 34.10-2001 DH",NID_id_GostR3410_2001DH,
-	6,&(lvalues[5431]),0},
+	6,&(lvalues[5425]),0},
 {"id-GostR3410-94DH","GOST R 34.10-94 DH",NID_id_GostR3410_94DH,6,
-	&(lvalues[5437]),0},
+	&(lvalues[5431]),0},
 {"id-Gost28147-89-CryptoPro-KeyMeshing",
 	"id-Gost28147-89-CryptoPro-KeyMeshing",
-	NID_id_Gost28147_89_CryptoPro_KeyMeshing,7,&(lvalues[5443]),0},
+	NID_id_Gost28147_89_CryptoPro_KeyMeshing,7,&(lvalues[5437]),0},
 {"id-Gost28147-89-None-KeyMeshing","id-Gost28147-89-None-KeyMeshing",
-	NID_id_Gost28147_89_None_KeyMeshing,7,&(lvalues[5450]),0},
+	NID_id_Gost28147_89_None_KeyMeshing,7,&(lvalues[5444]),0},
 {"id-GostR3411-94-TestParamSet","id-GostR3411-94-TestParamSet",
-	NID_id_GostR3411_94_TestParamSet,7,&(lvalues[5457]),0},
+	NID_id_GostR3411_94_TestParamSet,7,&(lvalues[5451]),0},
 {"id-GostR3411-94-CryptoProParamSet",
 	"id-GostR3411-94-CryptoProParamSet",
-	NID_id_GostR3411_94_CryptoProParamSet,7,&(lvalues[5464]),0},
+	NID_id_GostR3411_94_CryptoProParamSet,7,&(lvalues[5458]),0},
 {"id-Gost28147-89-TestParamSet","id-Gost28147-89-TestParamSet",
-	NID_id_Gost28147_89_TestParamSet,7,&(lvalues[5471]),0},
+	NID_id_Gost28147_89_TestParamSet,7,&(lvalues[5465]),0},
 {"id-Gost28147-89-CryptoPro-A-ParamSet",
 	"id-Gost28147-89-CryptoPro-A-ParamSet",
-	NID_id_Gost28147_89_CryptoPro_A_ParamSet,7,&(lvalues[5478]),0},
+	NID_id_Gost28147_89_CryptoPro_A_ParamSet,7,&(lvalues[5472]),0},
 {"id-Gost28147-89-CryptoPro-B-ParamSet",
 	"id-Gost28147-89-CryptoPro-B-ParamSet",
-	NID_id_Gost28147_89_CryptoPro_B_ParamSet,7,&(lvalues[5485]),0},
+	NID_id_Gost28147_89_CryptoPro_B_ParamSet,7,&(lvalues[5479]),0},
 {"id-Gost28147-89-CryptoPro-C-ParamSet",
 	"id-Gost28147-89-CryptoPro-C-ParamSet",
-	NID_id_Gost28147_89_CryptoPro_C_ParamSet,7,&(lvalues[5492]),0},
+	NID_id_Gost28147_89_CryptoPro_C_ParamSet,7,&(lvalues[5486]),0},
 {"id-Gost28147-89-CryptoPro-D-ParamSet",
 	"id-Gost28147-89-CryptoPro-D-ParamSet",
-	NID_id_Gost28147_89_CryptoPro_D_ParamSet,7,&(lvalues[5499]),0},
+	NID_id_Gost28147_89_CryptoPro_D_ParamSet,7,&(lvalues[5493]),0},
 {"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet",
 	"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet",
-	NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet,7,&(lvalues[5506]),
+	NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet,7,&(lvalues[5500]),
 	0},
 {"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet",
 	"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet",
-	NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet,7,&(lvalues[5513]),
+	NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet,7,&(lvalues[5507]),
 	0},
 {"id-Gost28147-89-CryptoPro-RIC-1-ParamSet",
 	"id-Gost28147-89-CryptoPro-RIC-1-ParamSet",
-	NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet,7,&(lvalues[5520]),0},
+	NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet,7,&(lvalues[5514]),0},
 {"id-GostR3410-94-TestParamSet","id-GostR3410-94-TestParamSet",
-	NID_id_GostR3410_94_TestParamSet,7,&(lvalues[5527]),0},
+	NID_id_GostR3410_94_TestParamSet,7,&(lvalues[5521]),0},
 {"id-GostR3410-94-CryptoPro-A-ParamSet",
 	"id-GostR3410-94-CryptoPro-A-ParamSet",
-	NID_id_GostR3410_94_CryptoPro_A_ParamSet,7,&(lvalues[5534]),0},
+	NID_id_GostR3410_94_CryptoPro_A_ParamSet,7,&(lvalues[5528]),0},
 {"id-GostR3410-94-CryptoPro-B-ParamSet",
 	"id-GostR3410-94-CryptoPro-B-ParamSet",
-	NID_id_GostR3410_94_CryptoPro_B_ParamSet,7,&(lvalues[5541]),0},
+	NID_id_GostR3410_94_CryptoPro_B_ParamSet,7,&(lvalues[5535]),0},
 {"id-GostR3410-94-CryptoPro-C-ParamSet",
 	"id-GostR3410-94-CryptoPro-C-ParamSet",
-	NID_id_GostR3410_94_CryptoPro_C_ParamSet,7,&(lvalues[5548]),0},
+	NID_id_GostR3410_94_CryptoPro_C_ParamSet,7,&(lvalues[5542]),0},
 {"id-GostR3410-94-CryptoPro-D-ParamSet",
 	"id-GostR3410-94-CryptoPro-D-ParamSet",
-	NID_id_GostR3410_94_CryptoPro_D_ParamSet,7,&(lvalues[5555]),0},
+	NID_id_GostR3410_94_CryptoPro_D_ParamSet,7,&(lvalues[5549]),0},
 {"id-GostR3410-94-CryptoPro-XchA-ParamSet",
 	"id-GostR3410-94-CryptoPro-XchA-ParamSet",
-	NID_id_GostR3410_94_CryptoPro_XchA_ParamSet,7,&(lvalues[5562]),0},
+	NID_id_GostR3410_94_CryptoPro_XchA_ParamSet,7,&(lvalues[5556]),0},
 {"id-GostR3410-94-CryptoPro-XchB-ParamSet",
 	"id-GostR3410-94-CryptoPro-XchB-ParamSet",
-	NID_id_GostR3410_94_CryptoPro_XchB_ParamSet,7,&(lvalues[5569]),0},
+	NID_id_GostR3410_94_CryptoPro_XchB_ParamSet,7,&(lvalues[5563]),0},
 {"id-GostR3410-94-CryptoPro-XchC-ParamSet",
 	"id-GostR3410-94-CryptoPro-XchC-ParamSet",
-	NID_id_GostR3410_94_CryptoPro_XchC_ParamSet,7,&(lvalues[5576]),0},
+	NID_id_GostR3410_94_CryptoPro_XchC_ParamSet,7,&(lvalues[5570]),0},
 {"id-GostR3410-2001-TestParamSet","id-GostR3410-2001-TestParamSet",
-	NID_id_GostR3410_2001_TestParamSet,7,&(lvalues[5583]),0},
+	NID_id_GostR3410_2001_TestParamSet,7,&(lvalues[5577]),0},
 {"id-GostR3410-2001-CryptoPro-A-ParamSet",
 	"id-GostR3410-2001-CryptoPro-A-ParamSet",
-	NID_id_GostR3410_2001_CryptoPro_A_ParamSet,7,&(lvalues[5590]),0},
+	NID_id_GostR3410_2001_CryptoPro_A_ParamSet,7,&(lvalues[5584]),0},
 {"id-GostR3410-2001-CryptoPro-B-ParamSet",
 	"id-GostR3410-2001-CryptoPro-B-ParamSet",
-	NID_id_GostR3410_2001_CryptoPro_B_ParamSet,7,&(lvalues[5597]),0},
+	NID_id_GostR3410_2001_CryptoPro_B_ParamSet,7,&(lvalues[5591]),0},
 {"id-GostR3410-2001-CryptoPro-C-ParamSet",
 	"id-GostR3410-2001-CryptoPro-C-ParamSet",
-	NID_id_GostR3410_2001_CryptoPro_C_ParamSet,7,&(lvalues[5604]),0},
+	NID_id_GostR3410_2001_CryptoPro_C_ParamSet,7,&(lvalues[5598]),0},
 {"id-GostR3410-2001-CryptoPro-XchA-ParamSet",
 	"id-GostR3410-2001-CryptoPro-XchA-ParamSet",
-	NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet,7,&(lvalues[5611]),0},
+	NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet,7,&(lvalues[5605]),0},
 	
 {"id-GostR3410-2001-CryptoPro-XchB-ParamSet",
 	"id-GostR3410-2001-CryptoPro-XchB-ParamSet",
-	NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet,7,&(lvalues[5618]),0},
+	NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet,7,&(lvalues[5612]),0},
 	
 {"id-GostR3410-94-a","id-GostR3410-94-a",NID_id_GostR3410_94_a,7,
-	&(lvalues[5625]),0},
+	&(lvalues[5619]),0},
 {"id-GostR3410-94-aBis","id-GostR3410-94-aBis",
-	NID_id_GostR3410_94_aBis,7,&(lvalues[5632]),0},
+	NID_id_GostR3410_94_aBis,7,&(lvalues[5626]),0},
 {"id-GostR3410-94-b","id-GostR3410-94-b",NID_id_GostR3410_94_b,7,
-	&(lvalues[5639]),0},
+	&(lvalues[5633]),0},
 {"id-GostR3410-94-bBis","id-GostR3410-94-bBis",
-	NID_id_GostR3410_94_bBis,7,&(lvalues[5646]),0},
+	NID_id_GostR3410_94_bBis,7,&(lvalues[5640]),0},
 {"id-Gost28147-89-cc","GOST 28147-89 Cryptocom ParamSet",
-	NID_id_Gost28147_89_cc,8,&(lvalues[5653]),0},
+	NID_id_Gost28147_89_cc,8,&(lvalues[5647]),0},
 {"gost94cc","GOST 34.10-94 Cryptocom",NID_id_GostR3410_94_cc,8,
-	&(lvalues[5661]),0},
+	&(lvalues[5655]),0},
 {"gost2001cc","GOST 34.10-2001 Cryptocom",NID_id_GostR3410_2001_cc,8,
-	&(lvalues[5669]),0},
+	&(lvalues[5663]),0},
 {"id-GostR3411-94-with-GostR3410-94-cc",
 	"GOST R 34.11-94 with GOST R 34.10-94 Cryptocom",
-	NID_id_GostR3411_94_with_GostR3410_94_cc,8,&(lvalues[5677]),0},
+	NID_id_GostR3411_94_with_GostR3410_94_cc,8,&(lvalues[5671]),0},
 {"id-GostR3411-94-with-GostR3410-2001-cc",
 	"GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom",
-	NID_id_GostR3411_94_with_GostR3410_2001_cc,8,&(lvalues[5685]),0},
+	NID_id_GostR3411_94_with_GostR3410_2001_cc,8,&(lvalues[5679]),0},
 {"id-GostR3410-2001-ParamSet-cc",
 	"GOST R 3410-2001 Parameter Set Cryptocom",
-	NID_id_GostR3410_2001_ParamSet_cc,8,&(lvalues[5693]),0},
+	NID_id_GostR3410_2001_ParamSet_cc,8,&(lvalues[5687]),0},
 {"HMAC","hmac",NID_hmac,0,NULL,0},
 {"LocalKeySet","Microsoft Local Key set",NID_LocalKeySet,9,
-	&(lvalues[5701]),0},
+	&(lvalues[5695]),0},
 {"freshestCRL","X509v3 Freshest CRL",NID_freshest_crl,3,
-	&(lvalues[5710]),0},
+	&(lvalues[5704]),0},
 {"id-on-permanentIdentifier","Permanent Identifier",
-	NID_id_on_permanentIdentifier,8,&(lvalues[5713]),0},
-{"searchGuide","searchGuide",NID_searchGuide,3,&(lvalues[5721]),0},
+	NID_id_on_permanentIdentifier,8,&(lvalues[5707]),0},
+{"searchGuide","searchGuide",NID_searchGuide,3,&(lvalues[5715]),0},
 {"businessCategory","businessCategory",NID_businessCategory,3,
-	&(lvalues[5724]),0},
-{"postalAddress","postalAddress",NID_postalAddress,3,&(lvalues[5727]),0},
-{"postOfficeBox","postOfficeBox",NID_postOfficeBox,3,&(lvalues[5730]),0},
+	&(lvalues[5718]),0},
+{"postalAddress","postalAddress",NID_postalAddress,3,&(lvalues[5721]),0},
+{"postOfficeBox","postOfficeBox",NID_postOfficeBox,3,&(lvalues[5724]),0},
 {"physicalDeliveryOfficeName","physicalDeliveryOfficeName",
-	NID_physicalDeliveryOfficeName,3,&(lvalues[5733]),0},
+	NID_physicalDeliveryOfficeName,3,&(lvalues[5727]),0},
 {"telephoneNumber","telephoneNumber",NID_telephoneNumber,3,
-	&(lvalues[5736]),0},
-{"telexNumber","telexNumber",NID_telexNumber,3,&(lvalues[5739]),0},
+	&(lvalues[5730]),0},
+{"telexNumber","telexNumber",NID_telexNumber,3,&(lvalues[5733]),0},
 {"teletexTerminalIdentifier","teletexTerminalIdentifier",
-	NID_teletexTerminalIdentifier,3,&(lvalues[5742]),0},
+	NID_teletexTerminalIdentifier,3,&(lvalues[5736]),0},
 {"facsimileTelephoneNumber","facsimileTelephoneNumber",
-	NID_facsimileTelephoneNumber,3,&(lvalues[5745]),0},
-{"x121Address","x121Address",NID_x121Address,3,&(lvalues[5748]),0},
+	NID_facsimileTelephoneNumber,3,&(lvalues[5739]),0},
+{"x121Address","x121Address",NID_x121Address,3,&(lvalues[5742]),0},
 {"internationaliSDNNumber","internationaliSDNNumber",
-	NID_internationaliSDNNumber,3,&(lvalues[5751]),0},
+	NID_internationaliSDNNumber,3,&(lvalues[5745]),0},
 {"registeredAddress","registeredAddress",NID_registeredAddress,3,
-	&(lvalues[5754]),0},
+	&(lvalues[5748]),0},
 {"destinationIndicator","destinationIndicator",
-	NID_destinationIndicator,3,&(lvalues[5757]),0},
+	NID_destinationIndicator,3,&(lvalues[5751]),0},
 {"preferredDeliveryMethod","preferredDeliveryMethod",
-	NID_preferredDeliveryMethod,3,&(lvalues[5760]),0},
+	NID_preferredDeliveryMethod,3,&(lvalues[5754]),0},
 {"presentationAddress","presentationAddress",NID_presentationAddress,
-	3,&(lvalues[5763]),0},
+	3,&(lvalues[5757]),0},
 {"supportedApplicationContext","supportedApplicationContext",
-	NID_supportedApplicationContext,3,&(lvalues[5766]),0},
-{"member","member",NID_member,3,&(lvalues[5769]),0},
-{"owner","owner",NID_owner,3,&(lvalues[5772]),0},
-{"roleOccupant","roleOccupant",NID_roleOccupant,3,&(lvalues[5775]),0},
-{"seeAlso","seeAlso",NID_seeAlso,3,&(lvalues[5778]),0},
-{"userPassword","userPassword",NID_userPassword,3,&(lvalues[5781]),0},
+	NID_supportedApplicationContext,3,&(lvalues[5760]),0},
+{"member","member",NID_member,3,&(lvalues[5763]),0},
+{"owner","owner",NID_owner,3,&(lvalues[5766]),0},
+{"roleOccupant","roleOccupant",NID_roleOccupant,3,&(lvalues[5769]),0},
+{"seeAlso","seeAlso",NID_seeAlso,3,&(lvalues[5772]),0},
+{"userPassword","userPassword",NID_userPassword,3,&(lvalues[5775]),0},
 {"userCertificate","userCertificate",NID_userCertificate,3,
-	&(lvalues[5784]),0},
-{"cACertificate","cACertificate",NID_cACertificate,3,&(lvalues[5787]),0},
+	&(lvalues[5778]),0},
+{"cACertificate","cACertificate",NID_cACertificate,3,&(lvalues[5781]),0},
 {"authorityRevocationList","authorityRevocationList",
-	NID_authorityRevocationList,3,&(lvalues[5790]),0},
+	NID_authorityRevocationList,3,&(lvalues[5784]),0},
 {"certificateRevocationList","certificateRevocationList",
-	NID_certificateRevocationList,3,&(lvalues[5793]),0},
+	NID_certificateRevocationList,3,&(lvalues[5787]),0},
 {"crossCertificatePair","crossCertificatePair",
-	NID_crossCertificatePair,3,&(lvalues[5796]),0},
+	NID_crossCertificatePair,3,&(lvalues[5790]),0},
 {"enhancedSearchGuide","enhancedSearchGuide",NID_enhancedSearchGuide,
-	3,&(lvalues[5799]),0},
+	3,&(lvalues[5793]),0},
 {"protocolInformation","protocolInformation",NID_protocolInformation,
-	3,&(lvalues[5802]),0},
+	3,&(lvalues[5796]),0},
 {"distinguishedName","distinguishedName",NID_distinguishedName,3,
-	&(lvalues[5805]),0},
-{"uniqueMember","uniqueMember",NID_uniqueMember,3,&(lvalues[5808]),0},
+	&(lvalues[5799]),0},
+{"uniqueMember","uniqueMember",NID_uniqueMember,3,&(lvalues[5802]),0},
 {"houseIdentifier","houseIdentifier",NID_houseIdentifier,3,
-	&(lvalues[5811]),0},
+	&(lvalues[5805]),0},
 {"supportedAlgorithms","supportedAlgorithms",NID_supportedAlgorithms,
-	3,&(lvalues[5814]),0},
+	3,&(lvalues[5808]),0},
 {"deltaRevocationList","deltaRevocationList",NID_deltaRevocationList,
-	3,&(lvalues[5817]),0},
-{"dmdName","dmdName",NID_dmdName,3,&(lvalues[5820]),0},
+	3,&(lvalues[5811]),0},
+{"dmdName","dmdName",NID_dmdName,3,&(lvalues[5814]),0},
 {"id-alg-PWRI-KEK","id-alg-PWRI-KEK",NID_id_alg_PWRI_KEK,11,
-	&(lvalues[5823]),0},
+	&(lvalues[5817]),0},
 {"CMAC","cmac",NID_cmac,0,NULL,0},
-{"id-aes128-GCM","aes-128-gcm",NID_aes_128_gcm,9,&(lvalues[5834]),0},
-{"id-aes128-CCM","aes-128-ccm",NID_aes_128_ccm,9,&(lvalues[5843]),0},
+{"id-aes128-GCM","aes-128-gcm",NID_aes_128_gcm,9,&(lvalues[5828]),0},
+{"id-aes128-CCM","aes-128-ccm",NID_aes_128_ccm,9,&(lvalues[5837]),0},
 {"id-aes128-wrap-pad","id-aes128-wrap-pad",NID_id_aes128_wrap_pad,9,
-	&(lvalues[5852]),0},
-{"id-aes192-GCM","aes-192-gcm",NID_aes_192_gcm,9,&(lvalues[5861]),0},
-{"id-aes192-CCM","aes-192-ccm",NID_aes_192_ccm,9,&(lvalues[5870]),0},
+	&(lvalues[5846]),0},
+{"id-aes192-GCM","aes-192-gcm",NID_aes_192_gcm,9,&(lvalues[5855]),0},
+{"id-aes192-CCM","aes-192-ccm",NID_aes_192_ccm,9,&(lvalues[5864]),0},
 {"id-aes192-wrap-pad","id-aes192-wrap-pad",NID_id_aes192_wrap_pad,9,
-	&(lvalues[5879]),0},
-{"id-aes256-GCM","aes-256-gcm",NID_aes_256_gcm,9,&(lvalues[5888]),0},
-{"id-aes256-CCM","aes-256-ccm",NID_aes_256_ccm,9,&(lvalues[5897]),0},
+	&(lvalues[5873]),0},
+{"id-aes256-GCM","aes-256-gcm",NID_aes_256_gcm,9,&(lvalues[5882]),0},
+{"id-aes256-CCM","aes-256-ccm",NID_aes_256_ccm,9,&(lvalues[5891]),0},
 {"id-aes256-wrap-pad","id-aes256-wrap-pad",NID_id_aes256_wrap_pad,9,
-	&(lvalues[5906]),0},
+	&(lvalues[5900]),0},
 {"AES-128-CTR","aes-128-ctr",NID_aes_128_ctr,0,NULL,0},
 {"AES-192-CTR","aes-192-ctr",NID_aes_192_ctr,0,NULL,0},
 {"AES-256-CTR","aes-256-ctr",NID_aes_256_ctr,0,NULL,0},
 {"id-camellia128-wrap","id-camellia128-wrap",NID_id_camellia128_wrap,
-	11,&(lvalues[5915]),0},
+	11,&(lvalues[5909]),0},
 {"id-camellia192-wrap","id-camellia192-wrap",NID_id_camellia192_wrap,
-	11,&(lvalues[5926]),0},
+	11,&(lvalues[5920]),0},
 {"id-camellia256-wrap","id-camellia256-wrap",NID_id_camellia256_wrap,
-	11,&(lvalues[5937]),0},
+	11,&(lvalues[5931]),0},
 {"anyExtendedKeyUsage","Any Extended Key Usage",
-	NID_anyExtendedKeyUsage,4,&(lvalues[5948]),0},
-{"MGF1","mgf1",NID_mgf1,9,&(lvalues[5952]),0},
-{"RSASSA-PSS","rsassaPss",NID_rsassaPss,9,&(lvalues[5961]),0},
+	NID_anyExtendedKeyUsage,4,&(lvalues[5942]),0},
+{"MGF1","mgf1",NID_mgf1,9,&(lvalues[5946]),0},
+{"RSASSA-PSS","rsassaPss",NID_rsassaPss,9,&(lvalues[5955]),0},
 {"AES-128-XTS","aes-128-xts",NID_aes_128_xts,0,NULL,0},
 {"AES-256-XTS","aes-256-xts",NID_aes_256_xts,0,NULL,0},
 {"RC4-HMAC-MD5","rc4-hmac-md5",NID_rc4_hmac_md5,0,NULL,0},
@@ -2405,7 +2398,7 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 	NID_aes_192_cbc_hmac_sha1,0,NULL,0},
 {"AES-256-CBC-HMAC-SHA1","aes-256-cbc-hmac-sha1",
 	NID_aes_256_cbc_hmac_sha1,0,NULL,0},
-{"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5970]),0},
+{"RSAES-OAEP","rsaesOaep",NID_rsaesOaep,9,&(lvalues[5964]),0},
 };
 
 static const unsigned int sn_objs[NUM_SN]={
@@ -4242,15 +4235,15 @@ static const unsigned int ln_objs[NUM_LN]={
 
 static const unsigned int obj_objs[NUM_OBJ]={
  0,	/* OBJ_undef                        0 */
+181,	/* OBJ_iso                          1 */
 393,	/* OBJ_joint_iso_ccitt              OBJ_joint_iso_itu_t */
 404,	/* OBJ_ccitt                        OBJ_itu_t */
 645,	/* OBJ_itu_t                        0 */
+646,	/* OBJ_joint_iso_itu_t              2 */
 434,	/* OBJ_data                         0 9 */
-181,	/* OBJ_iso                          1 */
 182,	/* OBJ_member_body                  1 2 */
 379,	/* OBJ_org                          1 3 */
 676,	/* OBJ_identified_organization      1 3 */
-646,	/* OBJ_joint_iso_itu_t              2 */
 11,	/* OBJ_X500                         2 5 */
 647,	/* OBJ_international_organizations  2 23 */
 380,	/* OBJ_dod                          1 3 6 */
diff --git a/crypto/openssl/crypto/objects/obj_dat.pl b/crypto/openssl/crypto/objects/obj_dat.pl
index c67f71c3277b..86bcefb97af1 100644
--- a/crypto/openssl/crypto/objects/obj_dat.pl
+++ b/crypto/openssl/crypto/objects/obj_dat.pl
@@ -115,7 +115,7 @@ for ($i=0; $i<$n; $i++)
 		$out.="\"$sn\"";
 		$out.=","."\"$ln\"";
 		$out.=",NID_$nid{$i},";
-		if (defined($obj{$nid{$i}}))
+		if (defined($obj{$nid{$i}}) && $objd{$obj{$nid{$i}}} =~ /,/)
 			{
 			$v=$objd{$obj{$nid{$i}}};
 			$v =~ s/L//g;
diff --git a/crypto/openssl/crypto/objects/obj_xref.h b/crypto/openssl/crypto/objects/obj_xref.h
index e23938c29604..33cb24b0708b 100644
--- a/crypto/openssl/crypto/objects/obj_xref.h
+++ b/crypto/openssl/crypto/objects/obj_xref.h
@@ -43,9 +43,6 @@ static const nid_triple sigoid_srt[] =
 
 static const nid_triple * const sigoid_srt_xref[] =
 	{
-	&sigoid_srt[29],
-	&sigoid_srt[17],
-	&sigoid_srt[18],
 	&sigoid_srt[0],
 	&sigoid_srt[1],
 	&sigoid_srt[7],
diff --git a/crypto/openssl/crypto/objects/objxref.pl b/crypto/openssl/crypto/objects/objxref.pl
index 731d3ae22c27..6c4c832ab205 100755
--- a/crypto/openssl/crypto/objects/objxref.pl
+++ b/crypto/openssl/crypto/objects/objxref.pl
@@ -90,7 +90,10 @@ EOF
 
 foreach (@srt2)
 	{
-	my $x = $xref_tbl{$_}[2];
+	my ($p1, $p2, $x) = @{$xref_tbl{$_}};
+	# If digest or signature algorithm is "undef" then the algorithm
+	# needs special handling and is excluded from the cross reference table.
+	next if $p1 eq "undef" || $p2 eq "undef";
 	print "\t\&sigoid_srt\[$x\],\n";
 	}
 
diff --git a/crypto/openssl/crypto/ocsp/ocsp_ht.c b/crypto/openssl/crypto/ocsp/ocsp_ht.c
index af5fc16691d4..09eb855d4a08 100644
--- a/crypto/openssl/crypto/ocsp/ocsp_ht.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_ht.c
@@ -158,6 +158,8 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
 
 	OCSP_REQ_CTX *rctx;
 	rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
+	if (!rctx)
+		return NULL;
 	rctx->state = OHS_ERROR;
 	rctx->mem = BIO_new(BIO_s_mem());
 	rctx->io = io;
@@ -167,18 +169,21 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
 	else
 		rctx->iobuflen = OCSP_MAX_LINE_LEN;
 	rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
-	if (!rctx->iobuf)
-		return 0;
+	if (!rctx->mem || !rctx->iobuf)
+		goto err;
 	if (!path)
 		path = "/";
 
         if (BIO_printf(rctx->mem, post_hdr, path) <= 0)
-		return 0;
+		goto err;
 
 	if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
-		return 0;
+		goto err;
 
 	return rctx;
+	err:
+	OCSP_REQ_CTX_free(rctx);
+	return NULL;
 	}
 
 /* Parse the HTTP response. This will look like this:
@@ -490,6 +495,9 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
 
 	ctx = OCSP_sendreq_new(b, path, req, -1);
 
+	if (!ctx)
+		return NULL;
+
 	do
 		{
 		rv = OCSP_sendreq_nbio(&resp, ctx);
diff --git a/crypto/openssl/crypto/ocsp/ocsp_lib.c b/crypto/openssl/crypto/ocsp/ocsp_lib.c
index a94dc838eecb..5061c0578baa 100644
--- a/crypto/openssl/crypto/ocsp/ocsp_lib.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_lib.c
@@ -222,8 +222,19 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
 
 	if (!*ppath) goto mem_err;
 
+	p = host;
+	if(host[0] == '[')
+		{
+		/* ipv6 literal */
+		host++;
+		p = strchr(host, ']');
+		if(!p) goto parse_err;
+		*p = '\0';
+		p++;
+		}
+
 	/* Look for optional ':' for port number */
-	if ((p = strchr(host, ':')))
+	if ((p = strchr(p, ':')))
 		{
 		*p = 0;
 		port = p + 1;
diff --git a/crypto/openssl/crypto/ocsp/ocsp_vfy.c b/crypto/openssl/crypto/ocsp/ocsp_vfy.c
index 276718304dd2..fc0d4cc0f5f7 100644
--- a/crypto/openssl/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/openssl/crypto/ocsp/ocsp_vfy.c
@@ -436,8 +436,11 @@ static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm
 	if(!(flags & OCSP_NOINTERN))
 		{
 		signer = X509_find_by_subject(req->optionalSignature->certs, nm);
-		*psigner = signer;
-		return 1;
+		if (signer)
+			{
+			*psigner = signer;
+			return 1;
+			}
 		}
 
 	signer = X509_find_by_subject(certs, nm);
diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h
index b18f4da49661..7513d14c7530 100644
--- a/crypto/openssl/crypto/opensslconf.h
+++ b/crypto/openssl/crypto/opensslconf.h
@@ -1,6 +1,9 @@
 /* opensslconf.h */
 /* WARNING: Generated automatically from opensslconf.h.in by Configure. */
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
 /* OpenSSL was configured with the following options: */
 #ifndef OPENSSL_DOING_MAKEDEPEND
 
@@ -32,6 +35,9 @@
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
+#ifndef OPENSSL_NO_UNIT_TEST
+# define OPENSSL_NO_UNIT_TEST
+#endif
 
 #endif /* OPENSSL_DOING_MAKEDEPEND */
 
@@ -71,6 +77,9 @@
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
 # endif
+# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST)
+#  define NO_UNIT_TEST
+# endif
 #endif
 
 /* crypto/opensslconf.h.in */
@@ -227,3 +236,6 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
 
 #endif /* DES_DEFAULT_OPTIONS */
 #endif /* HEADER_DES_LOCL_H */
+#ifdef  __cplusplus
+}
+#endif
diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h
index 617c4f3dae94..03adc615749a 100644
--- a/crypto/openssl/crypto/opensslv.h
+++ b/crypto/openssl/crypto/opensslv.h
@@ -1,6 +1,10 @@
 #ifndef HEADER_OPENSSLV_H
 #define HEADER_OPENSSLV_H
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 /* Numeric release version identifier:
  * MNNFFPPS: major minor fix patch status
  * The status nibble has one of the values 0 for development, 1 to e for betas
@@ -25,11 +29,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000105fL
+#define OPENSSL_VERSION_NUMBER	0x100010cfL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1e-fips 11 Feb 2013"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1l-fips 15 Jan 2015"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1e-freebsd 11 Feb 2013"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1l-freebsd 15 Jan 2015"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
@@ -86,4 +90,7 @@
 #define SHLIB_VERSION_NUMBER "7"
 
 
+#ifdef  __cplusplus
+}
+#endif
 #endif /* HEADER_OPENSSLV_H */
diff --git a/crypto/openssl/crypto/ossl_typ.h b/crypto/openssl/crypto/ossl_typ.h
index ea9227f6f95a..12cdd43be9dc 100644
--- a/crypto/openssl/crypto/ossl_typ.h
+++ b/crypto/openssl/crypto/ossl_typ.h
@@ -55,6 +55,10 @@
 #ifndef HEADER_OPENSSL_TYPES_H
 #define HEADER_OPENSSL_TYPES_H
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
 #include <openssl/e_os2.h>
 
 #ifdef NO_ASN1_TYPEDEFS
@@ -199,4 +203,7 @@ typedef struct ocsp_req_ctx_st OCSP_REQ_CTX;
 typedef struct ocsp_response_st OCSP_RESPONSE;
 typedef struct ocsp_responder_id_st OCSP_RESPID;
 
+#ifdef  __cplusplus
+}
+#endif
 #endif /* def HEADER_OPENSSL_TYPES_H */
diff --git a/crypto/openssl/crypto/pariscid.pl b/crypto/openssl/crypto/pariscid.pl
index 477ec9b87dd7..bfc56fdc7fc0 100755
--- a/crypto/openssl/crypto/pariscid.pl
+++ b/crypto/openssl/crypto/pariscid.pl
@@ -97,33 +97,33 @@ OPENSSL_cleanse
 	.PROC
 	.CALLINFO	NO_CALLS
 	.ENTRY
-	cmpib,*=	0,$len,Ldone
+	cmpib,*=	0,$len,L\$done
 	nop
-	cmpib,*>>=	15,$len,Little
+	cmpib,*>>=	15,$len,L\$ittle
 	ldi		$SIZE_T-1,%r1
 
-Lalign
+L\$align
 	and,*<>		$inp,%r1,%r28
-	b,n		Laligned
+	b,n		L\$aligned
 	stb		%r0,0($inp)
 	ldo		-1($len),$len
-	b		Lalign
+	b		L\$align
 	ldo		1($inp),$inp
 
-Laligned
+L\$aligned
 	andcm		$len,%r1,%r28
-Lot
+L\$ot
 	$ST		%r0,0($inp)
-	addib,*<>	-$SIZE_T,%r28,Lot
+	addib,*<>	-$SIZE_T,%r28,L\$ot
 	ldo		$SIZE_T($inp),$inp
 
 	and,*<>		$len,%r1,$len
-	b,n		Ldone
-Little
+	b,n		L\$done
+L\$ittle
 	stb		%r0,0($inp)
-	addib,*<>	-1,$len,Little
+	addib,*<>	-1,$len,L\$ittle
 	ldo		1($inp),$inp
-Ldone
+L\$done
 	bv		($rp)
 	.EXIT
 	nop
@@ -151,7 +151,7 @@ OPENSSL_instrument_bus
 	ldw		0($out),$tick
 	add		$diff,$tick,$tick
 	stw		$tick,0($out)
-Loop
+L\$oop
 	mfctl		%cr16,$tick
 	sub		$tick,$lasttick,$diff
 	copy		$tick,$lasttick
@@ -161,7 +161,7 @@ Loop
 	add		$diff,$tick,$tick
 	stw		$tick,0($out)
 
-	addib,<>	-1,$cnt,Loop
+	addib,<>	-1,$cnt,L\$oop
 	addi		4,$out,$out
 
 	bv		($rp)
@@ -190,14 +190,14 @@ OPENSSL_instrument_bus2
 	mfctl		%cr16,$tick
 	sub		$tick,$lasttick,$diff
 	copy		$tick,$lasttick
-Loop2
+L\$oop2
 	copy		$diff,$lastdiff
 	fdc		0($out)
 	ldw		0($out),$tick
 	add		$diff,$tick,$tick
 	stw		$tick,0($out)
 
-	addib,=		-1,$max,Ldone2
+	addib,=		-1,$max,L\$done2
 	nop
 
 	mfctl		%cr16,$tick
@@ -208,17 +208,18 @@ Loop2
 
 	ldi		1,%r1
 	xor		%r1,$tick,$tick
-	addb,<>		$tick,$cnt,Loop2
+	addb,<>		$tick,$cnt,L\$oop2
 	shladd,l	$tick,2,$out,$out
-Ldone2
+L\$done2
 	bv		($rp)
 	.EXIT
 	add		$rv,$cnt,$rv
 	.PROCEND
 ___
 }
-$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4);
-$code =~ s/,\*/,/gm if ($SIZE_T==4);
+$code =~ s/cmpib,\*/comib,/gm	if ($SIZE_T==4);
+$code =~ s/,\*/,/gm		if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm	if ($SIZE_T==8);
 print $code;
 close STDOUT;
 
diff --git a/crypto/openssl/crypto/pem/pem_info.c b/crypto/openssl/crypto/pem/pem_info.c
index 1b2be527edde..cc7f24a9c1cf 100644
--- a/crypto/openssl/crypto/pem/pem_info.c
+++ b/crypto/openssl/crypto/pem/pem_info.c
@@ -167,6 +167,7 @@ start:
 #ifndef OPENSSL_NO_RSA
 			if (strcmp(name,PEM_STRING_RSA) == 0)
 			{
+			d2i=(D2I_OF(void))d2i_RSAPrivateKey;
 			if (xi->x_pkey != NULL) 
 				{
 				if (!sk_X509_INFO_push(ret,xi)) goto err;
diff --git a/crypto/openssl/crypto/pem/pvkfmt.c b/crypto/openssl/crypto/pem/pvkfmt.c
index b1bf71a5daad..ae89f8281a82 100644
--- a/crypto/openssl/crypto/pem/pvkfmt.c
+++ b/crypto/openssl/crypto/pem/pvkfmt.c
@@ -759,6 +759,11 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
 		/* Copy BLOBHEADER across, decrypt rest */
 		memcpy(enctmp, p, 8);
 		p += 8;
+		if (keylen < 8)
+			{
+			PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT);
+			return NULL;
+			}
 		inlen = keylen - 8;
 		q = enctmp + 8;
 		if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
diff --git a/crypto/openssl/crypto/pkcs12/p12_crt.c b/crypto/openssl/crypto/pkcs12/p12_crt.c
index 96b131defa0c..35e8a4a8d4ba 100644
--- a/crypto/openssl/crypto/pkcs12/p12_crt.c
+++ b/crypto/openssl/crypto/pkcs12/p12_crt.c
@@ -90,7 +90,18 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
 	/* Set defaults */
 	if (!nid_cert)
+		{
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+		else
+#endif
+#ifdef OPENSSL_NO_RC2
+		nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+#else
 		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+#endif
+		}
 	if (!nid_key)
 		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 	if (!iter)
@@ -279,7 +290,11 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
 		free_safes = 0;
 
 	if (nid_safe == 0)
+#ifdef OPENSSL_NO_RC2
+		nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+#else
 		nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
+#endif
 
 	if (nid_safe == -1)
 		p7 = PKCS12_pack_p7data(bags);
diff --git a/crypto/openssl/crypto/pkcs12/p12_kiss.c b/crypto/openssl/crypto/pkcs12/p12_kiss.c
index 206b1b0b18ab..c9b7ab61d1bd 100644
--- a/crypto/openssl/crypto/pkcs12/p12_kiss.c
+++ b/crypto/openssl/crypto/pkcs12/p12_kiss.c
@@ -269,7 +269,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 			int len, r;
 			unsigned char *data;
 			len = ASN1_STRING_to_UTF8(&data, fname);
-			if(len > 0) {
+			if(len >= 0) {
 				r = X509_alias_set1(x509, data, len);
 				OPENSSL_free(data);
 				if (!r)
diff --git a/crypto/openssl/crypto/pkcs7/Makefile b/crypto/openssl/crypto/pkcs7/Makefile
index 56dc6823d123..effe05fc043d 100644
--- a/crypto/openssl/crypto/pkcs7/Makefile
+++ b/crypto/openssl/crypto/pkcs7/Makefile
@@ -39,20 +39,6 @@ test:
 
 all:	lib
 
-testapps: enc dec sign verify
-
-enc: enc.o lib
-	$(CC) $(CFLAGS) -o enc enc.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
-
-dec: dec.o lib
-	$(CC) $(CFLAGS) -o dec dec.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
-
-sign: sign.o lib
-	$(CC) $(CFLAGS) -o sign sign.o $(PEX_LIBS) $(LIB) $(EX_LIBS)
-
-verify: verify.o example.o lib
-	$(CC) $(CFLAGS) -o verify verify.o $(PEX_LIBS) example.o $(LIB) $(EX_LIBS)
-
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
diff --git a/crypto/openssl/crypto/pkcs7/bio_ber.c b/crypto/openssl/crypto/pkcs7/bio_ber.c
deleted file mode 100644
index 31973fcd1fc5..000000000000
--- a/crypto/openssl/crypto/pkcs7/bio_ber.c
+++ /dev/null
@@ -1,466 +0,0 @@
-/* crypto/evp/bio_ber.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <errno.h>
-#include "cryptlib.h"
-#include <openssl/buffer.h>
-#include <openssl/evp.h>
-
-static int ber_write(BIO *h,char *buf,int num);
-static int ber_read(BIO *h,char *buf,int size);
-/*static int ber_puts(BIO *h,char *str); */
-/*static int ber_gets(BIO *h,char *str,int size); */
-static long ber_ctrl(BIO *h,int cmd,long arg1,char *arg2);
-static int ber_new(BIO *h);
-static int ber_free(BIO *data);
-static long ber_callback_ctrl(BIO *h,int cmd,void *(*fp)());
-#define BER_BUF_SIZE	(32)
-
-/* This is used to hold the state of the BER objects being read. */
-typedef struct ber_struct
-	{
-	int tag;
-	int class;
-	long length;
-	int inf;
-	int num_left;
-	int depth;
-	} BER_CTX;
-
-typedef struct bio_ber_struct
-	{
-	int tag;
-	int class;
-	long length;
-	int inf;
-
-	/* most of the following are used when doing non-blocking IO */
-	/* reading */
-	long num_left;	/* number of bytes still to read/write in block */
-	int depth;	/* used with indefinite encoding. */
-	int finished;	/* No more read data */
-
-	/* writting */ 
-	char *w_addr;
-	int w_offset;
-	int w_left;
-
-	int buf_len;
-	int buf_off;
-	unsigned char buf[BER_BUF_SIZE];
-	} BIO_BER_CTX;
-
-static BIO_METHOD methods_ber=
-	{
-	BIO_TYPE_CIPHER,"cipher",
-	ber_write,
-	ber_read,
-	NULL, /* ber_puts, */
-	NULL, /* ber_gets, */
-	ber_ctrl,
-	ber_new,
-	ber_free,
-	ber_callback_ctrl,
-	};
-
-BIO_METHOD *BIO_f_ber(void)
-	{
-	return(&methods_ber);
-	}
-
-static int ber_new(BIO *bi)
-	{
-	BIO_BER_CTX *ctx;
-
-	ctx=(BIO_BER_CTX *)OPENSSL_malloc(sizeof(BIO_BER_CTX));
-	if (ctx == NULL) return(0);
-
-	memset((char *)ctx,0,sizeof(BIO_BER_CTX));
-
-	bi->init=0;
-	bi->ptr=(char *)ctx;
-	bi->flags=0;
-	return(1);
-	}
-
-static int ber_free(BIO *a)
-	{
-	BIO_BER_CTX *b;
-
-	if (a == NULL) return(0);
-	b=(BIO_BER_CTX *)a->ptr;
-	OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX));
-	OPENSSL_free(a->ptr);
-	a->ptr=NULL;
-	a->init=0;
-	a->flags=0;
-	return(1);
-	}
-
-int bio_ber_get_header(BIO *bio, BIO_BER_CTX *ctx)
-	{
-	char buf[64];
-	int i,j,n;
-	int ret;
-	unsigned char *p;
-	unsigned long length
-	int tag;
-	int class;
-	long max;
-
-	BIO_clear_retry_flags(b);
-
-	/* Pack the buffer down if there is a hole at the front */
-	if (ctx->buf_off != 0)
-		{
-		p=ctx->buf;
-		j=ctx->buf_off;
-		n=ctx->buf_len-j;
-		for (i=0; i<n; i++)
-			{
-			p[0]=p[j];
-			p++;
-			}
-		ctx->buf_len-j;
-		ctx->buf_off=0;
-		}
-
-	/* If there is more room, read some more data */
-	i=BER_BUF_SIZE-ctx->buf_len;
-	if (i)
-		{
-		i=BIO_read(bio->next_bio,&(ctx->buf[ctx->buf_len]),i);
-		if (i <= 0)
-			{
-			BIO_copy_next_retry(b);
-			return(i);
-			}
-		else
-			ctx->buf_len+=i;
-		}
-
-	max=ctx->buf_len;
-	p=ctx->buf;
-	ret=ASN1_get_object(&p,&length,&tag,&class,max);
-
-	if (ret & 0x80)
-		{
-		if ((ctx->buf_len < BER_BUF_SIZE) &&
-			(ERR_GET_REASON(ERR_peek_error()) == ASN1_R_TOO_LONG))
-			{
-			ERR_clear_error(); /* clear the error */
-			BIO_set_retry_read(b);
-			}
-		return(-1);
-		}
-
-	/* We have no error, we have a header, so make use of it */
-
-	if ((ctx->tag  >= 0) && (ctx->tag != tag))
-		{
-		BIOerr(BIO_F_BIO_BER_GET_HEADER,BIO_R_TAG_MISMATCH);
-		sprintf(buf,"tag=%d, got %d",ctx->tag,tag);
-		ERR_add_error_data(1,buf);
-		return(-1);
-		}
-	if (ret & 0x01)
-	if (ret & V_ASN1_CONSTRUCTED)
-	}
-	
-static int ber_read(BIO *b, char *out, int outl)
-	{
-	int ret=0,i,n;
-	BIO_BER_CTX *ctx;
-
-	BIO_clear_retry_flags(b);
-
-	if (out == NULL) return(0);
-	ctx=(BIO_BER_CTX *)b->ptr;
-
-	if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
-
-	if (ctx->finished) return(0);
-
-again:
-	/* First see if we are half way through reading a block */
-	if (ctx->num_left > 0)
-		{
-		if (ctx->num_left < outl)
-			n=ctx->num_left;
-		else
-			n=outl;
-		i=BIO_read(b->next_bio,out,n);
-		if (i <= 0)
-			{
-			BIO_copy_next_retry(b);
-			return(i);
-			}
-		ctx->num_left-=i;
-		outl-=i;
-		ret+=i;
-		if (ctx->num_left <= 0)
-			{
-			ctx->depth--;
-			if (ctx->depth <= 0)
-				ctx->finished=1;
-			}
-		if (outl <= 0)
-			return(ret);
-		else
-			goto again;
-		}
-	else	/* we need to read another BER header */
-		{
-		}
-	}
-
-static int ber_write(BIO *b, char *in, int inl)
-	{
-	int ret=0,n,i;
-	BIO_ENC_CTX *ctx;
-
-	ctx=(BIO_ENC_CTX *)b->ptr;
-	ret=inl;
-
-	BIO_clear_retry_flags(b);
-	n=ctx->buf_len-ctx->buf_off;
-	while (n > 0)
-		{
-		i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
-		if (i <= 0)
-			{
-			BIO_copy_next_retry(b);
-			return(i);
-			}
-		ctx->buf_off+=i;
-		n-=i;
-		}
-	/* at this point all pending data has been written */
-
-	if ((in == NULL) || (inl <= 0)) return(0);
-
-	ctx->buf_off=0;
-	while (inl > 0)
-		{
-		n=(inl > ENC_BLOCK_SIZE)?ENC_BLOCK_SIZE:inl;
-		EVP_CipherUpdate(&(ctx->cipher),
-			(unsigned char *)ctx->buf,&ctx->buf_len,
-			(unsigned char *)in,n);
-		inl-=n;
-		in+=n;
-
-		ctx->buf_off=0;
-		n=ctx->buf_len;
-		while (n > 0)
-			{
-			i=BIO_write(b->next_bio,&(ctx->buf[ctx->buf_off]),n);
-			if (i <= 0)
-				{
-				BIO_copy_next_retry(b);
-				return(i);
-				}
-			n-=i;
-			ctx->buf_off+=i;
-			}
-		ctx->buf_len=0;
-		ctx->buf_off=0;
-		}
-	BIO_copy_next_retry(b);
-	return(ret);
-	}
-
-static long ber_ctrl(BIO *b, int cmd, long num, char *ptr)
-	{
-	BIO *dbio;
-	BIO_ENC_CTX *ctx,*dctx;
-	long ret=1;
-	int i;
-
-	ctx=(BIO_ENC_CTX *)b->ptr;
-
-	switch (cmd)
-		{
-	case BIO_CTRL_RESET:
-		ctx->ok=1;
-		ctx->finished=0;
-		EVP_CipherInit_ex(&(ctx->cipher),NULL,NULL,NULL,NULL,
-			ctx->cipher.berrypt);
-		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
-		break;
-	case BIO_CTRL_EOF:	/* More to read */
-		if (ctx->cont <= 0)
-			ret=1;
-		else
-			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
-		break;
-	case BIO_CTRL_WPENDING:
-		ret=ctx->buf_len-ctx->buf_off;
-		if (ret <= 0)
-			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
-		break;
-	case BIO_CTRL_PENDING: /* More to read in buffer */
-		ret=ctx->buf_len-ctx->buf_off;
-		if (ret <= 0)
-			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
-		break;
-	case BIO_CTRL_FLUSH:
-		/* do a final write */
-again:
-		while (ctx->buf_len != ctx->buf_off)
-			{
-			i=ber_write(b,NULL,0);
-			if (i < 0)
-				{
-				ret=i;
-				break;
-				}
-			}
-
-		if (!ctx->finished)
-			{
-			ctx->finished=1;
-			ctx->buf_off=0;
-			ret=EVP_CipherFinal_ex(&(ctx->cipher),
-				(unsigned char *)ctx->buf,
-				&(ctx->buf_len));
-			ctx->ok=(int)ret;
-			if (ret <= 0) break;
-
-			/* push out the bytes */
-			goto again;
-			}
-		
-		/* Finally flush the underlying BIO */
-		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
-		break;
-	case BIO_C_GET_CIPHER_STATUS:
-		ret=(long)ctx->ok;
-		break;
-	case BIO_C_DO_STATE_MACHINE:
-		BIO_clear_retry_flags(b);
-		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
-		BIO_copy_next_retry(b);
-		break;
-
-	case BIO_CTRL_DUP:
-		dbio=(BIO *)ptr;
-		dctx=(BIO_ENC_CTX *)dbio->ptr;
-		memcpy(&(dctx->cipher),&(ctx->cipher),sizeof(ctx->cipher));
-		dbio->init=1;
-		break;
-	default:
-		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
-		break;
-		}
-	return(ret);
-	}
-
-static long ber_callback_ctrl(BIO *b, int cmd, void *(*fp)())
-	{
-	long ret=1;
-
-	if (b->next_bio == NULL) return(0);
-	switch (cmd)
-		{
-	default:
-		ret=BIO_callback_ctrl(b->next_bio,cmd,fp);
-		break;
-		}
-	return(ret);
-	}
-
-/*
-void BIO_set_cipher_ctx(b,c)
-BIO *b;
-EVP_CIPHER_ctx *c;
-	{
-	if (b == NULL) return;
-
-	if ((b->callback != NULL) &&
-		(b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,0L) <= 0))
-		return;
-
-	b->init=1;
-	ctx=(BIO_ENC_CTX *)b->ptr;
-	memcpy(ctx->cipher,c,sizeof(EVP_CIPHER_CTX));
-	
-	if (b->callback != NULL)
-		b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,1L);
-	}
-*/
-
-void BIO_set_cipher(BIO *b, EVP_CIPHER *c, unsigned char *k, unsigned char *i,
-	     int e)
-	{
-	BIO_ENC_CTX *ctx;
-
-	if (b == NULL) return;
-
-	if ((b->callback != NULL) &&
-		(b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,0L) <= 0))
-		return;
-
-	b->init=1;
-	ctx=(BIO_ENC_CTX *)b->ptr;
-	EVP_CipherInit_ex(&(ctx->cipher),c,NULL,k,i,e);
-	
-	if (b->callback != NULL)
-		b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,1L);
-	}
-
diff --git a/crypto/openssl/crypto/pkcs7/dec.c b/crypto/openssl/crypto/pkcs7/dec.c
deleted file mode 100644
index 6752ec568a91..000000000000
--- a/crypto/openssl/crypto/pkcs7/dec.c
+++ /dev/null
@@ -1,248 +0,0 @@
-/* crypto/pkcs7/verify.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/bio.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/err.h>
-#include <openssl/asn1.h>
-
-int verify_callback(int ok, X509_STORE_CTX *ctx);
-
-BIO *bio_err=NULL;
-
-int main(argc,argv)
-int argc;
-char *argv[];
-	{
-	char *keyfile=NULL;
-	BIO *in;
-	EVP_PKEY *pkey;
-	X509 *x509;
-	PKCS7 *p7;
-	PKCS7_SIGNER_INFO *si;
-	X509_STORE_CTX cert_ctx;
-	X509_STORE *cert_store=NULL;
-	BIO *data,*detached=NULL,*p7bio=NULL;
-	char buf[1024*4];
-	unsigned char *pp;
-	int i,printit=0;
-	STACK_OF(PKCS7_SIGNER_INFO) *sk;
-
-	OpenSSL_add_all_algorithms();
-	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
-
-	data=BIO_new(BIO_s_file());
-	pp=NULL;
-	while (argc > 1)
-		{
-		argc--;
-		argv++;
-		if (strcmp(argv[0],"-p") == 0)
-			{
-			printit=1;
-			}
-		else if ((strcmp(argv[0],"-k") == 0) && (argc >= 2)) {
-			keyfile = argv[1];
-			argc-=1;
-			argv+=1;
-		} else if ((strcmp(argv[0],"-d") == 0) && (argc >= 2))
-			{
-			detached=BIO_new(BIO_s_file());
-			if (!BIO_read_filename(detached,argv[1]))
-				goto err;
-			argc-=1;
-			argv+=1;
-			}
-		else break;
-		}
-
-	 if (!BIO_read_filename(data,argv[0])) goto err; 
-
-	if(!keyfile) {
-		fprintf(stderr, "No private key file specified\n");
-		goto err;
-	}
-
-        if ((in=BIO_new_file(keyfile,"r")) == NULL) goto err;
-        if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
-        BIO_reset(in);
-        if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL)
-		goto err;
-        BIO_free(in);
-
-	if (pp == NULL)
-		BIO_set_fp(data,stdin,BIO_NOCLOSE);
-
-
-	/* Load the PKCS7 object from a file */
-	if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL,NULL)) == NULL) goto err;
-
-
-
-	/* This stuff is being setup for certificate verification.
-	 * When using SSL, it could be replaced with a 
-	 * cert_stre=SSL_CTX_get_cert_store(ssl_ctx); */
-	cert_store=X509_STORE_new();
-	X509_STORE_set_default_paths(cert_store);
-	X509_STORE_load_locations(cert_store,NULL,"../../certs");
-	X509_STORE_set_verify_cb_func(cert_store,verify_callback);
-
-	ERR_clear_error();
-
-	/* We need to process the data */
-	/* We cannot support detached encryption */
-	p7bio=PKCS7_dataDecode(p7,pkey,detached,x509);
-
-	if (p7bio == NULL)
-		{
-		printf("problems decoding\n");
-		goto err;
-		}
-
-	/* We now have to 'read' from p7bio to calculate digests etc. */
-	for (;;)
-		{
-		i=BIO_read(p7bio,buf,sizeof(buf));
-		/* print it? */
-		if (i <= 0) break;
-		fwrite(buf,1, i, stdout);
-		}
-
-	/* We can now verify signatures */
-	sk=PKCS7_get_signer_info(p7);
-	if (sk == NULL)
-		{
-		fprintf(stderr, "there are no signatures on this data\n");
-		}
-	else
-		{
-		/* Ok, first we need to, for each subject entry,
-		 * see if we can verify */
-		ERR_clear_error();
-		for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
-			{
-			si=sk_PKCS7_SIGNER_INFO_value(sk,i);
-			i=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si);
-			if (i <= 0)
-				goto err;
-			else
-				fprintf(stderr,"Signature verified\n");
-			}
-		}
-	X509_STORE_free(cert_store);
-
-	exit(0);
-err:
-	ERR_load_crypto_strings();
-	ERR_print_errors_fp(stderr);
-	exit(1);
-	}
-
-/* should be X509 * but we can just have them as char *. */
-int verify_callback(int ok, X509_STORE_CTX *ctx)
-	{
-	char buf[256];
-	X509 *err_cert;
-	int err,depth;
-
-	err_cert=X509_STORE_CTX_get_current_cert(ctx);
-	err=	X509_STORE_CTX_get_error(ctx);
-	depth=	X509_STORE_CTX_get_error_depth(ctx);
-
-	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
-	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
-	if (!ok)
-		{
-		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
-			X509_verify_cert_error_string(err));
-		if (depth < 6)
-			{
-			ok=1;
-			X509_STORE_CTX_set_error(ctx,X509_V_OK);
-			}
-		else
-			{
-			ok=0;
-			X509_STORE_CTX_set_error(ctx,X509_V_ERR_CERT_CHAIN_TOO_LONG);
-			}
-		}
-	switch (ctx->error)
-		{
-	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
-		BIO_printf(bio_err,"issuer= %s\n",buf);
-		break;
-	case X509_V_ERR_CERT_NOT_YET_VALID:
-	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-		BIO_printf(bio_err,"notBefore=");
-		ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
-		BIO_printf(bio_err,"\n");
-		break;
-	case X509_V_ERR_CERT_HAS_EXPIRED:
-	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-		BIO_printf(bio_err,"notAfter=");
-		ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
-		BIO_printf(bio_err,"\n");
-		break;
-		}
-	BIO_printf(bio_err,"verify return:%d\n",ok);
-	return(ok);
-	}
diff --git a/crypto/openssl/crypto/pkcs7/des.pem b/crypto/openssl/crypto/pkcs7/des.pem
deleted file mode 100644
index 62d1657e3e79..000000000000
--- a/crypto/openssl/crypto/pkcs7/des.pem
+++ /dev/null
@@ -1,15 +0,0 @@
-
-MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
-A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
-ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEC2vXI1xQDW6lUHM3zQ
-/9uBEBOO5A3TtkrklAXq7v01gsIC21t52qSk36REXY+slhNZ0OQ349tgkTsoETHFLoEwMIHw
-AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
-QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
-UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
-CSqGSIb3DQEBAQUABEB8ujxbabxXUYJhopuDm3oDq4JNqX6Io4p3ro+ShqfIndsXTZ1v5a2N
-WtLLCWlHn/habjBwZ/DgQgcKASbZ7QxNMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
-oAQIbsL5v1wX98KggAQoAaJ4WHm68fXY1WE5OIjfVBIDpO1K+i8dmKhjnAjrjoyZ9Bwc8rDL
-lgQg4CXb805h5xl+GfvSwUaHJayte1m2mcOhs3J2YyqbQ+MEIMIiJQccmhO3oDKm36CFvYR8
-5PjpclVcZyX2ngbwPFMnBAgy0clOAE6UKAAAAAAAAAAAAAA=
-
diff --git a/crypto/openssl/crypto/pkcs7/doc b/crypto/openssl/crypto/pkcs7/doc
deleted file mode 100644
index d2e8b7b2a3df..000000000000
--- a/crypto/openssl/crypto/pkcs7/doc
+++ /dev/null
@@ -1,24 +0,0 @@
-int PKCS7_set_content_type(PKCS7 *p7, int type);
-Call to set the type of PKCS7 object we are working on
-
-int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
-	EVP_MD *dgst);
-Use this to setup a signer info
-There will also be functions to add signed and unsigned attributes.
-
-int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i);
-Add a signer info to the content.
-
-int PKCS7_add_certificae(PKCS7 *p7, X509 *x509);
-int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
-
-----
-
-p7=PKCS7_new();
-PKCS7_set_content_type(p7,NID_pkcs7_signed);
-
-signer=PKCS7_SINGNER_INFO_new();
-PKCS7_SIGNER_INFO_set(signer,x509,pkey,EVP_md5());
-PKCS7_add_signer(py,signer);
-
-we are now setup.
diff --git a/crypto/openssl/crypto/pkcs7/enc.c b/crypto/openssl/crypto/pkcs7/enc.c
deleted file mode 100644
index 7417f8a4e00b..000000000000
--- a/crypto/openssl/crypto/pkcs7/enc.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* crypto/pkcs7/enc.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <string.h>
-#include <openssl/bio.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/err.h>
-
-int main(argc,argv)
-int argc;
-char *argv[];
-	{
-	X509 *x509;
-	PKCS7 *p7;
-	BIO *in;
-	BIO *data,*p7bio;
-	char buf[1024*4];
-	int i;
-	int nodetach=1;
-	char *keyfile = NULL;
-	const EVP_CIPHER *cipher=NULL;
-	STACK_OF(X509) *recips=NULL;
-
-	OpenSSL_add_all_algorithms();
-
-	data=BIO_new(BIO_s_file());
-	while(argc > 1)
-		{
-		if (strcmp(argv[1],"-nd") == 0)
-			{
-			nodetach=1;
-			argv++; argc--;
-			}
-		else if ((strcmp(argv[1],"-c") == 0) && (argc >= 2)) {
-			if(!(cipher = EVP_get_cipherbyname(argv[2]))) {
-				fprintf(stderr, "Unknown cipher %s\n", argv[2]);
-				goto err;
-			}
-			argc-=2;
-			argv+=2;
-		} else if ((strcmp(argv[1],"-k") == 0) && (argc >= 2)) {
-			keyfile = argv[2];
-			argc-=2;
-			argv+=2;
-			if (!(in=BIO_new_file(keyfile,"r"))) goto err;
-			if (!(x509=PEM_read_bio_X509(in,NULL,NULL,NULL)))
-				goto err;
-			if(!recips) recips = sk_X509_new_null();
-			sk_X509_push(recips, x509);
-			BIO_free(in);
-		} else break;
-	}
-
-	if(!recips) {
-		fprintf(stderr, "No recipients\n");
-		goto err;
-	}
-
-	if (!BIO_read_filename(data,argv[1])) goto err;
-
-	p7=PKCS7_new();
-#if 0
-	BIO_reset(in);
-	if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL)) == NULL) goto err;
-	BIO_free(in);
-	PKCS7_set_type(p7,NID_pkcs7_signedAndEnveloped);
-	 
-	if (PKCS7_add_signature(p7,x509,pkey,EVP_sha1()) == NULL) goto err;
-	/* we may want to add more */
-	PKCS7_add_certificate(p7,x509);
-#else
-	PKCS7_set_type(p7,NID_pkcs7_enveloped);
-#endif
-	if(!cipher)	{
-#ifndef OPENSSL_NO_DES
-		cipher = EVP_des_ede3_cbc();
-#else
-		fprintf(stderr, "No cipher selected\n");
-		goto err;
-#endif
-	}
-
-	if (!PKCS7_set_cipher(p7,cipher)) goto err;
-	for(i = 0; i < sk_X509_num(recips); i++) {
-		if (!PKCS7_add_recipient(p7,sk_X509_value(recips, i))) goto err;
-	}
-	sk_X509_pop_free(recips, X509_free);
-
-	/* Set the content of the signed to 'data' */
-	/* PKCS7_content_new(p7,NID_pkcs7_data); not used in envelope */
-
-	/* could be used, but not in this version :-)
-	if (!nodetach) PKCS7_set_detached(p7,1);
-	*/
-
-	if ((p7bio=PKCS7_dataInit(p7,NULL)) == NULL) goto err;
-
-	for (;;)
-		{
-		i=BIO_read(data,buf,sizeof(buf));
-		if (i <= 0) break;
-		BIO_write(p7bio,buf,i);
-		}
-	BIO_flush(p7bio);
-
-	if (!PKCS7_dataFinal(p7,p7bio)) goto err;
-	BIO_free(p7bio);
-
-	PEM_write_PKCS7(stdout,p7);
-	PKCS7_free(p7);
-
-	exit(0);
-err:
-	ERR_load_crypto_strings();
-	ERR_print_errors_fp(stderr);
-	exit(1);
-	}
-
diff --git a/crypto/openssl/crypto/pkcs7/es1.pem b/crypto/openssl/crypto/pkcs7/es1.pem
deleted file mode 100644
index 47112a238fd2..000000000000
--- a/crypto/openssl/crypto/pkcs7/es1.pem
+++ /dev/null
@@ -1,66 +0,0 @@
------BEGIN PKCS7-----
-MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
-A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
-ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqGSIb3DQEBAQUABEDWak0y/5XZJhQJeCLo
-KECcHXkTEbjzYkYNHIinbiPmRK4QbNfs9z2mA3z/c2ykQ4eAqFR2jyNrUMN/+I5XEiv6MIHw
-AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
-QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
-UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
-CSqGSIb3DQEBAQUABEAWg9+KgtCjc77Jdj1Ve4wGgHjVHbbSYEA1ZqKFDoi15vSr9hfpHmC4
-ycZzcRo16JkTfolefiHZzmyjVz94vSN6MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
-oAQI7X4Tk4mcbV6ggASBsHl1mCaJ3RhXWlNPCgCRU53d7M5x6TDZRkvwdtdvW96m1lupT03F
-XtonkBqk7oMkH7kGfs5/REQOPjx0QE2Ixmgt1W3szum82EZwA7pZNppcraK7W/odw/7bYZO+
-II3HPmRklE2N9qiu1LPaPUsnYogkO6SennyeL5tZ382vBweL/8pnG0qsbT1OBb65v+llnsjT
-pa1T/p+fIx/iJJGE6K9fYFokC6gXLQ6ozXRdOu5oBDB8mPCYYvAqKycidM/MrGGUkpEtS4f0
-lS31PwQi5YTim8Ig3/TOwVpPX32i46FTuEIEIMHkD/OvpfwCCzXUHHJnKnKUAUvIsSY3vGBs
-8ezpUDfBBBj9LHDy32hZ2tQilkDefP5VM2LLdrWgamYEgfiyITQvn08Ul5lQOQxbFKBheFq5
-otCCN4MR+w5eq12xQu6y+f9z0159ag2ru87D0lLtUtXXtCELbO1nUkT2sJ0k/iDs9TOXr6Cx
-go1XKYho83hlkXYiCteVizdAbgVGNsNRD4wtIdajsorET/LuJECgp11YeL9w1dlDB0HLEZfi
-XCsUphH4jGagba3hDeUSibnjSiJlN0ukfuQurBBbI2UkBAujiEAubKPn7C1FZJRSw6CPPX5t
-KEpmcqT1JNk6LO8Js6/1sCmmBh1VGCy1+EuTI9J1p7Dagf4nQ8cHitoCRpHuKZlFHnZyv7tw
-Rn/KOhHaYP2VzAh40gQIvKMAAWh9oFsEEIMwIoOmLwLH5wf+8QdbDhoECH8HwZt9a12dBAjL
-r4j2zlvtfgQIt7nmEM3wz1EECKlc3EIy1irCBBCAKINcermK3A+jI6ISN2RzBFA3dsh/xwMu
-l61aWMBBZzEz/SF92k6n35KZhCC0d6fIVC/1WMv0fnCwQ8oEDynSre216VEFiYKBaQLJe5o/
-mTAxC7Ht3goXnuc+i1FItOkLrgRI/wyvTICEn2WsNZiMADnGaee2bqPnUopo+VMGexJEtCPk
-l0ZNlDJGquPDkpUwaEtecVZzCNyVPYyyF4J/l8rmGDhDdYUIC8IKBEg/ip/E0BuubBLWVbv+
-HRl4QrnGpyCyeXRXXK603QP3sT1Zbbm1v5pI/loOhVHi724LmtXHSyp5qv9MDcxE1PoX10LY
-gBRtlwwESPeCF8bK5jk4xIQMhK5NMHj1Y1KQWTZ9NGITBL4hjRq2qp4Qk5GIpGgOVPopAuCo
-TIyPikpqBRNtLSPRSsDs6QPUPzWBh6JgxwRQblnDKKUkxUcnJiD4i9QtGa/ZabMn4KxtNOBL
-5JSh1nJkaLXCZY070131WWPAByLcd5TiXq8x84pmzV5NNk4tiMpoXhJNsx8e4rskQQlKd6ME
-SCe2eYDHKcKPX3WJbUzhrJSQ92/aWnI2iUY8WQ+kSNyiZ2QUjyuUg9Z66g/0d2STlvPOBHT/
-y5ODP2CwbcWX4QmCbUc9TT66fQRIrRVuwvtOfnUueyGgYhJ3HpAJfVaB/7kap5bj7Fi/azW4
-9JDfd1bC/W9h0Kyk7RO2gxvE0hIHc26mZJHTm9MNP5D328MnM2MdBEjKjQBtgrp+lFIii7MP
-nGHFTKUkG4WAIZJCf/CsT+p6/SW0qG71Me/YcSw5STB24j+a+HgMV8RVIeUlkP4z0IWWrSoB
-Gh4d/Z0EUMCVHs/HZ/bWgiyhtHpvuVAzidm8D81p1LJ5BQX5/5f/m+q5+fS/npL27dTEbNqs
-LSB6ij3MZAi7LwHWpTn9zWnDajCMEj9vlaV7mcKtHK5iBEg85agFi1h3MvicqLtoFe5hVv9T
-tG0j6CRkjkixPzivltlrf44KHv14gLM0XJxCGyq7vd3l8QYr3+9at0zNnX/yqTiBnsnE5dUE
-SIgrYuz87M2gi/ER9PcDoTtONH3+CkcqVy03q/Sj8cVWD/b1KgEhqnNOfc8Ak9PctyR/ItcR
-8Me5XVn1GJKkQJk4O29fxvgNoAQIrIESvUWGshAEQByXiFoFTDUByjTlgjcy77H1lrH+y3P/
-wAInJjJAut9kCNyGJV0PA4kdPB5USWltuO6t8gk4Pd2YBMl09zqUWkAEUCjFrtZ3mapjcGZI
-uQTASKR5LSjXoWxTT5gae/+64MerF/oCEeO3ehRTpjnPrsiRDo0rWIQTaj9+Nro8Z2xtWstw
-RnfoAHIxV1lEamPwjsceBEi2SD9hiifFeO5ECiVoaE1FdXUXhU+jwYAMx6jHWO9hMkYzS9pM
-Y3IyWR5ybtOjiQgkUdvRJPUPGf5DVVMPnymGX25aDh5PYpIESPbsM9akCpOOVuscywcUswmU
-o7dXvlB48WWCfg/al3BQKAZbn5ZXtWNwpUZkrEdHsrxAVv3rxRcdkT3Z1fzUbIuYkLJN200o
-WgRIJvn6RO8KEj7/HOg2sYuuM8nz1kR0TSgwX7/0y/7JfjBa0JIlP7o75sNJscE8oyoIMzuy
-Dvn6/U9g3BCDXn83A/s+ke60qn9gBFC6NAeLOlXal1YVWYhMQNOqCyUfAjiXBTawaysQb1Mk
-YgeNlF8xuEFcUQWIP+vNG7FJ5JPMaMRL4YEoaQ3sVFhYOERJR1cSb+8xt4QCYtBKQgRIUOmJ
-CHW5o1hXJWJiTkZK2qWFcEMzTINSj5EpYFySr8aVBjkRnI7vxegRT/+XZZXoYedQ3UNsnGI3
-DdkWii5VzX0PNF6C60pfBEiVpausYuX7Wjb3Lfm8cBj7GgN69i6Pm2gxtobVcmpo2nS4D714
-ePyhlX9n8kJ6QAcqWMRj22smDPrHVGNTizfzHBh5zNllK9gESJizILOWI327og3ZWp+qUht5
-kNDJCzMK7Z09UAy+h+vq0VTQuEo3FgLzVdqkJujjSL4Nx97lXg51AovrEn3nd4evydwcjKLX
-1wRIo72NaeWuUEQ+rt1SlCsOJ7k1ioJSqhrPOfvwcaFcb4beVet1JWiy4yvowTjLDGbUje2s
-xjrlVt4BJWI/uA6jbQsrxSe89ADZBAi5YAlR4qszeAQIXD3VSBVKbRUECNTtyvw9vvqXBAhb
-IZNn4H4cxgQI+XW7GkfL+ekECCCCg2reMyGDBAh1PYqkg3lw3gQQkNlggEPU+BH8eh7Gm7n7
-7AQIjC5EWbkil5cEEKcpuqwTWww/X89KnQAg8TcECJPomqHvrlZFBBiRSuIiHpmN+PaujXpv
-qZV2VhjkB2j09GEECOIdv8AVOJgKBAjlHgIqAD9jZQQIXHbs44+wogcEIGGqTACRJxrhMcMG
-X8drNjksIPt+snxTXUBIkTVpZWoABAh6unXPTyIr8QQgBF8xKoX27MWk7iTNmkSNZggZXa2a
-DWCGHSYLngbSOHIECD9XmO6VsvTgBAjfqB70CEW4WwQIVIBkbCocznUEEHB/zFXy/sR4OYHe
-UfbNPnIEEDWBB/NTCLMGE+o8BfyujcAECFik7GQnnF9VBBAhLXExQeWAofZNc6NtN7qZBCC1
-gVIS3ruTwKltmcrgx3heT3M8ZJhCfWa+6KzchnmKygQQ+1NL5sSzR4m/fdrqxHFyUAQYCT2x
-PamQr3wK3h0lyZER+4H0zPM86AhFBBC3CkmvL2vjflMfujnzPBVpBBge9rMbI5+0q9DLrTiT
-5F3AIgXLpD8PQWAECHkHVo6RomV3BAgMbi8E271UeAQIqtS8wnI3XngECG3TWmOMb3/iBEha
-y+mvCS6I3n3JfL8e1B5P4qX9/czJRaERLuKpGNjLiL4A+zxN0LZ0UHd0qfmJjwOTxAx3iJAC
-lGXX4nB9ATYPUT5EU+o1Y4sECN01pP6vWNIdBDAsiE0Ts8/9ltJlqX2B3AoOM4qOt9EaCjXf
-lB+aEmrhtjUwuZ6GqS5Ke7P6XnakTk4ECCLIMatNdootAAAAAAAAAAAAAA==
------END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/example.c b/crypto/openssl/crypto/pkcs7/example.c
deleted file mode 100644
index 2953d04b5c90..000000000000
--- a/crypto/openssl/crypto/pkcs7/example.c
+++ /dev/null
@@ -1,329 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/pkcs7.h>
-#include <openssl/asn1_mac.h>
-#include <openssl/x509.h>
-
-int add_signed_time(PKCS7_SIGNER_INFO *si)
-	{
-	ASN1_UTCTIME *sign_time;
-
-	/* The last parameter is the amount to add/subtract from the current
-	 * time (in seconds) */
-	sign_time=X509_gmtime_adj(NULL,0);
-	PKCS7_add_signed_attribute(si,NID_pkcs9_signingTime,
-		V_ASN1_UTCTIME,(char *)sign_time);
-	return(1);
-	}
-
-ASN1_UTCTIME *get_signed_time(PKCS7_SIGNER_INFO *si)
-	{
-	ASN1_TYPE *so;
-
-	so=PKCS7_get_signed_attribute(si,NID_pkcs9_signingTime);
-	if (so->type == V_ASN1_UTCTIME)
-	    return so->value.utctime;
-	return NULL;
-	}
-	
-static int signed_string_nid= -1;
-
-void add_signed_string(PKCS7_SIGNER_INFO *si, char *str)
-	{
-	ASN1_OCTET_STRING *os;
-
-	/* To a an object of OID 1.2.3.4.5, which is an octet string */
-	if (signed_string_nid == -1)
-		signed_string_nid=
-			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
-	os=ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(os,(unsigned char*)str,strlen(str));
-	/* When we add, we do not free */
-	PKCS7_add_signed_attribute(si,signed_string_nid,
-		V_ASN1_OCTET_STRING,(char *)os);
-	}
-
-int get_signed_string(PKCS7_SIGNER_INFO *si, char *buf, int len)
-	{
-	ASN1_TYPE *so;
-	ASN1_OCTET_STRING *os;
-	int i;
-
-	if (signed_string_nid == -1)
-		signed_string_nid=
-			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
-	/* To retrieve */
-	so=PKCS7_get_signed_attribute(si,signed_string_nid);
-	if (so != NULL)
-		{
-		if (so->type == V_ASN1_OCTET_STRING)
-			{
-			os=so->value.octet_string;
-			i=os->length;
-			if ((i+1) > len)
-				i=len-1;
-			memcpy(buf,os->data,i);
-			return(i);
-			}
-		}
-	return(0);
-	}
-
-static int signed_seq2string_nid= -1;
-/* ########################################### */
-int add_signed_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
-	{
-	/* To add an object of OID 1.9.999, which is a sequence containing
-	 * 2 octet strings */
-	unsigned char *p;
-	ASN1_OCTET_STRING *os1,*os2;
-	ASN1_STRING *seq;
-	unsigned char *data;
-	int i,total;
-
-	if (signed_seq2string_nid == -1)
-		signed_seq2string_nid=
-			OBJ_create("1.9.9999","OID_example","Our example OID");
-
-	os1=ASN1_OCTET_STRING_new();
-	os2=ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(os1,(unsigned char*)str1,strlen(str1));
-	ASN1_OCTET_STRING_set(os2,(unsigned char*)str1,strlen(str1));
-	i =i2d_ASN1_OCTET_STRING(os1,NULL);
-	i+=i2d_ASN1_OCTET_STRING(os2,NULL);
-	total=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
-
-	data=malloc(total);
-	p=data;
-	ASN1_put_object(&p,1,i,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
-	i2d_ASN1_OCTET_STRING(os1,&p);
-	i2d_ASN1_OCTET_STRING(os2,&p);
-
-	seq=ASN1_STRING_new();
-	ASN1_STRING_set(seq,data,total);
-	free(data);
-	ASN1_OCTET_STRING_free(os1);
-	ASN1_OCTET_STRING_free(os2);
-
-	PKCS7_add_signed_attribute(si,signed_seq2string_nid,
-		V_ASN1_SEQUENCE,(char *)seq);
-	return(1);
-	}
-
-/* For this case, I will malloc the return strings */
-int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2)
-	{
-	ASN1_TYPE *so;
-
-	if (signed_seq2string_nid == -1)
-		signed_seq2string_nid=
-			OBJ_create("1.9.9999","OID_example","Our example OID");
-	/* To retrieve */
-	so=PKCS7_get_signed_attribute(si,signed_seq2string_nid);
-	if (so && (so->type == V_ASN1_SEQUENCE))
-		{
-		ASN1_const_CTX c;
-		ASN1_STRING *s;
-		long length;
-		ASN1_OCTET_STRING *os1,*os2;
-
-		s=so->value.sequence;
-		c.p=ASN1_STRING_data(s);
-		c.max=c.p+ASN1_STRING_length(s);
-		if (!asn1_GetSequence(&c,&length)) goto err;
-		/* Length is the length of the seqence */
-
-		c.q=c.p;
-		if ((os1=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
-			goto err;
-		c.slen-=(c.p-c.q);
-
-		c.q=c.p;
-		if ((os2=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
-			goto err;
-		c.slen-=(c.p-c.q);
-
-		if (!asn1_const_Finish(&c)) goto err;
-		*str1=malloc(os1->length+1);
-		*str2=malloc(os2->length+1);
-		memcpy(*str1,os1->data,os1->length);
-		memcpy(*str2,os2->data,os2->length);
-		(*str1)[os1->length]='\0';
-		(*str2)[os2->length]='\0';
-		ASN1_OCTET_STRING_free(os1);
-		ASN1_OCTET_STRING_free(os2);
-		return(1);
-		}
-err:
-	return(0);
-	}
-
-
-/* #######################################
- * THE OTHER WAY TO DO THINGS
- * #######################################
- */
-X509_ATTRIBUTE *create_time(void)
-	{
-	ASN1_UTCTIME *sign_time;
-	X509_ATTRIBUTE *ret;
-
-	/* The last parameter is the amount to add/subtract from the current
-	 * time (in seconds) */
-	sign_time=X509_gmtime_adj(NULL,0);
-	ret=X509_ATTRIBUTE_create(NID_pkcs9_signingTime,
-		V_ASN1_UTCTIME,(char *)sign_time);
-	return(ret);
-	}
-
-ASN1_UTCTIME *sk_get_time(STACK_OF(X509_ATTRIBUTE) *sk)
-	{
-	ASN1_TYPE *so;
-	PKCS7_SIGNER_INFO si;
-
-	si.auth_attr=sk;
-	so=PKCS7_get_signed_attribute(&si,NID_pkcs9_signingTime);
-	if (so->type == V_ASN1_UTCTIME)
-	    return so->value.utctime;
-	return NULL;
-	}
-	
-X509_ATTRIBUTE *create_string(char *str)
-	{
-	ASN1_OCTET_STRING *os;
-	X509_ATTRIBUTE *ret;
-
-	/* To a an object of OID 1.2.3.4.5, which is an octet string */
-	if (signed_string_nid == -1)
-		signed_string_nid=
-			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
-	os=ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(os,(unsigned char*)str,strlen(str));
-	/* When we add, we do not free */
-	ret=X509_ATTRIBUTE_create(signed_string_nid,
-		V_ASN1_OCTET_STRING,(char *)os);
-	return(ret);
-	}
-
-int sk_get_string(STACK_OF(X509_ATTRIBUTE) *sk, char *buf, int len)
-	{
-	ASN1_TYPE *so;
-	ASN1_OCTET_STRING *os;
-	int i;
-	PKCS7_SIGNER_INFO si;
-
-	si.auth_attr=sk;
-
-	if (signed_string_nid == -1)
-		signed_string_nid=
-			OBJ_create("1.2.3.4.5","OID_example","Our example OID");
-	/* To retrieve */
-	so=PKCS7_get_signed_attribute(&si,signed_string_nid);
-	if (so != NULL)
-		{
-		if (so->type == V_ASN1_OCTET_STRING)
-			{
-			os=so->value.octet_string;
-			i=os->length;
-			if ((i+1) > len)
-				i=len-1;
-			memcpy(buf,os->data,i);
-			return(i);
-			}
-		}
-	return(0);
-	}
-
-X509_ATTRIBUTE *add_seq2string(PKCS7_SIGNER_INFO *si, char *str1, char *str2)
-	{
-	/* To add an object of OID 1.9.999, which is a sequence containing
-	 * 2 octet strings */
-	unsigned char *p;
-	ASN1_OCTET_STRING *os1,*os2;
-	ASN1_STRING *seq;
-	X509_ATTRIBUTE *ret;
-	unsigned char *data;
-	int i,total;
-
-	if (signed_seq2string_nid == -1)
-		signed_seq2string_nid=
-			OBJ_create("1.9.9999","OID_example","Our example OID");
-
-	os1=ASN1_OCTET_STRING_new();
-	os2=ASN1_OCTET_STRING_new();
-	ASN1_OCTET_STRING_set(os1,(unsigned char*)str1,strlen(str1));
-	ASN1_OCTET_STRING_set(os2,(unsigned char*)str1,strlen(str1));
-	i =i2d_ASN1_OCTET_STRING(os1,NULL);
-	i+=i2d_ASN1_OCTET_STRING(os2,NULL);
-	total=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
-
-	data=malloc(total);
-	p=data;
-	ASN1_put_object(&p,1,i,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
-	i2d_ASN1_OCTET_STRING(os1,&p);
-	i2d_ASN1_OCTET_STRING(os2,&p);
-
-	seq=ASN1_STRING_new();
-	ASN1_STRING_set(seq,data,total);
-	free(data);
-	ASN1_OCTET_STRING_free(os1);
-	ASN1_OCTET_STRING_free(os2);
-
-	ret=X509_ATTRIBUTE_create(signed_seq2string_nid,
-		V_ASN1_SEQUENCE,(char *)seq);
-	return(ret);
-	}
-
-/* For this case, I will malloc the return strings */
-int sk_get_seq2string(STACK_OF(X509_ATTRIBUTE) *sk, char **str1, char **str2)
-	{
-	ASN1_TYPE *so;
-	PKCS7_SIGNER_INFO si;
-
-	if (signed_seq2string_nid == -1)
-		signed_seq2string_nid=
-			OBJ_create("1.9.9999","OID_example","Our example OID");
-
-	si.auth_attr=sk;
-	/* To retrieve */
-	so=PKCS7_get_signed_attribute(&si,signed_seq2string_nid);
-	if (so->type == V_ASN1_SEQUENCE)
-		{
-		ASN1_const_CTX c;
-		ASN1_STRING *s;
-		long length;
-		ASN1_OCTET_STRING *os1,*os2;
-
-		s=so->value.sequence;
-		c.p=ASN1_STRING_data(s);
-		c.max=c.p+ASN1_STRING_length(s);
-		if (!asn1_GetSequence(&c,&length)) goto err;
-		/* Length is the length of the seqence */
-
-		c.q=c.p;
-		if ((os1=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
-			goto err;
-		c.slen-=(c.p-c.q);
-
-		c.q=c.p;
-		if ((os2=d2i_ASN1_OCTET_STRING(NULL,&c.p,c.slen)) == NULL) 
-			goto err;
-		c.slen-=(c.p-c.q);
-
-		if (!asn1_const_Finish(&c)) goto err;
-		*str1=malloc(os1->length+1);
-		*str2=malloc(os2->length+1);
-		memcpy(*str1,os1->data,os1->length);
-		memcpy(*str2,os2->data,os2->length);
-		(*str1)[os1->length]='\0';
-		(*str2)[os2->length]='\0';
-		ASN1_OCTET_STRING_free(os1);
-		ASN1_OCTET_STRING_free(os2);
-		return(1);
-		}
-err:
-	return(0);
-	}
-
-
diff --git a/crypto/openssl/crypto/pkcs7/info.pem b/crypto/openssl/crypto/pkcs7/info.pem
deleted file mode 100644
index 989baf87096a..000000000000
--- a/crypto/openssl/crypto/pkcs7/info.pem
+++ /dev/null
@@ -1,57 +0,0 @@
-issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
-subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
-serial :047D
-
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1149 (0x47d)
-        Signature Algorithm: md5withRSAEncryption
-        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
-        Validity
-            Not Before: May 13 05:40:58 1998 GMT
-            Not After : May 12 05:40:58 2000 GMT
-        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Modulus:
-                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
-                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
-                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
-                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
-                    e7:e7:0c:4d:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            Netscape Comment: 
-                Generated with SSLeay
-    Signature Algorithm: md5withRSAEncryption
-        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
-        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
-        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
-        50:74:ad:92:cb:4e:90:e5:fa:7d
-
------BEGIN CERTIFICATE-----
-MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
-MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
-ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
-IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
-NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
-aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
-9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
-lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
-hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
-UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
-4A3ZItobUHStkstOkOX6fQ==
------END CERTIFICATE-----
-
------BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
-mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
-fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
-zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
-p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
-bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
-IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
------END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/crypto/pkcs7/infokey.pem b/crypto/openssl/crypto/pkcs7/infokey.pem
deleted file mode 100644
index 1e2acc954d2a..000000000000
--- a/crypto/openssl/crypto/pkcs7/infokey.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
-mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
-fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
-zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
-p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
-bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
-IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
------END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/crypto/pkcs7/p7/a1 b/crypto/openssl/crypto/pkcs7/p7/a1
deleted file mode 100644
index 56ca94376265..000000000000
--- a/crypto/openssl/crypto/pkcs7/p7/a1
+++ /dev/null
@@ -1,2 +0,0 @@
-j,H>_æá_­DôzEîLœ	VJ³ß觬¤””E3ûáYäx%_Àk
-3ê)DLScñ8%ôM
\ No newline at end of file
diff --git a/crypto/openssl/crypto/pkcs7/p7/a2 b/crypto/openssl/crypto/pkcs7/p7/a2
deleted file mode 100644
index 23d8fb5e93b9..000000000000
--- a/crypto/openssl/crypto/pkcs7/p7/a2
+++ /dev/null
@@ -1 +0,0 @@
-k~@a”,NâM͹¼	
<O( KP—騠¤K²>­×U¿o_½
BqrmÎ?Ù t?t÷�Ï�éId2‰Š
\ No newline at end of file
diff --git a/crypto/openssl/crypto/pkcs7/p7/cert.p7c b/crypto/openssl/crypto/pkcs7/p7/cert.p7c
deleted file mode 100644
index 2b75ec05f7d8..000000000000
--- a/crypto/openssl/crypto/pkcs7/p7/cert.p7c
+++ /dev/null
diff --git a/crypto/openssl/crypto/pkcs7/p7/smime.p7m b/crypto/openssl/crypto/pkcs7/p7/smime.p7m
deleted file mode 100644
index 2b6e6f82ba3f..000000000000
--- a/crypto/openssl/crypto/pkcs7/p7/smime.p7m
+++ /dev/null
diff --git a/crypto/openssl/crypto/pkcs7/p7/smime.p7s b/crypto/openssl/crypto/pkcs7/p7/smime.p7s
deleted file mode 100644
index 2b5d4fb0e3b6..000000000000
--- a/crypto/openssl/crypto/pkcs7/p7/smime.p7s
+++ /dev/null
diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c
index 77fda3b82a07..d91aa116a993 100644
--- a/crypto/openssl/crypto/pkcs7/pk7_doit.c
+++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c
@@ -440,6 +440,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 		{
 	case NID_pkcs7_signed:
 		data_body=PKCS7_get_octet_string(p7->d.sign->contents);
+		if (!PKCS7_is_detached(p7) && data_body == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE);
+			goto err;
+			}
 		md_sk=p7->d.sign->md_algs;
 		break;
 	case NID_pkcs7_signedAndEnveloped:
@@ -928,6 +933,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
 	if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
 		goto err;
 	OPENSSL_free(abuf);
+	abuf = NULL;
 	if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
 		goto err;
 	abuf = OPENSSL_malloc(siglen);
diff --git a/crypto/openssl/crypto/pkcs7/pkcs7.h b/crypto/openssl/crypto/pkcs7/pkcs7.h
index e4d443193c43..5d54c4ac2723 100644
--- a/crypto/openssl/crypto/pkcs7/pkcs7.h
+++ b/crypto/openssl/crypto/pkcs7/pkcs7.h
@@ -233,10 +233,6 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 		(OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped)
 #define PKCS7_type_is_data(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_data)
 #define PKCS7_type_is_digest(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_digest)
-#define PKCS7_type_is_encrypted(a) \
-		(OBJ_obj2nid((a)->type) == NID_pkcs7_encrypted)
-
-#define PKCS7_type_is_digest(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_digest)
 
 #define PKCS7_set_detached(p,v) \
 		PKCS7_ctrl(p,PKCS7_OP_SET_DETACHED_SIGNATURE,v,NULL)
@@ -453,6 +449,7 @@ void ERR_load_PKCS7_strings(void);
 #define PKCS7_R_ERROR_SETTING_CIPHER			 121
 #define PKCS7_R_INVALID_MIME_TYPE			 131
 #define PKCS7_R_INVALID_NULL_POINTER			 143
+#define PKCS7_R_INVALID_SIGNED_DATA_TYPE		 155
 #define PKCS7_R_MIME_NO_CONTENT_TYPE			 132
 #define PKCS7_R_MIME_PARSE_ERROR			 133
 #define PKCS7_R_MIME_SIG_PARSE_ERROR			 134
diff --git a/crypto/openssl/crypto/pkcs7/pkcs7err.c b/crypto/openssl/crypto/pkcs7/pkcs7err.c
index d0af32a265df..f3db08e007a9 100644
--- a/crypto/openssl/crypto/pkcs7/pkcs7err.c
+++ b/crypto/openssl/crypto/pkcs7/pkcs7err.c
@@ -1,6 +1,6 @@
 /* crypto/pkcs7/pkcs7err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -130,6 +130,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[]=
 {ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"},
 {ERR_REASON(PKCS7_R_INVALID_MIME_TYPE)   ,"invalid mime type"},
 {ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"},
+{ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),"invalid signed data type"},
 {ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"},
 {ERR_REASON(PKCS7_R_MIME_PARSE_ERROR)    ,"mime parse error"},
 {ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"},
diff --git a/crypto/openssl/crypto/pkcs7/server.pem b/crypto/openssl/crypto/pkcs7/server.pem
deleted file mode 100644
index 750aac209468..000000000000
--- a/crypto/openssl/crypto/pkcs7/server.pem
+++ /dev/null
@@ -1,24 +0,0 @@
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
------BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQAwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzQ2WhcNOTgwNjA5
-MTM1NzQ2WjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
-A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
-cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
-Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
-Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB4TMR2CvacKE9wAsu9jyCX8YiW
-mgCM+YoP6kt4Zkj2z5IRfm7WrycKsnpnOR+tGeqAjkCeZ6/36o9l91RvPnN1VJ/i
-xQv2df0KFeMr00IkDdTNAdIWqFkSsZTAY2QAdgenb7MB1joejquYzO2DQIO7+wpH
-irObpESxAZLySCmPPg==
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
-TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
-OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
-gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
-rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
-PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
-vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
------END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/crypto/pkcs7/sign.c b/crypto/openssl/crypto/pkcs7/sign.c
deleted file mode 100644
index 8b59885f7ea1..000000000000
--- a/crypto/openssl/crypto/pkcs7/sign.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* crypto/pkcs7/sign.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <string.h>
-#include <openssl/bio.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/err.h>
-
-int main(argc,argv)
-int argc;
-char *argv[];
-	{
-	X509 *x509;
-	EVP_PKEY *pkey;
-	PKCS7 *p7;
-	PKCS7_SIGNER_INFO *si;
-	BIO *in;
-	BIO *data,*p7bio;
-	char buf[1024*4];
-	int i;
-	int nodetach=0;
-
-#ifndef OPENSSL_NO_MD2
-	EVP_add_digest(EVP_md2());
-#endif
-#ifndef OPENSSL_NO_MD5
-	EVP_add_digest(EVP_md5());
-#endif
-#ifndef OPENSSL_NO_SHA1
-	EVP_add_digest(EVP_sha1());
-#endif
-#ifndef OPENSSL_NO_MDC2
-	EVP_add_digest(EVP_mdc2());
-#endif
-
-	data=BIO_new(BIO_s_file());
-again:
-	if (argc > 1)
-		{
-		if (strcmp(argv[1],"-nd") == 0)
-			{
-			nodetach=1;
-			argv++; argc--;
-			goto again;
-			}
-		if (!BIO_read_filename(data,argv[1]))
-			goto err;
-		}
-	else
-		BIO_set_fp(data,stdin,BIO_NOCLOSE);
-
-	if ((in=BIO_new_file("server.pem","r")) == NULL) goto err;
-	if ((x509=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) goto err;
-	BIO_reset(in);
-	if ((pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL)) == NULL) goto err;
-	BIO_free(in);
-
-	p7=PKCS7_new();
-	PKCS7_set_type(p7,NID_pkcs7_signed);
-	 
-	si=PKCS7_add_signature(p7,x509,pkey,EVP_sha1());
-	if (si == NULL) goto err;
-
-	/* If you do this then you get signing time automatically added */
-	PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
-						OBJ_nid2obj(NID_pkcs7_data));
-
-	/* we may want to add more */
-	PKCS7_add_certificate(p7,x509);
-
-	/* Set the content of the signed to 'data' */
-	PKCS7_content_new(p7,NID_pkcs7_data);
-
-	if (!nodetach)
-		PKCS7_set_detached(p7,1);
-
-	if ((p7bio=PKCS7_dataInit(p7,NULL)) == NULL) goto err;
-
-	for (;;)
-		{
-		i=BIO_read(data,buf,sizeof(buf));
-		if (i <= 0) break;
-		BIO_write(p7bio,buf,i);
-		}
-
-	if (!PKCS7_dataFinal(p7,p7bio)) goto err;
-	BIO_free(p7bio);
-
-	PEM_write_PKCS7(stdout,p7);
-	PKCS7_free(p7);
-
-	exit(0);
-err:
-	ERR_load_crypto_strings();
-	ERR_print_errors_fp(stderr);
-	exit(1);
-	}
-
diff --git a/crypto/openssl/crypto/pkcs7/t/3des.pem b/crypto/openssl/crypto/pkcs7/t/3des.pem
deleted file mode 100644
index b2b5081a10ec..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/3des.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PKCS7-----
-MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
-A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
-ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEC2vXI1xQDW6lUHM3zQ
-/9uBEBOO5A3TtkrklAXq7v01gsIC21t52qSk36REXY+slhNZ0OQ349tgkTsoETHFLoEwMIHw
-AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
-QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
-UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR9MA0G
-CSqGSIb3DQEBAQUABEB8ujxbabxXUYJhopuDm3oDq4JNqX6Io4p3ro+ShqfIndsXTZ1v5a2N
-WtLLCWlHn/habjBwZ/DgQgcKASbZ7QxNMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
-oAQIbsL5v1wX98KggAQoAaJ4WHm68fXY1WE5OIjfVBIDpO1K+i8dmKhjnAjrjoyZ9Bwc8rDL
-lgQg4CXb805h5xl+GfvSwUaHJayte1m2mcOhs3J2YyqbQ+MEIMIiJQccmhO3oDKm36CFvYR8
-5PjpclVcZyX2ngbwPFMnBAgy0clOAE6UKAAAAAAAAAAAAAA=
------END PKCS7-----
-
diff --git a/crypto/openssl/crypto/pkcs7/t/3dess.pem b/crypto/openssl/crypto/pkcs7/t/3dess.pem
deleted file mode 100644
index 23f013516a51..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/3dess.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN PKCS7-----
-MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
-BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
-ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
-AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
-gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
-ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
-A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
-dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
-hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
-hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
-igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
-syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
-A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
-ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
-kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
-MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
-TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
-BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
-mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
-8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
-ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
-BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
-REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
-AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
-CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
-SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
-BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
-9CWR6g==
------END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/c.pem b/crypto/openssl/crypto/pkcs7/t/c.pem
deleted file mode 100644
index a4b55e321a5c..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/c.pem
+++ /dev/null
@@ -1,48 +0,0 @@
-issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
-subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
-serial :047D
-
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1149 (0x47d)
-        Signature Algorithm: md5withRSAEncryption
-        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
-        Validity
-            Not Before: May 13 05:40:58 1998 GMT
-            Not After : May 12 05:40:58 2000 GMT
-        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Modulus:
-                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
-                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
-                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
-                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
-                    e7:e7:0c:4d:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            Netscape Comment: 
-                Generated with SSLeay
-    Signature Algorithm: md5withRSAEncryption
-        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
-        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
-        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
-        50:74:ad:92:cb:4e:90:e5:fa:7d
-
------BEGIN CERTIFICATE-----
-MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
-MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
-ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
-IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
-NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
-aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
-9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
-lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
-hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
-UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
-4A3ZItobUHStkstOkOX6fQ==
------END CERTIFICATE-----
-
diff --git a/crypto/openssl/crypto/pkcs7/t/ff b/crypto/openssl/crypto/pkcs7/t/ff
deleted file mode 100644
index 23f013516a51..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/ff
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN PKCS7-----
-MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
-BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
-ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
-AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
-gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
-ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
-A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
-dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
-hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
-hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
-igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
-syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
-A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
-ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
-kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
-MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
-TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
-BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
-mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
-8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
-ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
-BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
-REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
-AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
-CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
-SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
-BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
-9CWR6g==
------END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-e b/crypto/openssl/crypto/pkcs7/t/msie-e
deleted file mode 100644
index aafae69fc9d8..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/msie-e
+++ /dev/null
@@ -1,20 +0,0 @@
-
-MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
-BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
-aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABECMzu8y
-wQ/qZbO8cAGMRBF+mPruv3+Dvb9aWNZ2k8njUgqF6mcdhVB2MkGcsG3memRXJBixvMYWVkU3qK4Z
-VuKsMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
-BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
-UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
-SIb3DQEBAQUABEBcWwYFHJbJGhiztt7lzue3Lc9CH5WAbyR+2BZ3uv+JxZfRs1PuaWPOwRa0Vgs3
-YwSJoRfxQj2Gk0wFqG1qt6d1MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQI8vRlP/Nx
-2iSggASCAZhR5srxyspy7DfomRJ9ff8eMCtaNwEoEx7G25PZRonC57hBvGoScLtEPU3Wp9FEbPN7
-oJESeC+AqMTyTLNy8aQsyC5s53E9UkoIvg62ekYZBbXZqXsrxx4PhiiX3NH8GVh42phB0Chjw0nK
-HZeRDmxGY3Cmk+J+l0uVKxbNIfJIKOguLBnhqmnKH/PrnzDt591u0ULy2aTLqRm+4/1Yat/QPb6J
-eoKGwNPBbS9ogBdrCNCp9ZFg3Xar2AtQHzyTQIfYeH3SRQUpKmRm5U5o9p5emgEdT+ZfJm/J4tSH
-OmbgAFsbHQakA4MBZ4J5qfDJhOA2g5lWk1hIeu5Dn/AaLRZd0yz3oY0Ieo/erPWx/bCqtBzYbMe9
-qSFTedKlbc9EGe3opOTdBZVzK8KH3w3zsy5luxKdOUG59YYb5F1IZiWGiDyuo/HuacX+griu5LeD
-bEzOtZnko+TZXvWIko30fD79j3T4MRRhWXbgj2HKza+4vJ0mzcC/1+GPsJjAEAA/JgIEDU4w6/DI
-/HQHhLAO3G+9xKD7MvmrzkoAAAAAAAAAAAAA
-
-
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-e.pem b/crypto/openssl/crypto/pkcs7/t/msie-e.pem
deleted file mode 100644
index a2a5e24e7426..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/msie-e.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN PKCS7-----
-MIAGCSqGSIb3DQEHA6CAMIIDkAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
-bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
-aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
-uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQIzO7zLBD+pls7xwAYxEEX6Y+u6/f4O9
-v1pY1naTyeNSCoXqZx2FUHYyQZywbeZ6ZFckGLG8xhZWRTeorhlW4qwwgfACAQAw
-gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
-EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
-GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
-QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQFxbBgUclskaGLO23uXO57ctz0If
-lYBvJH7YFne6/4nFl9GzU+5pY87BFrRWCzdjBImhF/FCPYaTTAWobWq3p3UwggHD
-BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECPL0ZT/zcdokgIIBmFHmyvHK
-ynLsN+iZEn19/x4wK1o3ASgTHsbbk9lGicLnuEG8ahJwu0Q9Tdan0URs83ugkRJ4
-L4CoxPJMs3LxpCzILmzncT1SSgi+DrZ6RhkFtdmpeyvHHg+GKJfc0fwZWHjamEHQ
-KGPDScodl5EObEZjcKaT4n6XS5UrFs0h8kgo6C4sGeGqacof8+ufMO3n3W7RQvLZ
-pMupGb7j/Vhq39A9vol6gobA08FtL2iAF2sI0Kn1kWDddqvYC1AfPJNAh9h4fdJF
-BSkqZGblTmj2nl6aAR1P5l8mb8ni1Ic6ZuAAWxsdBqQDgwFngnmp8MmE4DaDmVaT
-WEh67kOf8BotFl3TLPehjQh6j96s9bH9sKq0HNhsx72pIVN50qVtz0QZ7eik5N0F
-lXMrwoffDfOzLmW7Ep05Qbn1hhvkXUhmJYaIPK6j8e5pxf6CuK7kt4NsTM61meSj
-5Nle9YiSjfR8Pv2PdPgxFGFZduCPYcrNr7i8nSbNwL/X4Y+wmMAQAD8mAgQNTjDr
-8Mj8dAeEsA7cb73EoPsy+avOSgAAAAA=
------END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-enc-01 b/crypto/openssl/crypto/pkcs7/t/msie-enc-01
deleted file mode 100644
index 2c93ab646268..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/msie-enc-01
+++ /dev/null
@@ -1,62 +0,0 @@
-
-MIAGCSqGSIb3DQEHA6CAMIACAQAxgfMwgfACAQAwgZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYD
-VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0
-IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMT
-EkRFTU8gWkVSTyBWQUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQKvMaW8xh6oF/X+CJivz
-IZV7yHxlp4O3NHQtWG0A8MOZB+CtKlU7/6g5e/a9Du/TOqxRMqtYRp63pa2Q/mM4IYMwgAYJ
-KoZIhvcNAQcBMBoGCCqGSIb3DQMCMA4CAgCgBAifz6RvzOPYlKCABIGwxtGA/FLBBRs1wbBP
-gDCbSG0yCwjJNsFg89/k6xuXo8c5YTwsw8+XlIVq03navpew6XxxzY090rD2OJ0t6HA6GqrI
-pd8WiSh/Atqn0yfLFmkLqgIAPRfzxUxqUocxLpQsLIFp2YNUGE+yps+UZmIjw/WHfdqrcWTm
-STSvKuy3UkIJZCkGDBpTvqk4BFaHh4oTXEpgpNY+GKxjf9TDN9GQPqQZR7sgQki4t2g4/Saq
-Kl4EMISgluk6swdND0tiHY7v5d6YR29ePCl2/STJ98eJpWkEEC22GNNvOy7ru/Rv2He4MgQg
-optd7sk9MMd9xhJppg7CcH/yDx//HrtgpOcWmn6VxpgECFqon4uXkQtIBIH4PaNclFn7/hLx
-Pw2VmBGaC0SYF3U1jyN96EBxdjqy8Aa6ByMXYDW5BcfqniD5mYXfw+b81lh1kutxaPaV4YJ9
-ZlRUW752N7VHo/fG0/fukoe5W9a8kIhgLpygllb/GP4oSF4wM6n1/OgRzZj2IWFiobKO4d/t
-Mnh+C+PoEVAuFZcxQwi9GqvsK5OoIjVwNx0XcVSOl1TTYS9SwC7ugMBCab73JiruC24pL78Y
-M+NaIpIQ3On4DokJA2ZHtjBjZIxF4tKA144RvFN6pBd6TVE5XM6KD/Vh9bjSmujtEAfdQ3Te
-dvKJsbZuu0stErbvWcRy11I328l557EECAJT7d44OJ3rBBBj6bnnx6dDU2SRqp2CEoQaBAhK
-RBuyhNxkygQIOY9/NhwqAJAECOvX0Zd0DqgoBAjobPpMHhVV3gQQWLU2vEoZ51BwzxdzCmxO
-wwQI4oKfudaNqoAESKzBNAqv5kGumHOlMKsRfrs7jZCcSaOuEj97pYx08FLEgF23cav39MOQ
-NUEM1dNU+EYslL4o3RoSHRjUgPU+2t9c0prS9A/bPARIEOP94PynaTNxwHi3VTK7SzuQmgzA
-4n942E9joSiqsQPlsKAb3sPUaLC3SuUxSjNBgfpvD0bmrA/5h+WZoYXvIogFpwjkSmnFBEie
-0lh5Ov1aRrvCw5/j3Q/W/4ZtN5U+aeVBJMtA8n0Mxd5kPxHbNVh4oGprZ6wEegV8ht3voyZa
-mZ5Cyxc8ffMYnM/JJI6/oEYEUEMyyiS5FnYyvxKzfMtyn2lZ2st9nZGNNgMc9N62r5HgNbdD
-FHuRdKKzV+8kQfuMc3mOPpK1t9TFY+QgrxiB5p6S7VooI97YtP3PbfknszCEBEh4PdXYbbaR
-3AacN3Q5kYYmWsq3WW6xgrg0mmEGosGvwSQxBBuiXZrxScCa4ivEq05UZwyShePvKduOvnUE
-2zDO6IXFLZxhTZAESEm9/FovLgGAiJ7iMGmYvsISLJScwG4n+wrSaQNQXizs9N3ykys54wBN
-d/+BQ4F7pncHhDQ2Dyt5MekB8Y8iNOocUTFCu524vQRIaWCXmXP3vU7D21dp0XnAMzRQJ565
-JV3aHRoY7XDa4LePa7PP9ywyafOE5yCW7ndqx3J+2JhTDvSFsW8/q3H3iyeFhykuJVS6BFDK
-6CmKbnyyjOfE2iLGJmTFa905V2KrVDCmlEu/xyGMs80yTyZC+ySzM83FMVvLEQmSzcTNUZVp
-DfA1kNXbXkPouBXXT6g8r8JCRljaKKABmgRIlMheOJQRUUU4cgvhMreXPayhq5Ao4VMSCkA5
-hYRCBczm4Di/MMohF0SxIsdRY6gY9CPnrBXAsY6h1RbR7Tw0iQZmeXi52DCiBEj0by+SYMAa
-9z0CReIzl8JLL6EVIFz8kFxlkGWjr4dnOzhhPOq/mCpp0WxbavDfdhE87MdXJZBnLwoT62QG
-955HlAoEQBOGJbcESCgd5XSirZ9Y3AbCfuKOqoMBvEUGn+w/pMaqnGvnr5FZhuBDKrhRXqtx
-QsxA//drGUxsrZOuSL/0+fbvo7n2h1Z8Ny86jOvVZAQIAjw2l1Yc5RAESNc9i3I8pKEOVQf/
-UBczJ0NR9aTEF80dRg2lpXwD0ho4N0AvSiVbgxC7cPZHQwIqvq9LHRUs/4n+Vu3SVYU3cAxo
-lUTiCGUSlARIF+TD57SI5+RI+MNtnD9rs4E1ml51YoHGWFj3UPriDmY0FKEwIgqtMXMY3fZ9
-Kq8d83bjDzxwbDX7WwR7KbSeJWT42pCz7kM+BEjjPsOnZHuusXT3x2rrsBnYtYsbt98mSFiS
-KzTtFmXfkOBbCQdit1P76QnYJ1aXMGs6zP6GypQTadK/zYWvlm38QkVwueaJ0woESKW2pqKA
-70h2UMDHOrpepU1lj0YMzmotDHSTU3L909VvUMNg9uqfrQ6mSkb9j5Tl8oF2otOw5EzA1Yda
-KPmgsv62RWLYl80wXQRQwG0e/mgG75jp9lOhJdVXqcYbQpS9viwVaVkwH+69mu/bQI4gjoEs
-UYX6O71Re2z+cYhcm9UrK+DXuSFBXQOIlAFxKMW4B0apd6fU84FsZLMESOorXE5OE0A2B2ji
-J8QI0Exk4hUvWrMNJfUZwFyS7E05xV9ORuX1xmsKqkT4tVR5Nqln4vhvAY860VBoloz0CDkd
-8seSBEjeMgRI9FvpYuflIeHg9urkwp6N+1f0DrJJhJY9ZQ0HTQhziJmIfvbEjNqCl7hEC28+
-F8I5tuViLgfSwcFFCvnS6WFoN4X6QdFdqMCbBEjdlI1c+IQGA/IuTDMJYCuQ/v+8BG5ZeWVH
-icPZmXfRat9eFK1dGKAJef6+Tf9HPuDjSpDyffrifsp7Dc34lmm7GN1+ON3ZMtwEUNm6epb8
-1RKWjoI7jIKUV/M2p/0eeGSqs4b06KF/VR6dBwsJVL5DpnTsp3MV4j/CAOlRdSPZ5++tsKbM
-aplk+ceqQtpEFz1MYTtVV4+rlrWaBEA1okJyNZ5/tNOwM7B+XfOZ0xw+uyVi9v4byTZM2Qds
-J+d3YGYLAugTGHISLqQEerD8/gGK+/SL06b2gNedXPHtBAiBKX+Mdy3wFQQIqE9gVgvrFNUE
-CKKoTFoMGqnPBAjDPgLCklNfrwQI3Ek1vSq68w8ECBodu2FOZJVkBAgzwjfSr2N9WQQQTCoQ
-KkAbrS9tnjXn1I3+ZwQIrPx3eINo/YUECIeYWCFskxlYBAiDUdvZXwD3vgQIkEyZbbZWbUUE
-CH4+odl1Isk3BBj68fkqJ0fKJRWVLWuW/O3VE4BOPKwFlaIECFseVTdDUho8BAj+cOKvV2WA
-hgQgaXr+wwq+ItblG0Qxz8IVUXX6PV2mIdHwz4SCCvnCsaIECJhBYxdfLI/XBCDswamPn9MR
-yXi2HVQBineV+GtWVkIoZ2dCLFB9mQRMoAQI0nUR5a5AOJoECA+AunKlAlx8BAi5RtFeF4g1
-FQQIz/ie+16LlQcECOmNuVg5DXjMBAjH2nkfpXZgWwQIVdLuO/+kuHAECO/5rEHmyI9vBBD4
-16BU4Rd3YerDQnHtrwOQBCCkho1XxK5Maz8KLCNi20wvcGt8wsIXlj2h5q9ITBq7IgQQvKVY
-4OfJ7bKbItP2dylwQgQYPIGxwkkbRXNraONYvN19G8UdF35rFOuIBAjf0sKz/618ZQQIxObr
-xJkRe0sECIC+ssnjEb2NBBBI+XM4OntVWGsRV9Td3sFgBAinGwIroo8O0gQQMGAwgc9PaLaG
-gBCiwSTrYQQIVHjfCQgOtygEUIoraFoANfhZgIShpOd/RRxFU4/7xZR5tMdGoYz/g0thR0lM
-+Hi88FtFD4mAh/Oat4Ri8B7bv04aokjN2UHz6nPbHHjZ8zIqpbYTCy043GNZBAhOqjyB2JbD
-NwQoR23XCYD9x6E20ChHJRXmaHwyMdYXKl5CUxypl7ois+sy2D7jDukS3wQIsTyyPgJi0GsA
-AAAAAAAAAAAA
-
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-enc-01.pem b/crypto/openssl/crypto/pkcs7/t/msie-enc-01.pem
deleted file mode 100644
index 9abf00b2f245..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/msie-enc-01.pem
+++ /dev/null
@@ -1,66 +0,0 @@
------BEGIN PKCS7-----
-MIAGCSqGSIb3DQEHA6CAMIILyAIBADGB8zCB8AIBADCBmTCBkjELMAkGA1UEBhMC
-QVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYD
-VQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
-TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBAgIEbjANBgkq
-hkiG9w0BAQEFAARAq8xpbzGHqgX9f4ImK/MhlXvIfGWng7c0dC1YbQDww5kH4K0q
-VTv/qDl79r0O79M6rFEyq1hGnrelrZD+YzghgzCCCssGCSqGSIb3DQEHATAaBggq
-hkiG9w0DAjAOAgIAoAQIn8+kb8zj2JSAggqgxtGA/FLBBRs1wbBPgDCbSG0yCwjJ
-NsFg89/k6xuXo8c5YTwsw8+XlIVq03navpew6XxxzY090rD2OJ0t6HA6GqrIpd8W
-iSh/Atqn0yfLFmkLqgIAPRfzxUxqUocxLpQsLIFp2YNUGE+yps+UZmIjw/WHfdqr
-cWTmSTSvKuy3UkIJZCkGDBpTvqk4BFaHh4oTXEpgpNY+GKxjf9TDN9GQPqQZR7sg
-Qki4t2g4/SaqKl6EoJbpOrMHTQ9LYh2O7+XemEdvXjwpdv0kyffHiaVpBBAtthjT
-bzsu67v0b9h3uDKim13uyT0wx33GEmmmDsJwf/IPH/8eu2Ck5xaafpXGmFqon4uX
-kQtIPaNclFn7/hLxPw2VmBGaC0SYF3U1jyN96EBxdjqy8Aa6ByMXYDW5BcfqniD5
-mYXfw+b81lh1kutxaPaV4YJ9ZlRUW752N7VHo/fG0/fukoe5W9a8kIhgLpygllb/
-GP4oSF4wM6n1/OgRzZj2IWFiobKO4d/tMnh+C+PoEVAuFZcxQwi9GqvsK5OoIjVw
-Nx0XcVSOl1TTYS9SwC7ugMBCab73JiruC24pL78YM+NaIpIQ3On4DokJA2ZHtjBj
-ZIxF4tKA144RvFN6pBd6TVE5XM6KD/Vh9bjSmujtEAfdQ3TedvKJsbZuu0stErbv
-WcRy11I328l557ECU+3eODid62PpuefHp0NTZJGqnYIShBpKRBuyhNxkyjmPfzYc
-KgCQ69fRl3QOqCjobPpMHhVV3li1NrxKGedQcM8XcwpsTsPigp+51o2qgKzBNAqv
-5kGumHOlMKsRfrs7jZCcSaOuEj97pYx08FLEgF23cav39MOQNUEM1dNU+EYslL4o
-3RoSHRjUgPU+2t9c0prS9A/bPBDj/eD8p2kzccB4t1Uyu0s7kJoMwOJ/eNhPY6Eo
-qrED5bCgG97D1Giwt0rlMUozQYH6bw9G5qwP+YflmaGF7yKIBacI5EppxZ7SWHk6
-/VpGu8LDn+PdD9b/hm03lT5p5UEky0DyfQzF3mQ/Eds1WHigamtnrAR6BXyG3e+j
-JlqZnkLLFzx98xicz8kkjr+gRkMyyiS5FnYyvxKzfMtyn2lZ2st9nZGNNgMc9N62
-r5HgNbdDFHuRdKKzV+8kQfuMc3mOPpK1t9TFY+QgrxiB5p6S7VooI97YtP3Pbfkn
-szCEeD3V2G22kdwGnDd0OZGGJlrKt1lusYK4NJphBqLBr8EkMQQbol2a8UnAmuIr
-xKtOVGcMkoXj7ynbjr51BNswzuiFxS2cYU2QSb38Wi8uAYCInuIwaZi+whIslJzA
-bif7CtJpA1BeLOz03fKTKznjAE13/4FDgXumdweENDYPK3kx6QHxjyI06hxRMUK7
-nbi9aWCXmXP3vU7D21dp0XnAMzRQJ565JV3aHRoY7XDa4LePa7PP9ywyafOE5yCW
-7ndqx3J+2JhTDvSFsW8/q3H3iyeFhykuJVS6yugpim58soznxNoixiZkxWvdOVdi
-q1QwppRLv8chjLPNMk8mQvskszPNxTFbyxEJks3EzVGVaQ3wNZDV215D6LgV10+o
-PK/CQkZY2iigAZqUyF44lBFRRThyC+Eyt5c9rKGrkCjhUxIKQDmFhEIFzObgOL8w
-yiEXRLEix1FjqBj0I+esFcCxjqHVFtHtPDSJBmZ5eLnYMKL0by+SYMAa9z0CReIz
-l8JLL6EVIFz8kFxlkGWjr4dnOzhhPOq/mCpp0WxbavDfdhE87MdXJZBnLwoT62QG
-955HlAoEQBOGJbcoHeV0oq2fWNwGwn7ijqqDAbxFBp/sP6TGqpxr56+RWYbgQyq4
-UV6rcULMQP/3axlMbK2Trki/9Pn276O59odWfDcvOozr1WQCPDaXVhzlENc9i3I8
-pKEOVQf/UBczJ0NR9aTEF80dRg2lpXwD0ho4N0AvSiVbgxC7cPZHQwIqvq9LHRUs
-/4n+Vu3SVYU3cAxolUTiCGUSlBfkw+e0iOfkSPjDbZw/a7OBNZpedWKBxlhY91D6
-4g5mNBShMCIKrTFzGN32fSqvHfN24w88cGw1+1sEeym0niVk+NqQs+5DPuM+w6dk
-e66xdPfHauuwGdi1ixu33yZIWJIrNO0WZd+Q4FsJB2K3U/vpCdgnVpcwazrM/obK
-lBNp0r/Nha+WbfxCRXC55onTCqW2pqKA70h2UMDHOrpepU1lj0YMzmotDHSTU3L9
-09VvUMNg9uqfrQ6mSkb9j5Tl8oF2otOw5EzA1YdaKPmgsv62RWLYl80wXcBtHv5o
-Bu+Y6fZToSXVV6nGG0KUvb4sFWlZMB/uvZrv20COII6BLFGF+ju9UXts/nGIXJvV
-Kyvg17khQV0DiJQBcSjFuAdGqXen1POBbGSz6itcTk4TQDYHaOInxAjQTGTiFS9a
-sw0l9RnAXJLsTTnFX05G5fXGawqqRPi1VHk2qWfi+G8BjzrRUGiWjPQIOR3yx5IE
-SN4y9FvpYuflIeHg9urkwp6N+1f0DrJJhJY9ZQ0HTQhziJmIfvbEjNqCl7hEC28+
-F8I5tuViLgfSwcFFCvnS6WFoN4X6QdFdqMCb3ZSNXPiEBgPyLkwzCWArkP7/vARu
-WXllR4nD2Zl30WrfXhStXRigCXn+vk3/Rz7g40qQ8n364n7Kew3N+JZpuxjdfjjd
-2TLc2bp6lvzVEpaOgjuMgpRX8zan/R54ZKqzhvTooX9VHp0HCwlUvkOmdOyncxXi
-P8IA6VF1I9nn762wpsxqmWT5x6pC2kQXPUxhO1VXj6uWtZo1okJyNZ5/tNOwM7B+
-XfOZ0xw+uyVi9v4byTZM2QdsJ+d3YGYLAugTGHISLqQEerD8/gGK+/SL06b2gNed
-XPHtgSl/jHct8BWoT2BWC+sU1aKoTFoMGqnPwz4CwpJTX6/cSTW9KrrzDxodu2FO
-ZJVkM8I30q9jfVlMKhAqQButL22eNefUjf5nrPx3eINo/YWHmFghbJMZWINR29lf
-APe+kEyZbbZWbUV+PqHZdSLJN/rx+SonR8olFZUta5b87dUTgE48rAWVolseVTdD
-Uho8/nDir1dlgIZpev7DCr4i1uUbRDHPwhVRdfo9XaYh0fDPhIIK+cKxophBYxdf
-LI/X7MGpj5/TEcl4th1UAYp3lfhrVlZCKGdnQixQfZkETKDSdRHlrkA4mg+AunKl
-Alx8uUbRXheINRXP+J77XouVB+mNuVg5DXjMx9p5H6V2YFtV0u47/6S4cO/5rEHm
-yI9v+NegVOEXd2Hqw0Jx7a8DkKSGjVfErkxrPwosI2LbTC9wa3zCwheWPaHmr0hM
-GrsivKVY4OfJ7bKbItP2dylwQjyBscJJG0Vza2jjWLzdfRvFHRd+axTriN/SwrP/
-rXxlxObrxJkRe0uAvrLJ4xG9jUj5czg6e1VYaxFX1N3ewWCnGwIroo8O0jBgMIHP
-T2i2hoAQosEk62FUeN8JCA63KIoraFoANfhZgIShpOd/RRxFU4/7xZR5tMdGoYz/
-g0thR0lM+Hi88FtFD4mAh/Oat4Ri8B7bv04aokjN2UHz6nPbHHjZ8zIqpbYTCy04
-3GNZTqo8gdiWwzdHbdcJgP3HoTbQKEclFeZofDIx1hcqXkJTHKmXuiKz6zLYPuMO
-6RLfsTyyPgJi0GsAAAAA
------END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-enc-02 b/crypto/openssl/crypto/pkcs7/t/msie-enc-02
deleted file mode 100644
index 70170559651f..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/msie-enc-02
+++ /dev/null
@@ -1,90 +0,0 @@
-
-MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
-BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
-aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABEACr4tn
-kSzvo3aIlHfJLGbfokNCV6FjdDP1vQhL+kdXONqcFCEf9ReETCvaHslIr/Wepc5j2hjZselzgqLn
-rM1ZMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
-BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
-UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
-SIb3DQEBAQUABEBanBxKOvUoRn3DiFY55lly2TPu2Cv+dI/GLrzW6qvnUMZPWGPGaUlPyWLMZrXJ
-xGXZUiRJKTBwDu91fnodUEK9MIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQImxKZEDWP
-EuOggASCBACBi1bX/qc3geqFyfRpX7JyIo/g4CDr62GlwvassAGlIO8zJ5Z/UDIIooeV6QS4D4OW
-PymKd0WXhwcJI0yBcJTWEoxND27LM7CWFJpA07AoxVCRHTOPgm794NynLecNUOqVTFyS4CRuLhVG
-PAk0nFZG/RE2yMtx4rAkSiVgOexES7wq/xWuoDSSmuTMNQOTbKfkEKqdFLkM/d62gD2wnaph7vKk
-PPK82wdZP8rF3nUUC5c4ahbNoa8g+5B3tIF/Jz3ZZK3vGLU0IWO+i7W451dna13MglDDjXOeikNl
-XLsQdAVo0nsjfGu+f66besJojPzysNA+IEZl6gNWUetl9lim4SqrxubUExdS2rmXnXXmEuEW/HC7
-dlTAeYq5Clqx5id6slhC2C2oegMww3XH9yxHw6OqzvXY6pVPEScEtBMQLgaKFQT+m2SRtbTVFG7c
-QcnUODyVB1IbpQTF1DHeeOX1W/HfpWZym8dzkti6SCyeumHmqO406xDiIMVKtHOqM86nEHuAMZsr
-cLy+ey6TEJvR6S4N8QRzng8JJDZDTJXQN6q84aEudsnOrw2KyOVwPpI6ey4qBsHUgQ8kAFy5lsQa
-WV45h6exgUwbBcKLgPZGFj+OdD2RKJsTb83/UqbJS5Q/lGXhzBlnaYucyJxEprRxbntmcnOEPFJe
-+tRDUwOTd7qlJljdhIJL+uDcooL9Ahgo6Cwep6tduekv2cSEohJeTE8Dvy34YRhMbLvnFNdmnpNy
-rNZDYVVxxaKoyd2AfB8NPFZh1VdAYfI3R1QAQ2kXEef5NNIfVQfMzD9akJn4RP+Kv32Qaxm4FrnK
-xmwRyGJShavIBc2ax+F1r1+NZXuSBHn5vfoRTxOk0ST4dXsw74dnlYUMRaSu4qqUdM9jsXSyeX4Z
-gQgkR2bkaYO6ezFgenFIa7QWVw8rXZAEZ5aibCxbnY1VE41PYIvhlLdbFJhH9gY22s+fFAuwnzyA
-SRjC40A9aAEItRlaPStWSGiqlLRgNkBBwdpv2l2YPBd2QzHx6ek6XGrvRJuAC+Nh62rtQKwpNH54
-YAOHW55maBFW2SQ3TF+cZ6NbbqhCmHTyyR7mcSYc9sXSVDWEhYKQ1iyU870zhHWVpvglZizZetJC
-ZFjYex3b1ngVdcgargOvpPq9urCKKi2mbkqv/EFpzSWGXkKSpfCG/XfMnEOtkNrB8S06vnk2JcJB
-OBqJot+uuSH5hOg0vTpxX2DuONJSiWSWyfRE/lTfJJFXwhod7SXclUyXPeSyibcSic2hVAzDmwjD
-31js/j2k02PI/agPhr3UQ8cMgcNAiaoCKbNaWfn6BGbCAbTchxzUlo2cSJiLlrX2IDZmfXbXmZCo
-m1smWIG+BIIEALiuAxDb6dWLAYyVBoN9hYI4AiPeZAY9MtvQ6AV8o2/EFm6PvYGXy3Hei5830CH0
-PBeX7Kdd6ff1y33TW/l5qSkIL1ULTGR7okFfJePHDmq1dFt6/JOMptiQ8WSu7CsJQvZ9VTFXeYFc
-ZqCPPZc1NrPegNK70Zf9QxWIbDAevJ5KLBf1c6j8pU2/6LnvDY6VjaTvYSgr7vTR8eVzH4Rm77W0
-iOHxg5VcODv6cGSVyuvbX8UAGo8Cmb58ERDtBDJBQXVpWKLNAuDJ9GX8n2zNkpjZLbPSkcmuhqGa
-BJBE/BaCTkUQWlY9dIbRtEnxIU1mfbPPdx1Ppa8DqGDjSOsQdKcKYNNZtayEw++EIpmpdBNsKphC
-fB8UEK2Wkk4ZVW+qyGoi/r0MFsvO1NmSOOZ0o/jy/YHmoeURHhPy97AO3eVTkEAa5CfJEJybmo56
-7CDw/FwoGAUCgsoz7rlxzMudr/IhHIH+APinncxXlHO2ecvHD9i8DaHGA8tVifgsUhqQoZieULut
-eF94O5UAxOkv41UZssYTwN4nYrN1QkesZl3BX4ORS4EE30/PQ23ARf3WZptZrCJevGm2ZYzGeh8x
-g17mCDfiLO+bff4qP/4mC96Pu4ia6j4to5BwKIJS/+DCuoD8WeSKF4pugXQkMUiHdQnNnVP9Sp2O
-/4ly5mO8JzrQC59V2bnTNBqPhpno8kfJvK5TypPSVC+bTzern3rJ6UceB3srcn9zxKx9GdNydJQj
-yWjv8ec3n3d1nuQwhz5Q053NBhIjwoGg3Go7LO6i78ZOlpF7dcoAO13NfHLyNjnyHCaiWtVRTct9
-rLf5vN00urSn8YJngHk1eTKK8nHGIcOg6YdYDOD2nE5XwRijKmieG8Xa3eKRzfbL06GrBQENle6J
-mC131bp3cRVxpjq+o6RAbGoMm4yICsL4eTarCQrsyHmoPHqr91UHo91avyxU7knWmEhX27ybmsrs
-8aeZwPHixL14TeyhruCqRVvkf1Ks7P+z8MPUboGNqQe2WLN8ktCGEr15O8MJR/em86G03Jfo4oaw
-/DVUH5RwLT6acedOGuzMh/2r8BcmemhVQ8/cWvV4YJ0tOW4hzyVHC5hQf8sZ3LzxXLH6Ohnrbprh
-xvrdbaSdChWZDDP0bCCbxEhkwuBkBeKZrMbwRTP+TPTPYLVTH/CmKLzKh/114tkGkyO3hHS4qExU
-V39F2Sj4mylx+hD0+20D9pntpNi7htccGlOm6yNM69at/3+kLgJJyoIlaxLcCUYHNMifDt+T3p/t
-5U4XmD53uUQ6M8dvj/udqPekNSUfse15yrd9pjOt5PcJuqW28q0sFHf9pHIgz3XZFMe5PD7ppw6r
-S+C6Ir4PrYIEggQA7ZDVtiCm+BbtNNB/UJm79/OQ5mp5bTI0kPmDeycaWTa0Ojpum+c/dpG/iJOB
-DICj7jHOXSHT7JlGyX6aSFJUltucAnZvwzhPDmdDaIDiKSk85GqgdDWVfGosSCX9Ph/T3WpIxnwf
-WSDRtIHkWTjly+pe4yy5K6/XISy/L5Zh/fhiI5fjHjgzmlibs2ru4nVw6hBhUvlSSe2BEs5d9h/y
-NH8Wy3qvb2D3jh7hkepFtZJGNTHp8ZUC7Ns2JIpQYObsaxdI65i3mMOu7fRwI+0/4ejsWhP6KCEi
-LgwvLg0qM82ma6YB7qHAHboaczRVEffDcJUG4a5uycB0DoZFn+uEaEFyili20hCn4hVfsqUQk2PT
-8Mo1tSl5e30xI1YJZrRgiJm9nHRX6fLizngP+ILJLPHZsPvlSVIfY+/v/FR8feKOjaGhyGF51BAx
-aM2NIQ4jMP5/X+U5gQybi0E6u7rroDhaHsKmCMgXqszwXWCpedA/sEbeHpiTC59YlPPSlIOMc9vP
-Ko/mQCfWy/9icUaIfKQldvkllUxxNkqu6AbIpHVscbAEzSPs5xbQXU8EZNNCDisFnnpY3nQ3eLnl
-m89saTJxRb7NWHRMlmPv7qgD7uMIq3vdOGA7i5wT9MeoNIgK1/DsgH30s6RWjJy4YyyLmRTXPzbj
-hbQVpEmiMRbEidIvUx2OjKVxVQIcgtLsa2lvHQ4XL1cpLr5GVtOgy0fMg5OCDUUDsvjgjgLQ3P2U
-p2nVY5FM6/QpPc5DTLuuR9ekI2/c9Biz09RtcYDUQK2ajdo8h1IyKqHFoB7h48OXxXKKY94DY0TG
-x6PonB/epj8orAw4QKmm5M0vXYwBOqRymCTHTqOJGObdLx1euFFyqguzHJOU2gAGZI0z9Lg1yRuF
-yhdPZyuniIcmtLNxRZ1duYHErcAyX56qndmLXt7UVkATai/rIMuoJLfAsUnVuTUS5p7tJM754UZT
-7lTcXvDJgOUNnBRaIcxC3pxvbrYDJ2iFJ72xkxUP2p74gucqg25XnCVmQuLg6zDDxF6CLuw9isxy
-Xg4pkneMN//7fpp8GYl9nyZm2yqYYM+jcw0fcVc64L+X4w/gL3H2UMGgxIHSJp7HIG7VKHtXrNyj
-dPXXPVUsMsAAimqOr0Lr2sZWirfuivLaPTqhbkvG5PF7K3gT80AOIcd/6EIHBy2hZ7ukfjHmdP4L
-yQOhTQklaKzGHI0mypq0uFLWJOUlZnVrMiLP1xrWkpC8Ro9eo6mfjjQ45z8adC43a47klwTEzvod
-3rNEFIGJJUEjAN3mbqie7IxoSJknBBJK0D9lZEQ8lZWlq7vuN8JdqPM6xh155jMVsPwjLK6Tzkj5
-BpRD9Tgm3u6HPQSCBADgkWEN75Mu9TGosXY0xm1k6K6sPv8L949CrLWo4r1I2LA072bTGvQP28Vs
-hUA76jgcT1ocC++9PoktIK10YCq5w+FfMAQ04KeCXuAdmiY2iAT4Slea61PMCMta3mVGyLUZCLEm
-P+I0UKR5mlO0fGEcjU9j8TmbjZqxNFqloLsU7oSi7Os0EtYHkdAVrExUyOc/ZDie6fBjdLTmLdCm
-bE9JNwjlbXypdTZupGgLNhKGDIskUAAMwZYayI6YfSIMkNCeAYTnjOuGZZ1msCXGXsfMBR1sfUIj
-9UeGjwD8gq+UVVHX/oeoH/m0eJ5ppqi3+nUlgc9DvpYsC/Fg0G2KuYb9B+VJ+a4GMzQSPREoFtQp
-B9dtLkBb7Ha/hpGWTIdqzW0eAo5llyN8FNvl2Fu2IcLaNmWFO69gLjRKQopp0dvFOuwAVI6fvGDj
-p1WigoNbFZl8N+iiWmzKOjoG2ZLbez1clZCms/JPJrXhEMMOxWpVzkQyN336VWHmGgMcjaKCGSeA
-2nnESIGuiCXMrkHlGfabYIsKcHFCo2t13uXyZPf0zSPTkuD0Eh92wqC9pvA3gvrrCUfo9Mn3bs+e
-KWKmDlpcs8mDn032oIg+zrQhIduMqXVn3evzeVM3B5MBOGMvg51/SXg7R+MC/463juQQEb9IVe/I
-YGnO//oWm9lw/377Af/qH+FnN02obJw1FvesQIs9e5RHNQykKbO+vmVJQl1nd9DZWrHDNO7/80Yz
-2hCm7Tws5nSRN2iFlyRaYJHr7ypxkU2rCak2r6ua7XDwu1qU2RT3+qPjT1RuxQ2oTlHyGkKPMZGC
-Rc+CSWz5aeeCmHZVwdb3nC8YpfsujMiYqygLeuQ82pjKuR7DIKGmnfcOLdv5F+Ek2Wyy0D98iSgk
-+aoQGYLhL9llU13pn21uRsDY5uGcXiIw1IETFlTdgENEv8futZuJsegrp7fmFXyNoNyFNyypeDrM
-6ZqR4vKxFjg3tKKeVpkw/W4EAklzMxmNiazGNDBHsnYV3rwPlKa+HeeE2YxnsKwGLCNgRYUXTaJk
-461vS160z3dvh/mLfdZ7MYCkmO3bNE3ELUDAw7YQkSuo9ujzdFKte9LC34sjg9fOex3ThAg5Y50n
-wYm4zBmGM7yEqL8O6QgnM6tIDFS9XryDaLNzcGhMWqMvhzO6sC/AA2WfLgwS517Cp03IkJQWqG9q
-w52+E+GAtpioJfczEhlv9BrhjttdugRSjJrG8SYVYE4zG3Aur5eNBoGaALIOHOtPw8+JovQmIWcF
-oaJ/WQuglFrWtew51IK6F8RiHAOBVavZOuZcO7tV+5enVfreOd0rX8ZOy4hYmHhmF1hOrrWOn+Ee
-E0SYKonXN01BM9xMBIIBSLCvNAppnGPTUGjwbMJRg1VJ2KMiBWH5oJp8tyfIAxMuWFdtaLYbRSOD
-XbOAshPVK8JAY8DQDkzqaCTAkLTfSRAt9yY6SbUpMsRv7xa8nMZNJBJzJT9b/wNjgiOJgaGuJMkV
-2g/DX2jfP3PrMM/Sbnz7edORXHj1Pa5XTT8nG5MS0FuZgvevdq3o/gVVAz+ZCKOH3ShMzZvfp01l
-SX5gaJTflmU6cdNwtn2yZ6IScF7OrjUeA9iEoSVR9dQcA+4lB3RAG3LMwcnxXY35D7+PMJzHIZdF
-cSnq+n03ACY2/E/T31iijRH29rvYHGI+mP/ieYs45iq4fTWo6i1HofeWLdP0fX7xW3XO0/hWYFiw
-BxKu66whAbRhaib3XJNvetVs25ToYXyiDpjG+cd5rCMei8sGQwTBj9Zeh0URoeMW1inTP0JvCmMU
-rZgAAAAAAAAAAAAA
-
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-enc-02.pem b/crypto/openssl/crypto/pkcs7/t/msie-enc-02.pem
deleted file mode 100644
index 279c5d830b07..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/msie-enc-02.pem
+++ /dev/null
@@ -1,106 +0,0 @@
------BEGIN PKCS7-----
-MIAGCSqGSIb3DQEHA6CAMIITQAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
-bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
-aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
-uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQAKvi2eRLO+jdoiUd8ksZt+iQ0JXoWN0
-M/W9CEv6R1c42pwUIR/1F4RMK9oeyUiv9Z6lzmPaGNmx6XOCoueszVkwgfACAQAw
-gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
-EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
-GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
-QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQFqcHEo69ShGfcOIVjnmWXLZM+7Y
-K/50j8YuvNbqq+dQxk9YY8ZpSU/JYsxmtcnEZdlSJEkpMHAO73V+eh1QQr0wghFz
-BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECJsSmRA1jxLjgIIRSIGLVtf+
-pzeB6oXJ9GlfsnIij+DgIOvrYaXC9qywAaUg7zMnln9QMgiih5XpBLgPg5Y/KYp3
-RZeHBwkjTIFwlNYSjE0PbsszsJYUmkDTsCjFUJEdM4+Cbv3g3Kct5w1Q6pVMXJLg
-JG4uFUY8CTScVkb9ETbIy3HisCRKJWA57ERLvCr/Fa6gNJKa5Mw1A5Nsp+QQqp0U
-uQz93raAPbCdqmHu8qQ88rzbB1k/ysXedRQLlzhqFs2hryD7kHe0gX8nPdlkre8Y
-tTQhY76LtbjnV2drXcyCUMONc56KQ2VcuxB0BWjSeyN8a75/rpt6wmiM/PKw0D4g
-RmXqA1ZR62X2WKbhKqvG5tQTF1LauZeddeYS4Rb8cLt2VMB5irkKWrHmJ3qyWELY
-Lah6AzDDdcf3LEfDo6rO9djqlU8RJwS0ExAuBooVBP6bZJG1tNUUbtxBydQ4PJUH
-UhulBMXUMd545fVb8d+lZnKbx3OS2LpILJ66Yeao7jTrEOIgxUq0c6ozzqcQe4Ax
-mytwvL57LpMQm9HpLg3xBHOeDwkkNkNMldA3qrzhoS52yc6vDYrI5XA+kjp7LioG
-wdSBDyQAXLmWxBpZXjmHp7GBTBsFwouA9kYWP450PZEomxNvzf9SpslLlD+UZeHM
-GWdpi5zInESmtHFue2Zyc4Q8Ul761ENTA5N3uqUmWN2Egkv64Nyigv0CGCjoLB6n
-q1256S/ZxISiEl5MTwO/LfhhGExsu+cU12aek3Ks1kNhVXHFoqjJ3YB8Hw08VmHV
-V0Bh8jdHVABDaRcR5/k00h9VB8zMP1qQmfhE/4q/fZBrGbgWucrGbBHIYlKFq8gF
-zZrH4XWvX41le5IEefm9+hFPE6TRJPh1ezDvh2eVhQxFpK7iqpR0z2OxdLJ5fhmB
-CCRHZuRpg7p7MWB6cUhrtBZXDytdkARnlqJsLFudjVUTjU9gi+GUt1sUmEf2Bjba
-z58UC7CfPIBJGMLjQD1oAQi1GVo9K1ZIaKqUtGA2QEHB2m/aXZg8F3ZDMfHp6Tpc
-au9Em4AL42Hrau1ArCk0fnhgA4dbnmZoEVbZJDdMX5xno1tuqEKYdPLJHuZxJhz2
-xdJUNYSFgpDWLJTzvTOEdZWm+CVmLNl60kJkWNh7HdvWeBV1yBquA6+k+r26sIoq
-LaZuSq/8QWnNJYZeQpKl8Ib9d8ycQ62Q2sHxLTq+eTYlwkE4Gomi3665IfmE6DS9
-OnFfYO440lKJZJbJ9ET+VN8kkVfCGh3tJdyVTJc95LKJtxKJzaFUDMObCMPfWOz+
-PaTTY8j9qA+GvdRDxwyBw0CJqgIps1pZ+foEZsIBtNyHHNSWjZxImIuWtfYgNmZ9
-dteZkKibWyZYgb64rgMQ2+nViwGMlQaDfYWCOAIj3mQGPTLb0OgFfKNvxBZuj72B
-l8tx3oufN9Ah9DwXl+ynXen39ct901v5eakpCC9VC0xke6JBXyXjxw5qtXRbevyT
-jKbYkPFkruwrCUL2fVUxV3mBXGagjz2XNTaz3oDSu9GX/UMViGwwHryeSiwX9XOo
-/KVNv+i57w2OlY2k72EoK+700fHlcx+EZu+1tIjh8YOVXDg7+nBklcrr21/FABqP
-Apm+fBEQ7QQyQUF1aViizQLgyfRl/J9szZKY2S2z0pHJroahmgSQRPwWgk5FEFpW
-PXSG0bRJ8SFNZn2zz3cdT6WvA6hg40jrEHSnCmDTWbWshMPvhCKZqXQTbCqYQnwf
-FBCtlpJOGVVvqshqIv69DBbLztTZkjjmdKP48v2B5qHlER4T8vewDt3lU5BAGuQn
-yRCcm5qOeuwg8PxcKBgFAoLKM+65cczLna/yIRyB/gD4p53MV5RztnnLxw/YvA2h
-xgPLVYn4LFIakKGYnlC7rXhfeDuVAMTpL+NVGbLGE8DeJ2KzdUJHrGZdwV+DkUuB
-BN9Pz0NtwEX91mabWawiXrxptmWMxnofMYNe5gg34izvm33+Kj/+Jgvej7uImuo+
-LaOQcCiCUv/gwrqA/FnkiheKboF0JDFIh3UJzZ1T/Uqdjv+JcuZjvCc60AufVdm5
-0zQaj4aZ6PJHybyuU8qT0lQvm083q596yelHHgd7K3J/c8SsfRnTcnSUI8lo7/Hn
-N593dZ7kMIc+UNOdzQYSI8KBoNxqOyzuou/GTpaRe3XKADtdzXxy8jY58hwmolrV
-UU3Lfay3+bzdNLq0p/GCZ4B5NXkyivJxxiHDoOmHWAzg9pxOV8EYoyponhvF2t3i
-kc32y9OhqwUBDZXuiZgtd9W6d3EVcaY6vqOkQGxqDJuMiArC+Hk2qwkK7Mh5qDx6
-q/dVB6PdWr8sVO5J1phIV9u8m5rK7PGnmcDx4sS9eE3soa7gqkVb5H9SrOz/s/DD
-1G6BjakHtlizfJLQhhK9eTvDCUf3pvOhtNyX6OKGsPw1VB+UcC0+mnHnThrszIf9
-q/AXJnpoVUPP3Fr1eGCdLTluIc8lRwuYUH/LGdy88Vyx+joZ626a4cb63W2knQoV
-mQwz9Gwgm8RIZMLgZAXimazG8EUz/kz0z2C1Ux/wpii8yof9deLZBpMjt4R0uKhM
-VFd/Rdko+JspcfoQ9PttA/aZ7aTYu4bXHBpTpusjTOvWrf9/pC4CScqCJWsS3AlG
-BzTInw7fk96f7eVOF5g+d7lEOjPHb4/7naj3pDUlH7Htecq3faYzreT3CbqltvKt
-LBR3/aRyIM912RTHuTw+6acOq0vguiK+D62C7ZDVtiCm+BbtNNB/UJm79/OQ5mp5
-bTI0kPmDeycaWTa0Ojpum+c/dpG/iJOBDICj7jHOXSHT7JlGyX6aSFJUltucAnZv
-wzhPDmdDaIDiKSk85GqgdDWVfGosSCX9Ph/T3WpIxnwfWSDRtIHkWTjly+pe4yy5
-K6/XISy/L5Zh/fhiI5fjHjgzmlibs2ru4nVw6hBhUvlSSe2BEs5d9h/yNH8Wy3qv
-b2D3jh7hkepFtZJGNTHp8ZUC7Ns2JIpQYObsaxdI65i3mMOu7fRwI+0/4ejsWhP6
-KCEiLgwvLg0qM82ma6YB7qHAHboaczRVEffDcJUG4a5uycB0DoZFn+uEaEFyili2
-0hCn4hVfsqUQk2PT8Mo1tSl5e30xI1YJZrRgiJm9nHRX6fLizngP+ILJLPHZsPvl
-SVIfY+/v/FR8feKOjaGhyGF51BAxaM2NIQ4jMP5/X+U5gQybi0E6u7rroDhaHsKm
-CMgXqszwXWCpedA/sEbeHpiTC59YlPPSlIOMc9vPKo/mQCfWy/9icUaIfKQldvkl
-lUxxNkqu6AbIpHVscbAEzSPs5xbQXU8EZNNCDisFnnpY3nQ3eLnlm89saTJxRb7N
-WHRMlmPv7qgD7uMIq3vdOGA7i5wT9MeoNIgK1/DsgH30s6RWjJy4YyyLmRTXPzbj
-hbQVpEmiMRbEidIvUx2OjKVxVQIcgtLsa2lvHQ4XL1cpLr5GVtOgy0fMg5OCDUUD
-svjgjgLQ3P2Up2nVY5FM6/QpPc5DTLuuR9ekI2/c9Biz09RtcYDUQK2ajdo8h1Iy
-KqHFoB7h48OXxXKKY94DY0TGx6PonB/epj8orAw4QKmm5M0vXYwBOqRymCTHTqOJ
-GObdLx1euFFyqguzHJOU2gAGZI0z9Lg1yRuFyhdPZyuniIcmtLNxRZ1duYHErcAy
-X56qndmLXt7UVkATai/rIMuoJLfAsUnVuTUS5p7tJM754UZT7lTcXvDJgOUNnBRa
-IcxC3pxvbrYDJ2iFJ72xkxUP2p74gucqg25XnCVmQuLg6zDDxF6CLuw9isxyXg4p
-kneMN//7fpp8GYl9nyZm2yqYYM+jcw0fcVc64L+X4w/gL3H2UMGgxIHSJp7HIG7V
-KHtXrNyjdPXXPVUsMsAAimqOr0Lr2sZWirfuivLaPTqhbkvG5PF7K3gT80AOIcd/
-6EIHBy2hZ7ukfjHmdP4LyQOhTQklaKzGHI0mypq0uFLWJOUlZnVrMiLP1xrWkpC8
-Ro9eo6mfjjQ45z8adC43a47klwTEzvod3rNEFIGJJUEjAN3mbqie7IxoSJknBBJK
-0D9lZEQ8lZWlq7vuN8JdqPM6xh155jMVsPwjLK6Tzkj5BpRD9Tgm3u6HPeCRYQ3v
-ky71MaixdjTGbWTorqw+/wv3j0KstajivUjYsDTvZtMa9A/bxWyFQDvqOBxPWhwL
-770+iS0grXRgKrnD4V8wBDTgp4Je4B2aJjaIBPhKV5rrU8wIy1reZUbItRkIsSY/
-4jRQpHmaU7R8YRyNT2PxOZuNmrE0WqWguxTuhKLs6zQS1geR0BWsTFTI5z9kOJ7p
-8GN0tOYt0KZsT0k3COVtfKl1Nm6kaAs2EoYMiyRQAAzBlhrIjph9IgyQ0J4BhOeM
-64ZlnWawJcZex8wFHWx9QiP1R4aPAPyCr5RVUdf+h6gf+bR4nmmmqLf6dSWBz0O+
-liwL8WDQbYq5hv0H5Un5rgYzNBI9ESgW1CkH120uQFvsdr+GkZZMh2rNbR4CjmWX
-I3wU2+XYW7Yhwto2ZYU7r2AuNEpCimnR28U67ABUjp+8YOOnVaKCg1sVmXw36KJa
-bMo6OgbZktt7PVyVkKaz8k8mteEQww7FalXORDI3ffpVYeYaAxyNooIZJ4DaecRI
-ga6IJcyuQeUZ9ptgiwpwcUKja3Xe5fJk9/TNI9OS4PQSH3bCoL2m8DeC+usJR+j0
-yfduz54pYqYOWlyzyYOfTfagiD7OtCEh24ypdWfd6/N5UzcHkwE4Yy+DnX9JeDtH
-4wL/jreO5BARv0hV78hgac7/+hab2XD/fvsB/+of4Wc3TahsnDUW96xAiz17lEc1
-DKQps76+ZUlCXWd30NlascM07v/zRjPaEKbtPCzmdJE3aIWXJFpgkevvKnGRTasJ
-qTavq5rtcPC7WpTZFPf6o+NPVG7FDahOUfIaQo8xkYJFz4JJbPlp54KYdlXB1vec
-Lxil+y6MyJirKAt65DzamMq5HsMgoaad9w4t2/kX4STZbLLQP3yJKCT5qhAZguEv
-2WVTXemfbW5GwNjm4ZxeIjDUgRMWVN2AQ0S/x+61m4mx6Cunt+YVfI2g3IU3LKl4
-OszpmpHi8rEWODe0op5WmTD9bgQCSXMzGY2JrMY0MEeydhXevA+Upr4d54TZjGew
-rAYsI2BFhRdNomTjrW9LXrTPd2+H+Yt91nsxgKSY7ds0TcQtQMDDthCRK6j26PN0
-Uq170sLfiyOD1857HdOECDljnSfBibjMGYYzvISovw7pCCczq0gMVL1evINos3Nw
-aExaoy+HM7qwL8ADZZ8uDBLnXsKnTciQlBaob2rDnb4T4YC2mKgl9zMSGW/0GuGO
-2126BFKMmsbxJhVgTjMbcC6vl40GgZoAsg4c60/Dz4mi9CYhZwWhon9ZC6CUWta1
-7DnUgroXxGIcA4FVq9k65lw7u1X7l6dV+t453Stfxk7LiFiYeGYXWE6utY6f4R4T
-RJgqidc3TUEz3EywrzQKaZxj01Bo8GzCUYNVSdijIgVh+aCafLcnyAMTLlhXbWi2
-G0Ujg12zgLIT1SvCQGPA0A5M6mgkwJC030kQLfcmOkm1KTLEb+8WvJzGTSQScyU/
-W/8DY4IjiYGhriTJFdoPw19o3z9z6zDP0m58+3nTkVx49T2uV00/JxuTEtBbmYL3
-r3at6P4FVQM/mQijh90oTM2b36dNZUl+YGiU35ZlOnHTcLZ9smeiEnBezq41HgPY
-hKElUfXUHAPuJQd0QBtyzMHJ8V2N+Q+/jzCcxyGXRXEp6vp9NwAmNvxP099Yoo0R
-9va72BxiPpj/4nmLOOYquH01qOotR6H3li3T9H1+8Vt1ztP4VmBYsAcSruusIQG0
-YWom91yTb3rVbNuU6GF8og6YxvnHeawjHovLBkMEwY/WXodFEaHjFtYp0z9Cbwpj
-FK2YAAAAAA==
------END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-s-a-e b/crypto/openssl/crypto/pkcs7/t/msie-s-a-e
deleted file mode 100644
index 0067794d7081..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/msie-s-a-e
+++ /dev/null
@@ -1,91 +0,0 @@
-
-MIAGCSqGSIb3DQEHA6CAMIACAQAxggHCMIHMAgEAMHYwYjERMA8GA1UEBxMISW50ZXJuZXQxFzAV
-BgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5k
-aXZpZHVhbCBTdWJzY3JpYmVyAhBgQJiC3qfbCbjdj5INYLnKMA0GCSqGSIb3DQEBAQUABECjscaS
-G0U299fqiEAgTqTFQBp8Ai6zzjl557cVb3k6z4QZ7CbqBjSXAjLbh5e7S5Hd/FrFcDnxl1Ka06ha
-VHGPMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UE
-BxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
-UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0GCSqG
-SIb3DQEBAQUABECsyHXZ1xaiv0UQRvOmVYsaF38AL2XX75wxbCsz5/wOg7g3RP4aicZxaR4sBog0
-f2G1o9om/hu+A0rIYF/L4/GUMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIsozQrnwj
-cc2ggASCBAAQz/LPoJe/+iYWeTwSebz6Q9UeKZzQ2UWm7GLtEM3s3c9SCvpmkwIRdEhLjWaBJMyI
-DiL7t1I1vMf9inB8LXgAcIEYkpNScjS8ERA9Ebb7ieNKSBg7w7B8ATHFxLSlDADqRgoZrB1Ctfgf
-ximp3EgxTgnhtyQhZxXW7kBQyFRwumplrJXOp7albP7IothrOKncw30IJT1fwPxWNMItI9juXF0U
-CbWVSjPzGBo4+XNXMvUO6MplOQEz/ywEQ9E8OZAQex1Zw9qq5ppsXB2pMsYV5sLJGikukMYKquiz
-3YK+tN6J8ahLcDUs+VGwqvZi17gpBTlbEP+ZmXJpnO63t1yTEB0V5AZcRKWUOhzlCBM5YUagqNoY
-cpsmSvOK6bYzkUKOrzWpDCAtGZ/Dvul5dTZZmxs2WpM+iyeHXMxO3huy8K1brPTqt1f1sHhuq1jD
-1eXedaCjIgUW9qV18vNAQCof/Yb6T/1fxztf/jD7pPLQJ+7LJkKCAEHGcaizpoKqhYcttaEhLq1G
-O+Ohqf7yFegMdTJ3wwP324w5ZYSU5fLo2Z34/Edf6EGvXyTIqVfAmEBALd6JGVdN5GlYYTxrL+eO
-P80Z4ao4YKoxwEmRp5bmQsQ8B29QhOFKmC6eiG5B96qLMtp7Zmu1grDNxTd6OXShWVwYARD0/B1P
-Sy0PAfk9Gb4fAkO9fZJDQYZ7s0mM5iOPEeSR7820TolOb+KfRabLA9d714jsc2jEykKlpP66Bh4j
-aCsyqJ0uUQcE8SnzrKAqGwgWiCGQpiTa+HBiP6eRlRGOKQj5Y06vcNx6Ija4cGe6+yCN8HV8tCY0
-okZK98NQCl5t79R/ZB2c3NvBJH+/g3ulU48ikT3tVmDxE3mOZofZyGFEM99P+YCMScLDxTl3hzGy
-0YkI8U855P7qOAbcFfh2T5n+LSELwLhbkymEfZT917GWTfmypBWMvJx0WHeDhKwQYPdzbKgWETnc
-yeKasaCW+oLdhBwrd6Ws2r4MA8cwiYXDLbwYmCxJA8VF++8kubF2HJOjSyMBS+QT2PSV/0D9UWoi
-Vfk7R4OvWBJVvq7nV+lXS0O5igjExxlmx1OaBfg7+Cr/MbK4zVNrKSJn82NnKKt6LC6RaTmvFYay
-0sDFxQ7Xo+Th6tDNKmKWJt6Kegfjc+qTWJTKb3kL+UI8vS0zTLy1+M/rZ4ekos/JiS5rYIcAswvg
-58kBgp/0rc6upBeWjBaK5O0aLAeBQfLulo1axWX04OSVKmYeoAltyR6UO9ME3acurQyg7Ta24yqO
-whi/PrIaEiO7dsWvFtzsshVzBLic02NlAkPkMUzliPYnZHWQglDAVxL5K2qhvK1OFCkQpIgBsBDM
-6KYRL/mkBIIEALIl927rIkaN37/BQIcxLcSa05YfC0Hl3mxWESt1A0D4lA37A9S8EbYmDfAYlMc0
-3HhZGdZEtawfpJFyDHzNZceNWBch6nxeNZCY4YFdsbzuGS0RKpwNA9S/czOJ4p9ymBCxuhGepI3U
-PKbC8C749Www1/wMdAot1n+K7M/PBGR8hWmaH5SS7U3yMwAB1fq2NDjx4ur+Um+MclSdN01MDXzG
-EO+eAo1pdAY8479234l8dB2YVAhZ1ZlJ4KmbqMKJrGJXnQUEYS6/cTDRjsUocsoW7uGg1ci2GiHa
-qjlkfpBfie3SdhFW/K8hwAH0HALs56oFN66wUkP/AaJAPfIUNhR6RpHKzZ9zCC42oB2mNawQRMnF
-ETBl1s/SwMxLKRp7jAfKs4NZxSY6I9z/2dTpzS3tsHMjxVDuxkolvRNWBILEMeL1CBvip2HhmoUw
-/Sz5NDgyzk1aQLV6DQNJ2RZLMZDRCtSwZSBu6lhhSgTJGazP0+NbqXXC5aQTrqrFIcWyDXz+ADle
-kszzYM/gSaQTCALTwfDDaU9Ek3xVgW+XBtExtJ3U+0AN3l0j86rUIdIvp6eWdxWQqv9LtpoorKMD
-KfUc5PYV09Z1JgsT4X51Zzq+74l5dz7udIM7UNbdTpmRm9PDj3TUbGCvNR9hqOEGTLbkvb1ZR24a
-h6uGRl2znB25IpDAGRhNRb9is/pO2tvHwHTDMOjrgvZG/pNvXgSUxz0pRjUjXIcqBe2X2gcQfeal
-r8gY76o83WEGL6ODryV9vTQVHt52+izgpYoBZaVlpgqbZl54c+OE0Zxf9RwXwDbcYu5Ku5E0MPL0
-qUjc0y2+Y6E4P5bAWaZGMGT+ORkyVUzcaWmM/+XlO7PER5wrWlCIMZCX1L/nvioY0q0CKqALn7DJ
-QU+qenbwrb6uwS7uNZY6V86s0aDYpU7yRyqxC5SbuyNJb02gdxUCgpIscFaMUjMVRml4M4BIjX/b
-U+HgHoVMUm8SnN9gRcT2izPrgOGVcMTJjfenzoCKoCPo9RjgGMctgB4DvKamErNU7OrilIfuoqzE
-PNSeP9SPw/zkDmNvMebM499We9CVnsHUWqF00/ZJWoua77+0f1bLS/tmci1JBvIcMo/4SJvgH+KF
-o0gijP9gqAPd5iCOnpnJlHUqRIym42SmyKEDuzdSwXKjAR6j7uXda39JyMJr8gGzEsu0jYRkAmj1
-YdiqwKXUcLMkcj1AKeU/PxTUVw0YKsv/rowrPYww3xQUWqNivrXB7GCHE3BzsYNdHsmziaGIXQbA
-+EBHdkuKrM8BcC+fxhF/l/KUxngsD1E75IcUv8zFDF+sk4CBYHqks9S4JYlcubuizqsILbdGzIMN
-Z7w34k0XT+sEggQAyzr8MHeIJGsT+AYnZr08PeTbyr01JEoT7lPYT6PzX4F63QKKDl+mB+PwLMzY
-CXrxZcUmuay6/MV8w/f5T6vQXdoSw5puWodBYwVReYh1IaEN+jiTapm9YBVmcIsJPO6abHowknSV
-OWSvST0AtAX57fFOTckm+facfBK9s9T1lUUgF44Bh5e8f9qKqfOV44nqdCOEyUm0Dao497ieN4Eg
-XBLNvOZY9+irMiXjp0lcyFvhrJOczfyCr9EiiaiH1TfSzKGKsf2W84iKn/JH6x2eOo7xjwJ40BQD
-c6S1cUNEuqBhP6by0FioOXYOKVyifpxk84Eb+F/4CNdTJTvCPwsiegdfsX/Q53DvKVtXp9Ycam5J
-TmKRHXK/bMHF4ONv3p/O/kn/BqRx+fbbP2eMX8Z1F/ltHKfp6B+06HljUwQLBJs9XtCfqH5Zgdz9
-gad5WZF5ykFArmHDgeFlgggvbZ7z9vqnjN/TH68TxJzauYQ5vLHQ6wGXik4/4uq7/TqNmhxlQEM4
-zVkwsn203bUmKLyz+yl1zItDpn5zy1uXfGo99rBdUzdbdE9LmEFPMaFsaHd4a8oDaUroD7FgCbeD
-JJVld3ac6F8+3QbExPs48OrgA1kI3/UwXr52ldjiYzTLfAGR9BjqNFTw45FUHuMf8TEM5hcHx56w
-95eKAqraDk28o9k+M2UKpcmrdlWoWzdqVVFeWGpM8x9Y9Nt0lf/4VUQgrXjqTkUCQkJyqTeTeGgH
-rn3QBk2XAgpxZhaJs3InW0BkAlBmK99cMinUiJeFt5a4p5wPeXrVuh6V9m7Mpl9hzpogg++EZqah
-fzzNnDgxOZfW342DX052PdgXo0NnkhCk005LvFt6M2mRn0fLgNVfyUZZoOp8cO5ZWbhXXlrhrgUt
-j2zKPK6Q94Zj4kdXHBGpAkrB8ZQ4EGGODE0Dqusm8WPXzB+9236IMHPU7lFbyjBrFNI7O4jg+qRI
-Ipi+7tX0FsilqEbmjG+OPwhZXrdqUqyF+rjKQuSRq7lOeDB4c6S2dq4OOny01i5HCbbyc9UvSHRm
-hOhGqUlzHyHLo3W7j+26V/MhkDXJ+Tx+qfylv4pbliwTteJJj+CZwzjv29qb6lxYi+38Bw10ERap
-m8UCRFBecVN7xXlcIfyeAl666Vi7EBJZv3EdFNrx1nlLwM65nYya7uj6L7IwJWotIUx8E0XH0/cU
-xS/dG8bxf9L/8652h5gq3LI+wTNGuEX0DMuz7BGQG+NtgabrZ6SsKGthGa7eULTpz0McWTLRU0y/
-/tkckpm5pDnXSFbIMskwwjECz82UZBSPpigdN/Pjg5d+0yWu7s3VJxw4ENWPPpzZ+j7sOXmdvn9P
-O1tQd60EO+3awASCBAAZQvWV3/yJ6FxPttbP+qeURpJoPEZfpN2UYZmd8HqtR0YbaOZ6Rln9nvpd
-K9fylXdw9z2xeCbjDWUttJB4VqZxGJM8eCTC1VDVyAOsQ5n7SY55dMkQbU+o4Z/4J5m8+wz50BBI
-LfruL1eZ6/CF6CdvxVRiJ10sXc0Tn2sVMXqkw7Adp1GYoCI9c6VFSFK74+n+y7LVFQ5HBnbQyKJc
-dvdLOXwZOPaFHC5UNXRmOpcwdPqyXUe+xIsOMYbzdlAnI9eGDNeRDktUa/Rh0CbZCxjmJzoZEYOE
-ZjsYZlEfp1Kb61t8z4m28hGLEg88T1Ihmxa2HeUWes1RpmgIOP+/2Lb3smj/l/fpSu4gabFgyCAV
-H5HdCYMScUv8SVu55+tpeO8ELoHHQUXV4rr084O4budzhgNSOPyLGDl5sfDUXiyusPCxS4JVO/KY
-6V2Qrtg/q2wtmXpEkZnGT+Qi3WDzwt4W81alztnYMP17oGLmxX71KV9OEiMZjI4WaaGt+OOINLtR
-qefioZ1NI2L1s5M0tybwTsyU9WERM+3pUwXIfJVsbMZRlNaO2OogcHbaR4UWvhOj+3CTG1sThiYQ
-MxMnp1Rpqx3nhyzqLO3TRrkYvxnA3cdPBn9EeqpgBMg7X3hCiMV3Fl5cj/WOMhtHYgY7BgeCXo46
-EFVZ4+WroGZ46xGiRDiIblo8bzLd7QCxvukzxy3mUDgsZQ8pds4N28weSUhBk5MAPbfBpRvXUVJx
-MhKqXucQU1Md1qSGLbuuIQuz9pAGp1JFUx/vEkCgm74daSoVWCZuB+1ZE4f48clvrBj51xMNf8CP
-EFE7vySzVb6X2H1i5X3Z+Y3DdIcWw4Y2FClfcJk4Mwq8Cq2GALGFEge9YSEE9YmyuU6OFeU0ICon
-iXAgZ72SM8fBwJPruLFbdsNYKW+oAfmPisXSWMcZmdSbfk0GYv+vKtu3eegSbWw1UsCVtZOh9E5Z
-uQ83l59CBqO9sV/SFU3WrrJ0qNWxrmXu9nJn5Qf5iCRoFGYNHYHkIG5FS6N00GEDZxGkxmro2d++
-Adj5LVHc/b1cYWmrux+jEqI8ZK8cyTB0XMbBA/HYbx9NXazr7znP4/Mlv3pZToEcYt+lgLHAArtU
-AdhybhbLIwNMq0gr6EwtDklBa3ns4Wx/rJU8H7LGs6gV8uqeaSketv+nz+sQhfctxZ1rx+5qzXfy
-FOQVpO23KDQunBi1Bl9k61Di4q9JWcyADBXPHXJzp7mL8Fk7zdvMAEfuED1phdRm6GgDYoYUs4yQ
-IrhSjFlWyk7hT8475xk3BIv++obvWSAv/3+pF6A6U2RXDChVmnG0JnPa9wYYtdzBmLfZKBjX+DjD
-yEMsuhPsCzuN4R6tBIIBWCVRKmKwdkatmpsQBgDw48u0/Arffl5/DRlS9ee+QffFecUitDdCK+kt
-X5L2fGYrL5g6SltncMIeV1ptx4nuSjC/O944q1KYtqvQiPFWJqEXIRMNbbYOC47sjLza0tEFrimN
-wxcrWGSzsy5R9beFQ1aHPcMrDWfCoviNRk2qPtxuKIC5Qk2ZuOmJLjCiLwUGEb0/1Mpzv3MqQa7d
-mRayXg3DZWJPajxNZv6eS357ElMvwGQmqafb2mlQJwWLsg9m9PG7uqEoyrqSc6MiuY+icLEFib9j
-OfRQrx70rTSKUfTr4MtP0aZZAefjCrpVIyTekhFDOk0Nmx057eonlyGgmGpl5/Uo+t1J1Z11Ya/l
-bNbfmebRISJeTVW0I8FhseAZMI1GSwp/ludJxSLYOgyRkh+GX134MexNo7O9F1SxLCfWaSG9Fc3s
-5ify04ua9/t8SGrYZPm/l3MkAAAAAAAAAAAAAA==
-
-
diff --git a/crypto/openssl/crypto/pkcs7/t/msie-s-a-e.pem b/crypto/openssl/crypto/pkcs7/t/msie-s-a-e.pem
deleted file mode 100644
index 55dbd8f80bdd..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/msie-s-a-e.pem
+++ /dev/null
@@ -1,106 +0,0 @@
------BEGIN PKCS7-----
-MIAGCSqGSIb3DQEHA6CAMIITUAIBADGCAcIwgcwCAQAwdjBiMREwDwYDVQQHEwhJ
-bnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1ZlcmlT
-aWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXICEGBAmILep9sJ
-uN2Pkg1gucowDQYJKoZIhvcNAQEBBQAEQKOxxpIbRTb31+qIQCBOpMVAGnwCLrPO
-OXnntxVveTrPhBnsJuoGNJcCMtuHl7tLkd38WsVwOfGXUprTqFpUcY8wgfACAQAw
-gZkwgZIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
-EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsT
-GURFTU9OU1RSQVRJT04gQU5EIFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBW
-QUxVRSBDQQICBG4wDQYJKoZIhvcNAQEBBQAEQKzIddnXFqK/RRBG86ZVixoXfwAv
-ZdfvnDFsKzPn/A6DuDdE/hqJxnFpHiwGiDR/YbWj2ib+G74DSshgX8vj8ZQwghGD
-BgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgICAKAECLKM0K58I3HNgIIRWBDP8s+g
-l7/6JhZ5PBJ5vPpD1R4pnNDZRabsYu0Qzezdz1IK+maTAhF0SEuNZoEkzIgOIvu3
-UjW8x/2KcHwteABwgRiSk1JyNLwRED0RtvuJ40pIGDvDsHwBMcXEtKUMAOpGChms
-HUK1+B/GKancSDFOCeG3JCFnFdbuQFDIVHC6amWslc6ntqVs/sii2Gs4qdzDfQgl
-PV/A/FY0wi0j2O5cXRQJtZVKM/MYGjj5c1cy9Q7oymU5ATP/LARD0Tw5kBB7HVnD
-2qrmmmxcHakyxhXmwskaKS6Qxgqq6LPdgr603onxqEtwNSz5UbCq9mLXuCkFOVsQ
-/5mZcmmc7re3XJMQHRXkBlxEpZQ6HOUIEzlhRqCo2hhymyZK84rptjORQo6vNakM
-IC0Zn8O+6Xl1NlmbGzZakz6LJ4dczE7eG7LwrVus9Oq3V/WweG6rWMPV5d51oKMi
-BRb2pXXy80BAKh/9hvpP/V/HO1/+MPuk8tAn7ssmQoIAQcZxqLOmgqqFhy21oSEu
-rUY746Gp/vIV6Ax1MnfDA/fbjDllhJTl8ujZnfj8R1/oQa9fJMipV8CYQEAt3okZ
-V03kaVhhPGsv544/zRnhqjhgqjHASZGnluZCxDwHb1CE4UqYLp6IbkH3qosy2ntm
-a7WCsM3FN3o5dKFZXBgBEPT8HU9LLQ8B+T0Zvh8CQ719kkNBhnuzSYzmI48R5JHv
-zbROiU5v4p9FpssD13vXiOxzaMTKQqWk/roGHiNoKzKonS5RBwTxKfOsoCobCBaI
-IZCmJNr4cGI/p5GVEY4pCPljTq9w3HoiNrhwZ7r7II3wdXy0JjSiRkr3w1AKXm3v
-1H9kHZzc28Ekf7+De6VTjyKRPe1WYPETeY5mh9nIYUQz30/5gIxJwsPFOXeHMbLR
-iQjxTznk/uo4BtwV+HZPmf4tIQvAuFuTKYR9lP3XsZZN+bKkFYy8nHRYd4OErBBg
-93NsqBYROdzJ4pqxoJb6gt2EHCt3pazavgwDxzCJhcMtvBiYLEkDxUX77yS5sXYc
-k6NLIwFL5BPY9JX/QP1RaiJV+TtHg69YElW+rudX6VdLQ7mKCMTHGWbHU5oF+Dv4
-Kv8xsrjNU2spImfzY2coq3osLpFpOa8VhrLSwMXFDtej5OHq0M0qYpYm3op6B+Nz
-6pNYlMpveQv5Qjy9LTNMvLX4z+tnh6Siz8mJLmtghwCzC+DnyQGCn/Stzq6kF5aM
-Fork7RosB4FB8u6WjVrFZfTg5JUqZh6gCW3JHpQ70wTdpy6tDKDtNrbjKo7CGL8+
-shoSI7t2xa8W3OyyFXMEuJzTY2UCQ+QxTOWI9idkdZCCUMBXEvkraqG8rU4UKRCk
-iAGwEMzophEv+aSyJfdu6yJGjd+/wUCHMS3EmtOWHwtB5d5sVhErdQNA+JQN+wPU
-vBG2Jg3wGJTHNNx4WRnWRLWsH6SRcgx8zWXHjVgXIep8XjWQmOGBXbG87hktESqc
-DQPUv3MzieKfcpgQsboRnqSN1DymwvAu+PVsMNf8DHQKLdZ/iuzPzwRkfIVpmh+U
-ku1N8jMAAdX6tjQ48eLq/lJvjHJUnTdNTA18xhDvngKNaXQGPOO/dt+JfHQdmFQI
-WdWZSeCpm6jCiaxiV50FBGEuv3Ew0Y7FKHLKFu7hoNXIthoh2qo5ZH6QX4nt0nYR
-VvyvIcAB9BwC7OeqBTeusFJD/wGiQD3yFDYUekaRys2fcwguNqAdpjWsEETJxREw
-ZdbP0sDMSykae4wHyrODWcUmOiPc/9nU6c0t7bBzI8VQ7sZKJb0TVgSCxDHi9Qgb
-4qdh4ZqFMP0s+TQ4Ms5NWkC1eg0DSdkWSzGQ0QrUsGUgbupYYUoEyRmsz9PjW6l1
-wuWkE66qxSHFsg18/gA5XpLM82DP4EmkEwgC08Hww2lPRJN8VYFvlwbRMbSd1PtA
-Dd5dI/Oq1CHSL6enlncVkKr/S7aaKKyjAyn1HOT2FdPWdSYLE+F+dWc6vu+JeXc+
-7nSDO1DW3U6ZkZvTw4901GxgrzUfYajhBky25L29WUduGoerhkZds5wduSKQwBkY
-TUW/YrP6Ttrbx8B0wzDo64L2Rv6Tb14ElMc9KUY1I1yHKgXtl9oHEH3mpa/IGO+q
-PN1hBi+jg68lfb00FR7edvos4KWKAWWlZaYKm2ZeeHPjhNGcX/UcF8A23GLuSruR
-NDDy9KlI3NMtvmOhOD+WwFmmRjBk/jkZMlVM3GlpjP/l5TuzxEecK1pQiDGQl9S/
-574qGNKtAiqgC5+wyUFPqnp28K2+rsEu7jWWOlfOrNGg2KVO8kcqsQuUm7sjSW9N
-oHcVAoKSLHBWjFIzFUZpeDOASI1/21Ph4B6FTFJvEpzfYEXE9osz64DhlXDEyY33
-p86AiqAj6PUY4BjHLYAeA7ymphKzVOzq4pSH7qKsxDzUnj/Uj8P85A5jbzHmzOPf
-VnvQlZ7B1FqhdNP2SVqLmu+/tH9Wy0v7ZnItSQbyHDKP+Eib4B/ihaNIIoz/YKgD
-3eYgjp6ZyZR1KkSMpuNkpsihA7s3UsFyowEeo+7l3Wt/ScjCa/IBsxLLtI2EZAJo
-9WHYqsCl1HCzJHI9QCnlPz8U1FcNGCrL/66MKz2MMN8UFFqjYr61wexghxNwc7GD
-XR7Js4mhiF0GwPhAR3ZLiqzPAXAvn8YRf5fylMZ4LA9RO+SHFL/MxQxfrJOAgWB6
-pLPUuCWJXLm7os6rCC23RsyDDWe8N+JNF0/ryzr8MHeIJGsT+AYnZr08PeTbyr01
-JEoT7lPYT6PzX4F63QKKDl+mB+PwLMzYCXrxZcUmuay6/MV8w/f5T6vQXdoSw5pu
-WodBYwVReYh1IaEN+jiTapm9YBVmcIsJPO6abHowknSVOWSvST0AtAX57fFOTckm
-+facfBK9s9T1lUUgF44Bh5e8f9qKqfOV44nqdCOEyUm0Dao497ieN4EgXBLNvOZY
-9+irMiXjp0lcyFvhrJOczfyCr9EiiaiH1TfSzKGKsf2W84iKn/JH6x2eOo7xjwJ4
-0BQDc6S1cUNEuqBhP6by0FioOXYOKVyifpxk84Eb+F/4CNdTJTvCPwsiegdfsX/Q
-53DvKVtXp9Ycam5JTmKRHXK/bMHF4ONv3p/O/kn/BqRx+fbbP2eMX8Z1F/ltHKfp
-6B+06HljUwQLBJs9XtCfqH5Zgdz9gad5WZF5ykFArmHDgeFlgggvbZ7z9vqnjN/T
-H68TxJzauYQ5vLHQ6wGXik4/4uq7/TqNmhxlQEM4zVkwsn203bUmKLyz+yl1zItD
-pn5zy1uXfGo99rBdUzdbdE9LmEFPMaFsaHd4a8oDaUroD7FgCbeDJJVld3ac6F8+
-3QbExPs48OrgA1kI3/UwXr52ldjiYzTLfAGR9BjqNFTw45FUHuMf8TEM5hcHx56w
-95eKAqraDk28o9k+M2UKpcmrdlWoWzdqVVFeWGpM8x9Y9Nt0lf/4VUQgrXjqTkUC
-QkJyqTeTeGgHrn3QBk2XAgpxZhaJs3InW0BkAlBmK99cMinUiJeFt5a4p5wPeXrV
-uh6V9m7Mpl9hzpogg++EZqahfzzNnDgxOZfW342DX052PdgXo0NnkhCk005LvFt6
-M2mRn0fLgNVfyUZZoOp8cO5ZWbhXXlrhrgUtj2zKPK6Q94Zj4kdXHBGpAkrB8ZQ4
-EGGODE0Dqusm8WPXzB+9236IMHPU7lFbyjBrFNI7O4jg+qRIIpi+7tX0FsilqEbm
-jG+OPwhZXrdqUqyF+rjKQuSRq7lOeDB4c6S2dq4OOny01i5HCbbyc9UvSHRmhOhG
-qUlzHyHLo3W7j+26V/MhkDXJ+Tx+qfylv4pbliwTteJJj+CZwzjv29qb6lxYi+38
-Bw10ERapm8UCRFBecVN7xXlcIfyeAl666Vi7EBJZv3EdFNrx1nlLwM65nYya7uj6
-L7IwJWotIUx8E0XH0/cUxS/dG8bxf9L/8652h5gq3LI+wTNGuEX0DMuz7BGQG+Nt
-gabrZ6SsKGthGa7eULTpz0McWTLRU0y//tkckpm5pDnXSFbIMskwwjECz82UZBSP
-pigdN/Pjg5d+0yWu7s3VJxw4ENWPPpzZ+j7sOXmdvn9PO1tQd60EO+3awBlC9ZXf
-/InoXE+21s/6p5RGkmg8Rl+k3ZRhmZ3weq1HRhto5npGWf2e+l0r1/KVd3D3PbF4
-JuMNZS20kHhWpnEYkzx4JMLVUNXIA6xDmftJjnl0yRBtT6jhn/gnmbz7DPnQEEgt
-+u4vV5nr8IXoJ2/FVGInXSxdzROfaxUxeqTDsB2nUZigIj1zpUVIUrvj6f7LstUV
-DkcGdtDIolx290s5fBk49oUcLlQ1dGY6lzB0+rJdR77Eiw4xhvN2UCcj14YM15EO
-S1Rr9GHQJtkLGOYnOhkRg4RmOxhmUR+nUpvrW3zPibbyEYsSDzxPUiGbFrYd5RZ6
-zVGmaAg4/7/YtveyaP+X9+lK7iBpsWDIIBUfkd0JgxJxS/xJW7nn62l47wQugcdB
-RdXiuvTzg7hu53OGA1I4/IsYOXmx8NReLK6w8LFLglU78pjpXZCu2D+rbC2ZekSR
-mcZP5CLdYPPC3hbzVqXO2dgw/XugYubFfvUpX04SIxmMjhZpoa3444g0u1Gp5+Kh
-nU0jYvWzkzS3JvBOzJT1YREz7elTBch8lWxsxlGU1o7Y6iBwdtpHhRa+E6P7cJMb
-WxOGJhAzEyenVGmrHeeHLOos7dNGuRi/GcDdx08Gf0R6qmAEyDtfeEKIxXcWXlyP
-9Y4yG0diBjsGB4JejjoQVVnj5augZnjrEaJEOIhuWjxvMt3tALG+6TPHLeZQOCxl
-Dyl2zg3bzB5JSEGTkwA9t8GlG9dRUnEyEqpe5xBTUx3WpIYtu64hC7P2kAanUkVT
-H+8SQKCbvh1pKhVYJm4H7VkTh/jxyW+sGPnXEw1/wI8QUTu/JLNVvpfYfWLlfdn5
-jcN0hxbDhjYUKV9wmTgzCrwKrYYAsYUSB71hIQT1ibK5To4V5TQgKieJcCBnvZIz
-x8HAk+u4sVt2w1gpb6gB+Y+KxdJYxxmZ1Jt+TQZi/68q27d56BJtbDVSwJW1k6H0
-Tlm5DzeXn0IGo72xX9IVTdausnSo1bGuZe72cmflB/mIJGgUZg0dgeQgbkVLo3TQ
-YQNnEaTGaujZ374B2PktUdz9vVxhaau7H6MSojxkrxzJMHRcxsED8dhvH01drOvv
-Oc/j8yW/ellOgRxi36WAscACu1QB2HJuFssjA0yrSCvoTC0OSUFreezhbH+slTwf
-ssazqBXy6p5pKR62/6fP6xCF9y3FnWvH7mrNd/IU5BWk7bcoNC6cGLUGX2TrUOLi
-r0lZzIAMFc8dcnOnuYvwWTvN28wAR+4QPWmF1GboaANihhSzjJAiuFKMWVbKTuFP
-zjvnGTcEi/76hu9ZIC//f6kXoDpTZFcMKFWacbQmc9r3Bhi13MGYt9koGNf4OMPI
-Qyy6E+wLO43hHq0lUSpisHZGrZqbEAYA8OPLtPwK335efw0ZUvXnvkH3xXnFIrQ3
-QivpLV+S9nxmKy+YOkpbZ3DCHldabceJ7kowvzveOKtSmLar0IjxViahFyETDW22
-DguO7Iy82tLRBa4pjcMXK1hks7MuUfW3hUNWhz3DKw1nwqL4jUZNqj7cbiiAuUJN
-mbjpiS4woi8FBhG9P9TKc79zKkGu3ZkWsl4Nw2ViT2o8TWb+nkt+exJTL8BkJqmn
-29ppUCcFi7IPZvTxu7qhKMq6knOjIrmPonCxBYm/Yzn0UK8e9K00ilH06+DLT9Gm
-WQHn4wq6VSMk3pIRQzpNDZsdOe3qJ5choJhqZef1KPrdSdWddWGv5WzW35nm0SEi
-Xk1VtCPBYbHgGTCNRksKf5bnScUi2DoMkZIfhl9d+DHsTaOzvRdUsSwn1mkhvRXN
-7OYn8tOLmvf7fEhq2GT5v5dzJAAAAAA=
------END PKCS7-----
diff --git a/crypto/openssl/crypto/pkcs7/t/nav-smime b/crypto/openssl/crypto/pkcs7/t/nav-smime
deleted file mode 100644
index 6ee4b597a145..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/nav-smime
+++ /dev/null
@@ -1,157 +0,0 @@
-From angela@c2.net.au Thu May 14 13:32:27 1998
-X-UIDL: 83c94dd550e54329bf9571b72038b8c8
-Return-Path: angela@c2.net.au
-Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id NAA27838 for <tjh@cryptsoft.com>; Thu, 14 May 1998 13:32:26 +1000 (EST)
-Message-ID: <355A6779.4B63E64C@cryptsoft.com>
-Date: Thu, 14 May 1998 13:39:37 +1000
-From: Angela van Lent <angela@c2.net.au>
-X-Mailer: Mozilla 4.03 [en] (Win95; U)
-MIME-Version: 1.0
-To: tjh@cryptsoft.com
-Subject: signed
-Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms9A58844C95949ECC78A1C54C"
-Content-Length: 2604
-Status: OR
-
-This is a cryptographically signed message in MIME format.
-
---------------ms9A58844C95949ECC78A1C54C
-Content-Type: text/plain; charset=us-ascii
-Content-Transfer-Encoding: 7bit
-
-signed body
-
---------------ms9A58844C95949ECC78A1C54C
-Content-Type: application/x-pkcs7-signature; name="smime.p7s"
-Content-Transfer-Encoding: base64
-Content-Disposition: attachment; filename="smime.p7s"
-Content-Description: S/MIME Cryptographic Signature
-
-MIIGHgYJKoZIhvcNAQcCoIIGDzCCBgsCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
-BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
-ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
-AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
-gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
-ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
-A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
-dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
-hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
-hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
-igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
-syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
-A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
-ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
-kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
-MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
-TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
-BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
-mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
-8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
-ggF7MIIBdwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
-BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
-REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
-AgIEfjAJBgUrDgMCGgUAoHowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAbBgkqhkiG9w0B
-CQ8xDjAMMAoGCCqGSIb3DQMHMBwGCSqGSIb3DQEJBTEPFw05ODA1MTQwMzM5MzdaMCMGCSqG
-SIb3DQEJBDEWBBQstNMnSV26ba8PapQEDhO21yNFrjANBgkqhkiG9w0BAQEFAARAW9Xb9YXv
-BfcNkutgFX9Gr8iXhBVsNtGEVrjrpkQwpKa7jHI8SjAlLhk/4RFwDHf+ISB9Np3Z1WDWnLcA
-9CWR6g==
---------------ms9A58844C95949ECC78A1C54C--
-
-
-From angela@c2.net.au Thu May 14 13:33:16 1998
-X-UIDL: 8f076c44ff7c5967fd5b00c4588a8731
-Return-Path: angela@c2.net.au
-Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id NAA27847 for <tjh@cryptsoft.com>; Thu, 14 May 1998 13:33:15 +1000 (EST)
-Message-ID: <355A67AB.2AF38806@cryptsoft.com>
-Date: Thu, 14 May 1998 13:40:27 +1000
-From: Angela van Lent <angela@c2.net.au>
-X-Mailer: Mozilla 4.03 [en] (Win95; U)
-MIME-Version: 1.0
-To: tjh@cryptsoft.com
-Subject: signed
-Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msD7863B84BD61E02C407F2F5E"
-Content-Length: 2679
-Status: OR
-
-This is a cryptographically signed message in MIME format.
-
---------------msD7863B84BD61E02C407F2F5E
-Content-Type: text/plain; charset=us-ascii
-Content-Transfer-Encoding: 7bit
-
-signed body 2
-
---------------msD7863B84BD61E02C407F2F5E
-Content-Type: application/x-pkcs7-signature; name="smime.p7s"
-Content-Transfer-Encoding: base64
-Content-Disposition: attachment; filename="smime.p7s"
-Content-Description: S/MIME Cryptographic Signature
-
-MIIGVgYJKoZIhvcNAQcCoIIGRzCCBkMCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
-BGswggJTMIIB/aADAgECAgIEfjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNv
-ZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UE
-AxMSREVNTyBaRVJPIFZBTFVFIENBMB4XDTk4MDUxMzA2MjY1NloXDTAwMDUxMjA2MjY1Nlow
-gaUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFu
-ZTEaMBgGA1UEChMRQ3J5cHRzb2Z0IFB0eSBMdGQxEjAQBgNVBAsTCVNNSU1FIDAwMzEZMBcG
-A1UEAxMQQW5nZWxhIHZhbiBMZWVudDEjMCEGCSqGSIb3DQEJARYUYW5nZWxhQGNyeXB0c29m
-dC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuC3+7dAb2LhuO7gt2cTM8vsNjhG5JfDh
-hX1Vl/wVGbKEEj0MA6vWEolvefQlxB+EzwCtR0YZ7eEC/T/4JoCyeQIDAQABoygwJjAkBglg
-hkgBhvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EAUnSP
-igs6TMFISTjw8cBtJYb98czgAVkVFjKyJQwYMH8FbDnCyx6NocM555nsyDstaw8fKR11Khds
-syd3ikkrhDCCAhAwggG6AgEDMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJBVTETMBEG
-A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
-ExJERU1PIFpFUk8gVkFMVUUgQ0EwHhcNOTgwMzAzMDc0MTMyWhcNMDgwMjI5MDc0MTMyWjCB
-kjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAPBgNVBAcTCEJyaXNiYW5l
-MRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZREVNT05TVFJBVElPTiBB
-TkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENBMFwwDQYJKoZIhvcNAQEB
-BQADSwAwSAJBAL+0E2fLej3FSCwe2A2iRnMuC3z12qHIp6Ky1wo2zZcxft7AI+RfkrWrSGtf
-mfzBEuPrLdfulncC5Y1pNcM8RTUCAwEAATANBgkqhkiG9w0BAQQFAANBAGSbLMphL6F5pp3s
-8o0Xyh86FHFdpVOwYx09ELLkuG17V/P9pgIc0Eo/gDMbN+KT3IdgECf8S//pCRA6RrNjcXIx
-ggGzMIIBrwIBATCBmTCBkjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxETAP
-BgNVBAcTCEJyaXNiYW5lMRowGAYDVQQKExFDcnlwdHNvZnQgUHR5IEx0ZDEiMCAGA1UECxMZ
-REVNT05TVFJBVElPTiBBTkQgVEVTVElORzEbMBkGA1UEAxMSREVNTyBaRVJPIFZBTFVFIENB
-AgIEfjAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcN
-AQkFMQ8XDTk4MDUxNDAzNDAyN1owIwYJKoZIhvcNAQkEMRYEFOKcV8mNYJnM8rHQajcSEqJN
-rwdDMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMAcGBSsO
-AwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABEADPE/N
-coH+zTFuX5YpolupTKxKK8eEjc48TuADuO8bIHHDE/fEYaWunlwDuTlcFJl1ig0idffPB1qC
-Zp8SSVVY
---------------msD7863B84BD61E02C407F2F5E--
-
-
-From angela@c2.net.au Thu May 14 14:05:32 1998
-X-UIDL: a7d629b4b9acacaee8b39371b860a32a
-Return-Path: angela@c2.net.au
-Received: from cryptsoft.com (play.cryptsoft.com [203.56.44.3]) by pandora.cryptsoft.com (8.8.3/8.7.3) with ESMTP id OAA28033 for <tjh@cryptsoft.com>; Thu, 14 May 1998 14:05:32 +1000 (EST)
-Message-ID: <355A6F3B.AC385981@cryptsoft.com>
-Date: Thu, 14 May 1998 14:12:43 +1000
-From: Angela van Lent <angela@c2.net.au>
-X-Mailer: Mozilla 4.03 [en] (Win95; U)
-MIME-Version: 1.0
-To: tjh@cryptsoft.com
-Subject: encrypted
-Content-Type: application/x-pkcs7-mime; name="smime.p7m"
-Content-Transfer-Encoding: base64
-Content-Disposition: attachment; filename="smime.p7m"
-Content-Description: S/MIME Encrypted Message
-Content-Length: 905
-Status: OR
-
-MIAGCSqGSIb3DQEHA6CAMIACAQAxggHmMIHwAgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEG
-A1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNUUkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQD
-ExJERU1PIFpFUk8gVkFMVUUgQ0ECAgR+MA0GCSqGSIb3DQEBAQUABEA92N29Yk39RUY2tIVd
-exGT2MFX3J6H8LB8aDRJjw7843ALgJ5zXpM5+f80QkAWwEN2A6Pl3VxiCeKLi435zXVyMIHw
-AgEAMIGZMIGSMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDERMA8GA1UEBxMI
-QnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29mdCBQdHkgTHRkMSIwIAYDVQQLExlERU1PTlNU
-UkFUSU9OIEFORCBURVNUSU5HMRswGQYDVQQDExJERU1PIFpFUk8gVkFMVUUgQ0ECAgRuMA0G
-CSqGSIb3DQEBAQUABECR9IfyHtvnjFmZ8B2oUCEs1vxMsG0u1kxKE4RMPFyDqDCEARq7zXMg
-nzSUI7Wgv5USSKDqcLRJeW+jvYURv/nJMIAGCSqGSIb3DQEHATAaBggqhkiG9w0DAjAOAgIA
-oAQIrLqrij2ZMpeggAQoibtn6reRZWuWk5Iv5IAhgitr8EYE4w4ySQ7EMB6mTlBoFpccUMWX
-BwQgQn1UoWCvYAlhDzURdbui64Dc0rS2wtj+kE/InS6y25EEEPe4NUKaF8/UlE+lo3LtILQE
-CL3uV8k7m0iqAAAAAAAAAAAAAA==
-
diff --git a/crypto/openssl/crypto/pkcs7/t/s.pem b/crypto/openssl/crypto/pkcs7/t/s.pem
deleted file mode 100644
index 4fa925b1824a..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/s.pem
+++ /dev/null
@@ -1,57 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
-mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
-fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
-zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
-p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
-bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
-IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
------END RSA PRIVATE KEY-----
-issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
-subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
-serial :047D
-
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1149 (0x47d)
-        Signature Algorithm: md5withRSAEncryption
-        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
-        Validity
-            Not Before: May 13 05:40:58 1998 GMT
-            Not After : May 12 05:40:58 2000 GMT
-        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Modulus:
-                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
-                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
-                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
-                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
-                    e7:e7:0c:4d:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            Netscape Comment: 
-                Generated with SSLeay
-    Signature Algorithm: md5withRSAEncryption
-        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
-        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
-        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
-        50:74:ad:92:cb:4e:90:e5:fa:7d
-
------BEGIN CERTIFICATE-----
-MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
-MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
-ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
-IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
-NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
-aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
-9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
-lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
-hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
-UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
-4A3ZItobUHStkstOkOX6fQ==
------END CERTIFICATE-----
-
diff --git a/crypto/openssl/crypto/pkcs7/t/server.pem b/crypto/openssl/crypto/pkcs7/t/server.pem
deleted file mode 100644
index 989baf87096a..000000000000
--- a/crypto/openssl/crypto/pkcs7/t/server.pem
+++ /dev/null
@@ -1,57 +0,0 @@
-issuer :/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=DEMONSTRATION AND TESTING/CN=DEMO ZERO VALUE CA
-subject:/C=AU/SP=Queensland/L=Brisbane/O=Cryptsoft Pty Ltd/OU=SMIME 003/CN=Information/Email=info@cryptsoft.com
-serial :047D
-
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1149 (0x47d)
-        Signature Algorithm: md5withRSAEncryption
-        Issuer: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=DEMONSTRATION AND TESTING, CN=DEMO ZERO VALUE CA
-        Validity
-            Not Before: May 13 05:40:58 1998 GMT
-            Not After : May 12 05:40:58 2000 GMT
-        Subject: C=AU, SP=Queensland, L=Brisbane, O=Cryptsoft Pty Ltd, OU=SMIME 003, CN=Information/Email=info@cryptsoft.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Modulus:
-                    00:ad:e7:23:89:ee:0d:87:b7:9c:32:44:4b:95:81:
-                    73:dd:22:80:4b:2d:c5:60:b8:fe:1e:18:63:ef:dc:
-                    89:89:22:df:95:3c:7a:db:3d:9a:06:a8:08:d6:29:
-                    fd:ef:41:09:91:ed:bc:ad:98:f9:f6:28:90:62:6f:
-                    e7:e7:0c:4d:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            Netscape Comment: 
-                Generated with SSLeay
-    Signature Algorithm: md5withRSAEncryption
-        52:15:ea:88:f4:f0:f9:0b:ef:ce:d5:f8:83:40:61:16:5e:55:
-        f9:ce:2d:d1:8b:31:5c:03:c6:2d:10:7c:61:d5:5c:0a:42:97:
-        d1:fd:65:b6:b6:84:a5:39:ec:46:ec:fc:e0:0d:d9:22:da:1b:
-        50:74:ad:92:cb:4e:90:e5:fa:7d
-
------BEGIN CERTIFICATE-----
-MIICTDCCAfagAwIBAgICBH0wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAkFV
-MRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UE
-ChMRQ3J5cHRzb2Z0IFB0eSBMdGQxIjAgBgNVBAsTGURFTU9OU1RSQVRJT04gQU5E
-IFRFU1RJTkcxGzAZBgNVBAMTEkRFTU8gWkVSTyBWQUxVRSBDQTAeFw05ODA1MTMw
-NTQwNThaFw0wMDA1MTIwNTQwNThaMIGeMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-UXVlZW5zbGFuZDERMA8GA1UEBxMIQnJpc2JhbmUxGjAYBgNVBAoTEUNyeXB0c29m
-dCBQdHkgTHRkMRIwEAYDVQQLEwlTTUlNRSAwMDMxFDASBgNVBAMTC0luZm9ybWF0
-aW9uMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGNyeXB0c29mdC5jb20wXDANBgkqhkiG
-9w0BAQEFAANLADBIAkEArecjie4Nh7ecMkRLlYFz3SKASy3FYLj+Hhhj79yJiSLf
-lTx62z2aBqgI1in970EJke28rZj59iiQYm/n5wxNCwIDAQABoygwJjAkBglghkgB
-hvhCAQ0EFxYVR2VuZXJhdGVkIHdpdGggU1NMZWF5MA0GCSqGSIb3DQEBBAUAA0EA
-UhXqiPTw+QvvztX4g0BhFl5V+c4t0YsxXAPGLRB8YdVcCkKX0f1ltraEpTnsRuz8
-4A3ZItobUHStkstOkOX6fQ==
------END CERTIFICATE-----
-
------BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBAK3nI4nuDYe3nDJES5WBc90igEstxWC4/h4YY+/ciYki35U8ets9
-mgaoCNYp/e9BCZHtvK2Y+fYokGJv5+cMTQsCAwEAAQJBAIHpvXvqEcOEoDRRHuIG
-fkcB4jPHcr9KE9TpxabH6xs9beN6OJnkePXAHwaz5MnUgSnbpOKq+cw8miKjXwe/
-zVECIQDVLwncT2lRmXarEYHzb+q/0uaSvKhWKKt3kJasLNTrAwIhANDUc/ghut29
-p3jJYjurzUKuG774/5eLjPLsxPPIZzNZAiA/10hSq41UnGqHLEUIS9m2/EeEZe7b
-bm567dfRU9OnVQIgDo8ROrZXSchEGbaog5J5r/Fle83uO8l93R3GqVxKXZkCIFfk
-IPD5PIYQAyyod3hyKKza7ZP4CGY4oOfZetbkSGGG
------END RSA PRIVATE KEY-----
diff --git a/crypto/openssl/crypto/pkcs7/verify.c b/crypto/openssl/crypto/pkcs7/verify.c
deleted file mode 100644
index b40f26032ec6..000000000000
--- a/crypto/openssl/crypto/pkcs7/verify.c
+++ /dev/null
@@ -1,263 +0,0 @@
-/* crypto/pkcs7/verify.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <string.h>
-#include <openssl/bio.h>
-#include <openssl/asn1.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/err.h>
-#include "example.h"
-
-int verify_callback(int ok, X509_STORE_CTX *ctx);
-
-BIO *bio_err=NULL;
-BIO *bio_out=NULL;
-
-int main(argc,argv)
-int argc;
-char *argv[];
-	{
-	PKCS7 *p7;
-	PKCS7_SIGNER_INFO *si;
-	X509_STORE_CTX cert_ctx;
-	X509_STORE *cert_store=NULL;
-	BIO *data,*detached=NULL,*p7bio=NULL;
-	char buf[1024*4];
-	char *pp;
-	int i,printit=0;
-	STACK_OF(PKCS7_SIGNER_INFO) *sk;
-
-	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
-	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
-#ifndef OPENSSL_NO_MD2
-	EVP_add_digest(EVP_md2());
-#endif
-#ifndef OPENSSL_NO_MD5
-	EVP_add_digest(EVP_md5());
-#endif
-#ifndef OPENSSL_NO_SHA1
-	EVP_add_digest(EVP_sha1());
-#endif
-#ifndef OPENSSL_NO_MDC2
-	EVP_add_digest(EVP_mdc2());
-#endif
-
-	data=BIO_new(BIO_s_file());
-
-	pp=NULL;
-	while (argc > 1)
-		{
-		argc--;
-		argv++;
-		if (strcmp(argv[0],"-p") == 0)
-			{
-			printit=1;
-			}
-		else if ((strcmp(argv[0],"-d") == 0) && (argc >= 2))
-			{
-			detached=BIO_new(BIO_s_file());
-			if (!BIO_read_filename(detached,argv[1]))
-				goto err;
-			argc--;
-			argv++;
-			}
-		else
-			{
-			pp=argv[0];
-			if (!BIO_read_filename(data,argv[0]))
-				goto err;
-			}
-		}
-
-	if (pp == NULL)
-		BIO_set_fp(data,stdin,BIO_NOCLOSE);
-
-
-	/* Load the PKCS7 object from a file */
-	if ((p7=PEM_read_bio_PKCS7(data,NULL,NULL,NULL)) == NULL) goto err;
-
-	/* This stuff is being setup for certificate verification.
-	 * When using SSL, it could be replaced with a 
-	 * cert_stre=SSL_CTX_get_cert_store(ssl_ctx); */
-	cert_store=X509_STORE_new();
-	X509_STORE_set_default_paths(cert_store);
-	X509_STORE_load_locations(cert_store,NULL,"../../certs");
-	X509_STORE_set_verify_cb_func(cert_store,verify_callback);
-
-	ERR_clear_error();
-
-	/* We need to process the data */
-	if ((PKCS7_get_detached(p7) || detached))
-		{
-		if (detached == NULL)
-			{
-			printf("no data to verify the signature on\n");
-			exit(1);
-			}
-		else
-			p7bio=PKCS7_dataInit(p7,detached);
-		}
-	else
-		{
-		p7bio=PKCS7_dataInit(p7,NULL);
-		}
-
-	/* We now have to 'read' from p7bio to calculate digests etc. */
-	for (;;)
-		{
-		i=BIO_read(p7bio,buf,sizeof(buf));
-		/* print it? */
-		if (i <= 0) break;
-		}
-
-	/* We can now verify signatures */
-	sk=PKCS7_get_signer_info(p7);
-	if (sk == NULL)
-		{
-		printf("there are no signatures on this data\n");
-		exit(1);
-		}
-
-	/* Ok, first we need to, for each subject entry, see if we can verify */
-	for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
-		{
-		ASN1_UTCTIME *tm;
-		char *str1,*str2;
-		int rc;
-
-		si=sk_PKCS7_SIGNER_INFO_value(sk,i);
-		rc=PKCS7_dataVerify(cert_store,&cert_ctx,p7bio,p7,si);
-		if (rc <= 0)
-			goto err;
-		printf("signer info\n");
-		if ((tm=get_signed_time(si)) != NULL)
-			{
-			BIO_printf(bio_out,"Signed time:");
-			ASN1_UTCTIME_print(bio_out,tm);
-			ASN1_UTCTIME_free(tm);
-			BIO_printf(bio_out,"\n");
-			}
-		if (get_signed_seq2string(si,&str1,&str2))
-			{
-			BIO_printf(bio_out,"String 1 is %s\n",str1);
-			BIO_printf(bio_out,"String 2 is %s\n",str2);
-			}
-
-		}
-
-	X509_STORE_free(cert_store);
-
-	printf("done\n");
-	exit(0);
-err:
-	ERR_load_crypto_strings();
-	ERR_print_errors_fp(stderr);
-	exit(1);
-	}
-
-/* should be X509 * but we can just have them as char *. */
-int verify_callback(int ok, X509_STORE_CTX *ctx)
-	{
-	char buf[256];
-	X509 *err_cert;
-	int err,depth;
-
-	err_cert=X509_STORE_CTX_get_current_cert(ctx);
-	err=	X509_STORE_CTX_get_error(ctx);
-	depth=	X509_STORE_CTX_get_error_depth(ctx);
-
-	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
-	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
-	if (!ok)
-		{
-		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
-			X509_verify_cert_error_string(err));
-		if (depth < 6)
-			{
-			ok=1;
-			X509_STORE_CTX_set_error(ctx,X509_V_OK);
-			}
-		else
-			{
-			ok=0;
-			X509_STORE_CTX_set_error(ctx,X509_V_ERR_CERT_CHAIN_TOO_LONG);
-			}
-		}
-	switch (ctx->error)
-		{
-	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
-		BIO_printf(bio_err,"issuer= %s\n",buf);
-		break;
-	case X509_V_ERR_CERT_NOT_YET_VALID:
-	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-		BIO_printf(bio_err,"notBefore=");
-		ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
-		BIO_printf(bio_err,"\n");
-		break;
-	case X509_V_ERR_CERT_HAS_EXPIRED:
-	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-		BIO_printf(bio_err,"notAfter=");
-		ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
-		BIO_printf(bio_err,"\n");
-		break;
-		}
-	BIO_printf(bio_err,"verify return:%d\n",ok);
-	return(ok);
-	}
diff --git a/crypto/openssl/crypto/pqueue/pqueue.h b/crypto/openssl/crypto/pqueue/pqueue.h
index 87fc9037c8f3..26b534808900 100644
--- a/crypto/openssl/crypto/pqueue/pqueue.h
+++ b/crypto/openssl/crypto/pqueue/pqueue.h
@@ -64,6 +64,9 @@
 #include <stdlib.h>
 #include <string.h>
 
+#ifdef  __cplusplus
+extern "C" {
+#endif
 typedef struct _pqueue *pqueue;
 
 typedef struct _pitem
@@ -91,4 +94,7 @@ pitem *pqueue_next(piterator *iter);
 void   pqueue_print(pqueue pq);
 int    pqueue_size(pqueue pq);
 
+#ifdef  __cplusplus
+}
+#endif
 #endif /* ! HEADER_PQUEUE_H */
diff --git a/crypto/openssl/crypto/rand/md_rand.c b/crypto/openssl/crypto/rand/md_rand.c
index 1e3bcb9bc426..888b4eb8dd0b 100644
--- a/crypto/openssl/crypto/rand/md_rand.c
+++ b/crypto/openssl/crypto/rand/md_rand.c
@@ -159,7 +159,6 @@ const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT;
 static void ssleay_rand_cleanup(void);
 static void ssleay_rand_seed(const void *buf, int num);
 static void ssleay_rand_add(const void *buf, int num, double add_entropy);
-static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo);
 static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
 static int ssleay_rand_status(void);
@@ -198,6 +197,9 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 	EVP_MD_CTX m;
 	int do_not_lock;
 
+	if (!num)
+		return;
+
 	/*
 	 * (Based on the rand(3) manpage)
 	 *
@@ -331,7 +333,7 @@ static void ssleay_rand_seed(const void *buf, int num)
 	ssleay_rand_add(buf, num, (double)num);
 	}
 
-static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
+int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
 	{
 	static volatile int stirred_pool = 0;
 	int i,j,k,st_num,st_idx;
@@ -380,8 +382,8 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 	 * are fed into the hash function and the results are kept in the
 	 * global 'md'.
 	 */
-
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	if (lock)
+		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 
 	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
@@ -460,7 +462,8 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 
 	/* before unlocking, we must clear 'crypto_lock_rand' */
 	crypto_lock_rand = 0;
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	if (lock)
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	while (num > 0)
 		{
@@ -512,10 +515,12 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 	MD_Init(&m);
 	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
 	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	if (lock)
+		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	MD_Update(&m,md,MD_DIGEST_LENGTH);
 	MD_Final(&m,md);
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	if (lock)
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	EVP_MD_CTX_cleanup(&m);
 	if (ok)
@@ -533,14 +538,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 
 static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
 	{
-	return ssleay_rand_bytes(buf, num, 0);
+	return ssleay_rand_bytes(buf, num, 0, 1);
 	}
 
 /* pseudo-random bytes that are guaranteed to be unique but not
    unpredictable */
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 
 	{
-	return ssleay_rand_bytes(buf, num, 1);
+	return ssleay_rand_bytes(buf, num, 1, 1);
 	}
 
 static int ssleay_rand_status(void)
diff --git a/crypto/openssl/crypto/rand/rand.h b/crypto/openssl/crypto/rand/rand.h
index dc8fcf94c5aa..bb5520e80ac1 100644
--- a/crypto/openssl/crypto/rand/rand.h
+++ b/crypto/openssl/crypto/rand/rand.h
@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
 #define RAND_F_SSLEAY_RAND_BYTES			 100
 
 /* Reason codes. */
+#define RAND_R_DUAL_EC_DRBG_DISABLED			 104
 #define RAND_R_ERROR_INITIALISING_DRBG			 102
 #define RAND_R_ERROR_INSTANTIATING_DRBG			 103
 #define RAND_R_NO_FIPS_RANDOM_METHOD_SET		 101
diff --git a/crypto/openssl/crypto/rand/rand_err.c b/crypto/openssl/crypto/rand/rand_err.c
index b8586c8f4a9c..c4c80fc8ccad 100644
--- a/crypto/openssl/crypto/rand/rand_err.c
+++ b/crypto/openssl/crypto/rand/rand_err.c
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
 
 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
+{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
 {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
 {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
 {ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
diff --git a/crypto/openssl/crypto/rand/rand_lcl.h b/crypto/openssl/crypto/rand/rand_lcl.h
index 618a8ec899ce..0fabf8dc5d90 100644
--- a/crypto/openssl/crypto/rand/rand_lcl.h
+++ b/crypto/openssl/crypto/rand/rand_lcl.h
@@ -154,5 +154,6 @@
 #define	MD(a,b,c)		EVP_Digest(a,b,c,NULL,EVP_md2(), NULL)
 #endif
 
+int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock);
 
 #endif
diff --git a/crypto/openssl/crypto/rand/rand_lib.c b/crypto/openssl/crypto/rand/rand_lib.c
index 476a0cd187ee..239a1cde8189 100644
--- a/crypto/openssl/crypto/rand/rand_lib.c
+++ b/crypto/openssl/crypto/rand/rand_lib.c
@@ -68,6 +68,7 @@
 #ifdef OPENSSL_FIPS
 #include <openssl/fips.h>
 #include <openssl/fips_rand.h>
+#include "rand_lcl.h"
 #endif
 
 #ifndef OPENSSL_NO_ENGINE
@@ -199,7 +200,7 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
 	*pout = OPENSSL_malloc(min_len);
 	if (!*pout)
 		return 0;
-	if (RAND_SSLeay()->bytes(*pout, min_len) <= 0)
+	if (ssleay_rand_bytes(*pout, min_len, 0, 0) <= 0)
 		{
 		OPENSSL_free(*pout);
 		*pout = NULL;
@@ -269,6 +270,14 @@ int RAND_init_fips(void)
 	DRBG_CTX *dctx;
 	size_t plen;
 	unsigned char pers[32], *p;
+#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
+	if (fips_drbg_type >> 16)
+		{
+		RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
+		return 0;
+		}
+#endif
+		
 	dctx = FIPS_get_default_drbg();
         if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
 		{
diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c
index 7f1428072d27..14ba69d4c694 100644
--- a/crypto/openssl/crypto/rand/randfile.c
+++ b/crypto/openssl/crypto/rand/randfile.c
@@ -79,6 +79,7 @@
 #endif
 #ifndef OPENSSL_NO_POSIX_IO
 # include <sys/stat.h>
+# include <fcntl.h>
 #endif
 
 #ifdef _WIN32
diff --git a/crypto/openssl/crypto/rc4/asm/rc4-parisc.pl b/crypto/openssl/crypto/rc4/asm/rc4-parisc.pl
index 9165067080ef..ad7e65651cf9 100755
--- a/crypto/openssl/crypto/rc4/asm/rc4-parisc.pl
+++ b/crypto/openssl/crypto/rc4/asm/rc4-parisc.pl
@@ -307,7 +307,8 @@ L\$opts
 	.STRINGZ "RC4 for PA-RISC, CRYPTOGAMS by <appro\@openssl.org>"
 ___
 $code =~ s/\`([^\`]*)\`/eval $1/gem;
-$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4);
+$code =~ s/cmpib,\*/comib,/gm	if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm	if ($SIZE_T==8);
 
 print $code;
 close STDOUT;
diff --git a/crypto/openssl/crypto/rsa/Makefile b/crypto/openssl/crypto/rsa/Makefile
index f798d2f74932..e8121a496750 100644
--- a/crypto/openssl/crypto/rsa/Makefile
+++ b/crypto/openssl/crypto/rsa/Makefile
@@ -212,7 +212,7 @@ rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_oaep.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_oaep.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rsa_oaep.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_oaep.o: ../cryptlib.h rsa_oaep.c
+rsa_oaep.o: ../constant_time_locl.h ../cryptlib.h rsa_oaep.c
 rsa_pk1.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_pk1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_pk1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -221,7 +221,8 @@ rsa_pk1.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 rsa_pk1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_pk1.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_pk1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pk1.c
+rsa_pk1.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
+rsa_pk1.o: ../cryptlib.h rsa_pk1.c
 rsa_pmeth.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_pmeth.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 rsa_pmeth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h
index 5f269e577af4..11853fee5fe4 100644
--- a/crypto/openssl/crypto/rsa/rsa.h
+++ b/crypto/openssl/crypto/rsa/rsa.h
@@ -559,6 +559,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE	 158
 #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE	 148
 #define RSA_R_PADDING_CHECK_FAILED			 114
+#define RSA_R_PKCS_DECODING_ERROR			 159
 #define RSA_R_P_NOT_PRIME				 128
 #define RSA_R_Q_NOT_PRIME				 129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
diff --git a/crypto/openssl/crypto/rsa/rsa_ameth.c b/crypto/openssl/crypto/rsa/rsa_ameth.c
index 2460910ab278..4c8ecd9233e1 100644
--- a/crypto/openssl/crypto/rsa/rsa_ameth.c
+++ b/crypto/openssl/crypto/rsa/rsa_ameth.c
@@ -351,27 +351,27 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
 
 	if (!BIO_indent(bp, indent, 128))
 		goto err;
-	if (BIO_puts(bp, "Salt Length: ") <= 0)
+	if (BIO_puts(bp, "Salt Length: 0x") <= 0)
 			goto err;
 	if (pss->saltLength)
 		{
 		if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
 			goto err;
 		}
-	else if (BIO_puts(bp, "20 (default)") <= 0)
+	else if (BIO_puts(bp, "14 (default)") <= 0)
 		goto err;
 	BIO_puts(bp, "\n");
 
 	if (!BIO_indent(bp, indent, 128))
 		goto err;
-	if (BIO_puts(bp, "Trailer Field: ") <= 0)
+	if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
 			goto err;
 	if (pss->trailerField)
 		{
 		if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
 			goto err;
 		}
-	else if (BIO_puts(bp, "0xbc (default)") <= 0)
+	else if (BIO_puts(bp, "BC (default)") <= 0)
 		goto err;
 	BIO_puts(bp, "\n");
 	
diff --git a/crypto/openssl/crypto/rsa/rsa_chk.c b/crypto/openssl/crypto/rsa/rsa_chk.c
index 9d848db8c6c7..cc30e77132fa 100644
--- a/crypto/openssl/crypto/rsa/rsa_chk.c
+++ b/crypto/openssl/crypto/rsa/rsa_chk.c
@@ -59,6 +59,12 @@ int RSA_check_key(const RSA *key)
 	BN_CTX *ctx;
 	int r;
 	int ret=1;
+
+	if (!key->p || !key->q || !key->n || !key->e || !key->d)
+		{
+		RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
+		return 0;
+		}
 	
 	i = BN_new();
 	j = BN_new();
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index 88ee2cb557f0..aa810459a136 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -459,7 +459,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 	if (padding == RSA_X931_PADDING)
 		{
 		BN_sub(f, rsa->n, ret);
-		if (BN_cmp(ret, f))
+		if (BN_cmp(ret, f) > 0)
 			res = f;
 		else
 			res = ret;
diff --git a/crypto/openssl/crypto/rsa/rsa_err.c b/crypto/openssl/crypto/rsa/rsa_err.c
index 46e0bf99806c..9da79d920ee9 100644
--- a/crypto/openssl/crypto/rsa/rsa_err.c
+++ b/crypto/openssl/crypto/rsa/rsa_err.c
@@ -175,6 +175,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"},
 {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_PKCS_DECODING_ERROR)   ,"pkcs decoding error"},
 {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
 {ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
diff --git a/crypto/openssl/crypto/rsa/rsa_oaep.c b/crypto/openssl/crypto/rsa/rsa_oaep.c
index af4d24a56ef5..c363331992e0 100644
--- a/crypto/openssl/crypto/rsa/rsa_oaep.c
+++ b/crypto/openssl/crypto/rsa/rsa_oaep.c
@@ -18,6 +18,7 @@
  * an equivalent notion.
  */
 
+#include "constant_time_locl.h"
 
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 #include <stdio.h>
@@ -95,92 +96,117 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 	const unsigned char *from, int flen, int num,
 	const unsigned char *param, int plen)
 	{
-	int i, dblen, mlen = -1;
-	const unsigned char *maskeddb;
-	int lzero;
-	unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
-	unsigned char *padded_from;
-	int bad = 0;
-
-	if (--num < 2 * SHA_DIGEST_LENGTH + 1)
-		/* 'num' is the length of the modulus, i.e. does not depend on the
-		 * particular ciphertext. */
-		goto decoding_err;
+	int i, dblen, mlen = -1, one_index = 0, msg_index;
+	unsigned int good, found_one_byte;
+	const unsigned char *maskedseed, *maskeddb;
+	/* |em| is the encoded message, zero-padded to exactly |num| bytes:
+	 * em = Y || maskedSeed || maskedDB */
+	unsigned char *db = NULL, *em = NULL, seed[EVP_MAX_MD_SIZE],
+		phash[EVP_MAX_MD_SIZE];
 
-	lzero = num - flen;
-	if (lzero < 0)
-		{
-		/* signalling this error immediately after detection might allow
-		 * for side-channel attacks (e.g. timing if 'plen' is huge
-		 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
-		 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
-		 * so we use a 'bad' flag */
-		bad = 1;
-		lzero = 0;
-		flen = num; /* don't overflow the memcpy to padded_from */
-		}
+        if (tlen <= 0 || flen <= 0)
+		return -1;
 
-	dblen = num - SHA_DIGEST_LENGTH;
-	db = OPENSSL_malloc(dblen + num);
-	if (db == NULL)
+	/*
+	 * |num| is the length of the modulus; |flen| is the length of the
+	 * encoded message. Therefore, for any |from| that was obtained by
+	 * decrypting a ciphertext, we must have |flen| <= |num|. Similarly,
+	 * num < 2 * SHA_DIGEST_LENGTH + 2 must hold for the modulus
+	 * irrespective of the ciphertext, see PKCS #1 v2.2, section 7.1.2.
+	 * This does not leak any side-channel information.
+	 */
+	if (num < flen || num < 2 * SHA_DIGEST_LENGTH + 2)
+		goto decoding_err;
+
+	dblen = num - SHA_DIGEST_LENGTH - 1;
+	db = OPENSSL_malloc(dblen);
+	em = OPENSSL_malloc(num);
+	if (db == NULL || em == NULL)
 		{
 		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
-		return -1;
+		goto cleanup;
 		}
 
-	/* Always do this zero-padding copy (even when lzero == 0)
-	 * to avoid leaking timing info about the value of lzero. */
-	padded_from = db + dblen;
-	memset(padded_from, 0, lzero);
-	memcpy(padded_from + lzero, from, flen);
+	/*
+	 * Always do this zero-padding copy (even when num == flen) to avoid
+	 * leaking that information. The copy still leaks some side-channel
+	 * information, but it's impossible to have a fixed  memory access
+	 * pattern since we can't read out of the bounds of |from|.
+	 *
+	 * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
+	 */
+	memset(em, 0, num);
+	memcpy(em + num - flen, from, flen);
 
-	maskeddb = padded_from + SHA_DIGEST_LENGTH;
+	/*
+	 * The first byte must be zero, however we must not leak if this is
+	 * true. See James H. Manger, "A Chosen Ciphertext  Attack on RSA
+	 * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
+	 */
+	good = constant_time_is_zero(em[0]);
+
+	maskedseed = em + 1;
+	maskeddb = em + 1 + SHA_DIGEST_LENGTH;
 
 	if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
-		return -1;
+		goto cleanup;
 	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
-		seed[i] ^= padded_from[i];
-  
+		seed[i] ^= maskedseed[i];
+
 	if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
-		return -1;
+		goto cleanup;
 	for (i = 0; i < dblen; i++)
 		db[i] ^= maskeddb[i];
 
 	if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
-		return -1;
+		goto cleanup;
+
+	good &= constant_time_is_zero(CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH));
 
-	if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
+	found_one_byte = 0;
+	for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+		{
+		/* Padding consists of a number of 0-bytes, followed by a 1. */
+		unsigned int equals1 = constant_time_eq(db[i], 1);
+		unsigned int equals0 = constant_time_is_zero(db[i]);
+		one_index = constant_time_select_int(~found_one_byte & equals1,
+			i, one_index);
+		found_one_byte |= equals1;
+		good &= (found_one_byte | equals0);
+		}
+
+	good &= found_one_byte;
+
+	/*
+	 * At this point |good| is zero unless the plaintext was valid,
+	 * so plaintext-awareness ensures timing side-channels are no longer a
+	 * concern.
+	 */
+	if (!good)
 		goto decoding_err;
+
+	msg_index = one_index + 1;
+	mlen = dblen - msg_index;
+
+	if (tlen < mlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+		mlen = -1;
+		}
 	else
 		{
-		for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
-			if (db[i] != 0x00)
-				break;
-		if (i == dblen || db[i] != 0x01)
-			goto decoding_err;
-		else
-			{
-			/* everything looks OK */
-
-			mlen = dblen - ++i;
-			if (tlen < mlen)
-				{
-				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
-				mlen = -1;
-				}
-			else
-				memcpy(to, db + i, mlen);
-			}
+		memcpy(to, db + msg_index, mlen);
+		goto cleanup;
 		}
-	OPENSSL_free(db);
-	return mlen;
 
 decoding_err:
-	/* to avoid chosen ciphertext attacks, the error message should not reveal
-	 * which kind of decoding error happened */
+	/* To avoid chosen ciphertext attacks, the error message should not reveal
+	 * which kind of decoding error happened. */
 	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+cleanup:
 	if (db != NULL) OPENSSL_free(db);
-	return -1;
+	if (em != NULL) OPENSSL_free(em);
+	return mlen;
 	}
 
 int PKCS1_MGF1(unsigned char *mask, long len,
diff --git a/crypto/openssl/crypto/rsa/rsa_pk1.c b/crypto/openssl/crypto/rsa/rsa_pk1.c
index 8560755f1d12..c2da56f6cad8 100644
--- a/crypto/openssl/crypto/rsa/rsa_pk1.c
+++ b/crypto/openssl/crypto/rsa/rsa_pk1.c
@@ -56,6 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
+#include "constant_time_locl.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
@@ -181,44 +183,87 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
 int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
 	     const unsigned char *from, int flen, int num)
 	{
-	int i,j;
-	const unsigned char *p;
+	int i;
+	/* |em| is the encoded message, zero-padded to exactly |num| bytes */
+	unsigned char *em = NULL;
+	unsigned int good, found_zero_byte;
+	int zero_index = 0, msg_index, mlen = -1;
 
-	p=from;
-	if ((num != (flen+1)) || (*(p++) != 02))
-		{
-		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BLOCK_TYPE_IS_NOT_02);
-		return(-1);
-		}
-#ifdef PKCS1_CHECK
-	return(num-11);
-#endif
+        if (tlen < 0 || flen < 0)
+		return -1;
 
-	/* scan over padding data */
-	j=flen-1; /* one for type. */
-	for (i=0; i<j; i++)
-		if (*(p++) == 0) break;
+	/* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
+	 * Standard", section 7.2.2. */
 
-	if (i == j)
+	if (flen > num)
+		goto err;
+
+	if (num < 11)
+		goto err;
+
+	em = OPENSSL_malloc(num);
+	if (em == NULL)
 		{
-		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_NULL_BEFORE_BLOCK_MISSING);
-		return(-1);
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
+		return -1;
 		}
+	memset(em, 0, num);
+	/*
+	 * Always do this zero-padding copy (even when num == flen) to avoid
+	 * leaking that information. The copy still leaks some side-channel
+	 * information, but it's impossible to have a fixed  memory access
+	 * pattern since we can't read out of the bounds of |from|.
+	 *
+	 * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
+	 */
+	memcpy(em + num - flen, from, flen);
 
-	if (i < 8)
+	good = constant_time_is_zero(em[0]);
+	good &= constant_time_eq(em[1], 2);
+
+	found_zero_byte = 0;
+	for (i = 2; i < num; i++)
 		{
-		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_BAD_PAD_BYTE_COUNT);
-		return(-1);
+		unsigned int equals0 = constant_time_is_zero(em[i]);
+		zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index);
+		found_zero_byte |= equals0;
 		}
-	i++; /* Skip over the '\0' */
-	j-=i;
-	if (j > tlen)
+
+	/*
+	 * PS must be at least 8 bytes long, and it starts two bytes into |em|.
+         * If we never found a 0-byte, then |zero_index| is 0 and the check
+	 * also fails.
+	 */
+	good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);
+
+	/* Skip the zero byte. This is incorrect if we never found a zero-byte
+	 * but in this case we also do not copy the message out. */
+	msg_index = zero_index + 1;
+	mlen = num - msg_index;
+
+	/* For good measure, do this check in constant time as well; it could
+	 * leak something if |tlen| was assuming valid padding. */
+	good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
+
+	/*
+	 * We can't continue in constant-time because we need to copy the result
+	 * and we cannot fake its length. This unavoidably leaks timing
+	 * information at the API boundary.
+	 * TODO(emilia): this could be addressed at the call site,
+	 * see BoringSSL commit 0aa0767340baf925bda4804882aab0cb974b2d26.
+	 */
+	if (!good)
 		{
-		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
-		return(-1);
+		mlen = -1;
+		goto err;
 		}
-	memcpy(to,p,(unsigned int)j);
 
-	return(j);
-	}
+	memcpy(to, em + msg_index, mlen);
 
+err:
+	if (em != NULL)
+		OPENSSL_free(em);
+	if (mlen == -1)
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR);
+	return mlen;
+	}
diff --git a/crypto/openssl/crypto/rsa/rsa_pmeth.c b/crypto/openssl/crypto/rsa/rsa_pmeth.c
index 5b2ecf56adc7..157aa5c41d2a 100644
--- a/crypto/openssl/crypto/rsa/rsa_pmeth.c
+++ b/crypto/openssl/crypto/rsa/rsa_pmeth.c
@@ -611,6 +611,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
 			pm = RSA_NO_PADDING;
 		else if (!strcmp(value, "oeap"))
 			pm = RSA_PKCS1_OAEP_PADDING;
+		else if (!strcmp(value, "oaep"))
+			pm = RSA_PKCS1_OAEP_PADDING;
 		else if (!strcmp(value, "x931"))
 			pm = RSA_X931_PADDING;
 		else if (!strcmp(value, "pss"))
diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c
index b6f6037ae002..225bcfe2dcab 100644
--- a/crypto/openssl/crypto/rsa/rsa_sign.c
+++ b/crypto/openssl/crypto/rsa/rsa_sign.c
@@ -151,6 +151,25 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
 	return(ret);
 	}
 
+/*
+ * Check DigestInfo structure does not contain extraneous data by reencoding
+ * using DER and checking encoding against original. 
+ */
+static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo, int dinfolen)
+	{
+	unsigned char *der = NULL;
+	int derlen;
+	int ret = 0;
+	derlen = i2d_X509_SIG(sig, &der);
+	if (derlen <= 0)
+		return 0;
+	if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
+		ret = 1;
+	OPENSSL_cleanse(der, derlen);
+	OPENSSL_free(der);
+	return ret;
+	}
+
 int int_rsa_verify(int dtype, const unsigned char *m,
 			  unsigned int m_len,
 			  unsigned char *rm, size_t *prm_len,
@@ -228,7 +247,7 @@ int int_rsa_verify(int dtype, const unsigned char *m,
 		if (sig == NULL) goto err;
 
 		/* Excess data can be used to create forgeries */
-		if(p != s+i)
+		if(p != s+i || !rsa_check_digestinfo(sig, s, i))
 			{
 			RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
 			goto err;
diff --git a/crypto/openssl/crypto/sha/Makefile b/crypto/openssl/crypto/sha/Makefile
index 6d191d3936ee..2eb2b7af992b 100644
--- a/crypto/openssl/crypto/sha/Makefile
+++ b/crypto/openssl/crypto/sha/Makefile
@@ -60,7 +60,9 @@ sha256-armv4.S: asm/sha256-armv4.pl
 	$(PERL) $< $(PERLASM_SCHEME) $@
 
 sha1-alpha.s:	asm/sha1-alpha.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) asm/sha1-alpha.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
 
 # Solaris make has to be explicitly told
 sha1-x86_64.s:	asm/sha1-x86_64.pl;	$(PERL) asm/sha1-x86_64.pl $(PERLASM_SCHEME) > $@
diff --git a/crypto/openssl/crypto/sha/asm/sha1-mips.pl b/crypto/openssl/crypto/sha/asm/sha1-mips.pl
index f1a702f38f53..197bc6b50e95 100755
--- a/crypto/openssl/crypto/sha/asm/sha1-mips.pl
+++ b/crypto/openssl/crypto/sha/asm/sha1-mips.pl
@@ -64,7 +64,7 @@ if ($flavour =~ /64|n32/i) {
 #
 ######################################################################
 
-$big_endian=(`echo MIPSEL | $ENV{CC} -E -P -`=~/MIPSEL/)?1:0;
+$big_endian=(`echo MIPSEL | $ENV{CC} -E -`=~/MIPSEL/)?1:0 if ($ENV{CC});
 
 for (@ARGV) {	$output=$_ if (/^\w[\w\-]*\.\w+$/);   }
 open STDOUT,">$output";
diff --git a/crypto/openssl/crypto/sha/asm/sha1-parisc.pl b/crypto/openssl/crypto/sha/asm/sha1-parisc.pl
index 6d7bf495b20a..6e5a328a6f1f 100755
--- a/crypto/openssl/crypto/sha/asm/sha1-parisc.pl
+++ b/crypto/openssl/crypto/sha/asm/sha1-parisc.pl
@@ -254,6 +254,7 @@ $code.=<<___;
 ___
 
 $code =~ s/\`([^\`]*)\`/eval $1/gem;
-$code =~ s/,\*/,/gm if ($SIZE_T==4);
+$code =~ s/,\*/,/gm		if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm	if ($SIZE_T==8);
 print $code;
 close STDOUT;
diff --git a/crypto/openssl/crypto/sha/asm/sha1-x86_64.pl b/crypto/openssl/crypto/sha/asm/sha1-x86_64.pl
index cfdc45cce6da..f15c7ec39b20 100755
--- a/crypto/openssl/crypto/sha/asm/sha1-x86_64.pl
+++ b/crypto/openssl/crypto/sha/asm/sha1-x86_64.pl
@@ -745,7 +745,7 @@ $code.=<<___;
 	mov	%rdi,$ctx	# reassigned argument
 	mov	%rsi,$inp	# reassigned argument
 	mov	%rdx,$num	# reassigned argument
-	vzeroall
+	vzeroupper
 
 	shl	\$6,$num
 	add	$inp,$num
@@ -1038,7 +1038,7 @@ ___
 	&Xtail_avx(\&body_20_39);
 
 $code.=<<___;
-	vzeroall
+	vzeroupper
 
 	add	0($ctx),$A			# update context
 	add	4($ctx),@T[0]
diff --git a/crypto/openssl/crypto/sha/asm/sha512-mips.pl b/crypto/openssl/crypto/sha/asm/sha512-mips.pl
index ba5b250890e0..6807a2c7220b 100755
--- a/crypto/openssl/crypto/sha/asm/sha512-mips.pl
+++ b/crypto/openssl/crypto/sha/asm/sha512-mips.pl
@@ -68,7 +68,7 @@ $pf = ($flavour =~ /nubi/i) ? $t0 : $t2;
 #
 ######################################################################
 
-$big_endian=(`echo MIPSEL | $ENV{CC} -E -P -`=~/MIPSEL/)?1:0;
+$big_endian=(`echo MIPSEL | $ENV{CC} -E -`=~/MIPSEL/)?1:0 if ($ENV{CC});
 
 for (@ARGV) {	$output=$_ if (/^\w[\w\-]*\.\w+$/);	}
 open STDOUT,">$output";
@@ -351,7 +351,7 @@ $code.=<<___;
 	$ST	$G,6*$SZ($ctx)
 	$ST	$H,7*$SZ($ctx)
 
-	bnel	$inp,@X[15],.Loop
+	bne	$inp,@X[15],.Loop
 	$PTR_SUB $Ktbl,`($rounds-16)*$SZ`	# rewind $Ktbl
 
 	$REG_L	$ra,$FRAMESIZE-1*$SZREG($sp)
diff --git a/crypto/openssl/crypto/sha/asm/sha512-parisc.pl b/crypto/openssl/crypto/sha/asm/sha512-parisc.pl
index e24ee58ae97f..fc0e15b3c059 100755
--- a/crypto/openssl/crypto/sha/asm/sha512-parisc.pl
+++ b/crypto/openssl/crypto/sha/asm/sha512-parisc.pl
@@ -785,6 +785,8 @@ foreach (split("\n",$code)) {
 
 	s/cmpb,\*/comb,/ if ($SIZE_T==4);
 
+	s/\bbv\b/bve/    if ($SIZE_T==8);
+
 	print $_,"\n";
 }
 
diff --git a/crypto/openssl/crypto/sha/sha512.c b/crypto/openssl/crypto/sha/sha512.c
index 50dd7dc74437..50c229ddebf2 100644
--- a/crypto/openssl/crypto/sha/sha512.c
+++ b/crypto/openssl/crypto/sha/sha512.c
@@ -232,7 +232,14 @@ int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
 {   return SHA512_Update (c,data,len);   }
 
 void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
-{   sha512_block_data_order (c,data,1);  }
+	{
+#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
+	if ((size_t)data%sizeof(c->u.d[0]) != 0)
+		memcpy(c->u.p,data,sizeof(c->u.p)),
+		data = c->u.p;
+#endif
+	sha512_block_data_order (c,data,1);
+	}
 
 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
 	{
diff --git a/crypto/openssl/crypto/srp/srp_grps.h b/crypto/openssl/crypto/srp/srp_grps.h
index d77c9fff4ba1..8e3c35e3f53f 100644
--- a/crypto/openssl/crypto/srp/srp_grps.h
+++ b/crypto/openssl/crypto/srp/srp_grps.h
@@ -1,22 +1,22 @@
 /* start of generated data */
 
 static BN_ULONG bn_group_1024_value[] = {
-	bn_pack4(9FC6,1D2F,C0EB,06E3),
-	bn_pack4(FD51,38FE,8376,435B),
-	bn_pack4(2FD4,CBF4,976E,AA9A),
-	bn_pack4(68ED,BC3C,0572,6CC0),
-	bn_pack4(C529,F566,660E,57EC),
-	bn_pack4(8255,9B29,7BCF,1885),
-	bn_pack4(CE8E,F4AD,69B1,5D49),
-	bn_pack4(5DC7,D7B4,6154,D6B6),
-	bn_pack4(8E49,5C1D,6089,DAD1),
-	bn_pack4(E0D5,D8E2,50B9,8BE4),
-	bn_pack4(383B,4813,D692,C6E0),
-	bn_pack4(D674,DF74,96EA,81D3),
-	bn_pack4(9EA2,314C,9C25,6576),
-	bn_pack4(6072,6187,75FF,3C0B),
-	bn_pack4(9C33,F80A,FA8F,C5E8),
-	bn_pack4(EEAF,0AB9,ADB3,8DD6)
+	bn_pack4(0x9FC6,0x1D2F,0xC0EB,0x06E3),
+	bn_pack4(0xFD51,0x38FE,0x8376,0x435B),
+	bn_pack4(0x2FD4,0xCBF4,0x976E,0xAA9A),
+	bn_pack4(0x68ED,0xBC3C,0x0572,0x6CC0),
+	bn_pack4(0xC529,0xF566,0x660E,0x57EC),
+	bn_pack4(0x8255,0x9B29,0x7BCF,0x1885),
+	bn_pack4(0xCE8E,0xF4AD,0x69B1,0x5D49),
+	bn_pack4(0x5DC7,0xD7B4,0x6154,0xD6B6),
+	bn_pack4(0x8E49,0x5C1D,0x6089,0xDAD1),
+	bn_pack4(0xE0D5,0xD8E2,0x50B9,0x8BE4),
+	bn_pack4(0x383B,0x4813,0xD692,0xC6E0),
+	bn_pack4(0xD674,0xDF74,0x96EA,0x81D3),
+	bn_pack4(0x9EA2,0x314C,0x9C25,0x6576),
+	bn_pack4(0x6072,0x6187,0x75FF,0x3C0B),
+	bn_pack4(0x9C33,0xF80A,0xFA8F,0xC5E8),
+	bn_pack4(0xEEAF,0x0AB9,0xADB3,0x8DD6)
 };
 static BIGNUM bn_group_1024 = {
 	bn_group_1024_value,
@@ -27,30 +27,30 @@ static BIGNUM bn_group_1024 = {
 };
 
 static BN_ULONG bn_group_1536_value[] = {
-	bn_pack4(CF76,E3FE,D135,F9BB),
-	bn_pack4(1518,0F93,499A,234D),
-	bn_pack4(8CE7,A28C,2442,C6F3),
-	bn_pack4(5A02,1FFF,5E91,479E),
-	bn_pack4(7F8A,2FE9,B8B5,292E),
-	bn_pack4(837C,264A,E3A9,BEB8),
-	bn_pack4(E442,734A,F7CC,B7AE),
-	bn_pack4(6577,2E43,7D6C,7F8C),
-	bn_pack4(DB2F,D53D,24B7,C486),
-	bn_pack4(6EDF,0195,3934,9627),
-	bn_pack4(158B,FD3E,2B9C,8CF5),
-	bn_pack4(764E,3F4B,53DD,9DA1),
-	bn_pack4(4754,8381,DBC5,B1FC),
-	bn_pack4(9B60,9E0B,E3BA,B63D),
-	bn_pack4(8134,B1C8,B979,8914),
-	bn_pack4(DF02,8A7C,EC67,F0D0),
-	bn_pack4(80B6,55BB,9A22,E8DC),
-	bn_pack4(1558,903B,A0D0,F843),
-	bn_pack4(51C6,A94B,E460,7A29),
-	bn_pack4(5F4F,5F55,6E27,CBDE),
-	bn_pack4(BEEE,A961,4B19,CC4D),
-	bn_pack4(DBA5,1DF4,99AC,4C80),
-	bn_pack4(B1F1,2A86,17A4,7BBB),
-	bn_pack4(9DEF,3CAF,B939,277A)
+	bn_pack4(0xCF76,0xE3FE,0xD135,0xF9BB),
+	bn_pack4(0x1518,0x0F93,0x499A,0x234D),
+	bn_pack4(0x8CE7,0xA28C,0x2442,0xC6F3),
+	bn_pack4(0x5A02,0x1FFF,0x5E91,0x479E),
+	bn_pack4(0x7F8A,0x2FE9,0xB8B5,0x292E),
+	bn_pack4(0x837C,0x264A,0xE3A9,0xBEB8),
+	bn_pack4(0xE442,0x734A,0xF7CC,0xB7AE),
+	bn_pack4(0x6577,0x2E43,0x7D6C,0x7F8C),
+	bn_pack4(0xDB2F,0xD53D,0x24B7,0xC486),
+	bn_pack4(0x6EDF,0x0195,0x3934,0x9627),
+	bn_pack4(0x158B,0xFD3E,0x2B9C,0x8CF5),
+	bn_pack4(0x764E,0x3F4B,0x53DD,0x9DA1),
+	bn_pack4(0x4754,0x8381,0xDBC5,0xB1FC),
+	bn_pack4(0x9B60,0x9E0B,0xE3BA,0xB63D),
+	bn_pack4(0x8134,0xB1C8,0xB979,0x8914),
+	bn_pack4(0xDF02,0x8A7C,0xEC67,0xF0D0),
+	bn_pack4(0x80B6,0x55BB,0x9A22,0xE8DC),
+	bn_pack4(0x1558,0x903B,0xA0D0,0xF843),
+	bn_pack4(0x51C6,0xA94B,0xE460,0x7A29),
+	bn_pack4(0x5F4F,0x5F55,0x6E27,0xCBDE),
+	bn_pack4(0xBEEE,0xA961,0x4B19,0xCC4D),
+	bn_pack4(0xDBA5,0x1DF4,0x99AC,0x4C80),
+	bn_pack4(0xB1F1,0x2A86,0x17A4,0x7BBB),
+	bn_pack4(0x9DEF,0x3CAF,0xB939,0x277A)
 };
 static BIGNUM bn_group_1536 = {
 	bn_group_1536_value,
@@ -61,38 +61,38 @@ static BIGNUM bn_group_1536 = {
 };
 
 static BN_ULONG bn_group_2048_value[] = {
-	bn_pack4(0FA7,111F,9E4A,FF73),
-	bn_pack4(9B65,E372,FCD6,8EF2),
-	bn_pack4(35DE,236D,525F,5475),
-	bn_pack4(94B5,C803,D89F,7AE4),
-	bn_pack4(71AE,35F8,E9DB,FBB6),
-	bn_pack4(2A56,98F3,A8D0,C382),
-	bn_pack4(9CCC,041C,7BC3,08D8),
-	bn_pack4(AF87,4E73,03CE,5329),
-	bn_pack4(6160,2790,04E5,7AE6),
-	bn_pack4(032C,FBDB,F52F,B378),
-	bn_pack4(5EA7,7A27,75D2,ECFA),
-	bn_pack4(5445,23B5,24B0,D57D),
-	bn_pack4(5B9D,32E6,88F8,7748),
-	bn_pack4(F1D2,B907,8717,461A),
-	bn_pack4(76BD,207A,436C,6481),
-	bn_pack4(CA97,B43A,23FB,8016),
-	bn_pack4(1D28,1E44,6B14,773B),
-	bn_pack4(7359,D041,D5C3,3EA7),
-	bn_pack4(A80D,740A,DBF4,FF74),
-	bn_pack4(55F9,7993,EC97,5EEA),
-	bn_pack4(2918,A996,2F0B,93B8),
-	bn_pack4(661A,05FB,D5FA,AAE8),
-	bn_pack4(CF60,9517,9A16,3AB3),
-	bn_pack4(E808,3969,EDB7,67B0),
-	bn_pack4(CD7F,48A9,DA04,FD50),
-	bn_pack4(D523,12AB,4B03,310D),
-	bn_pack4(8193,E075,7767,A13D),
-	bn_pack4(A373,29CB,B4A0,99ED),
-	bn_pack4(FC31,9294,3DB5,6050),
-	bn_pack4(AF72,B665,1987,EE07),
-	bn_pack4(F166,DE5E,1389,582F),
-	bn_pack4(AC6B,DB41,324A,9A9B)
+	bn_pack4(0x0FA7,0x111F,0x9E4A,0xFF73),
+	bn_pack4(0x9B65,0xE372,0xFCD6,0x8EF2),
+	bn_pack4(0x35DE,0x236D,0x525F,0x5475),
+	bn_pack4(0x94B5,0xC803,0xD89F,0x7AE4),
+	bn_pack4(0x71AE,0x35F8,0xE9DB,0xFBB6),
+	bn_pack4(0x2A56,0x98F3,0xA8D0,0xC382),
+	bn_pack4(0x9CCC,0x041C,0x7BC3,0x08D8),
+	bn_pack4(0xAF87,0x4E73,0x03CE,0x5329),
+	bn_pack4(0x6160,0x2790,0x04E5,0x7AE6),
+	bn_pack4(0x032C,0xFBDB,0xF52F,0xB378),
+	bn_pack4(0x5EA7,0x7A27,0x75D2,0xECFA),
+	bn_pack4(0x5445,0x23B5,0x24B0,0xD57D),
+	bn_pack4(0x5B9D,0x32E6,0x88F8,0x7748),
+	bn_pack4(0xF1D2,0xB907,0x8717,0x461A),
+	bn_pack4(0x76BD,0x207A,0x436C,0x6481),
+	bn_pack4(0xCA97,0xB43A,0x23FB,0x8016),
+	bn_pack4(0x1D28,0x1E44,0x6B14,0x773B),
+	bn_pack4(0x7359,0xD041,0xD5C3,0x3EA7),
+	bn_pack4(0xA80D,0x740A,0xDBF4,0xFF74),
+	bn_pack4(0x55F9,0x7993,0xEC97,0x5EEA),
+	bn_pack4(0x2918,0xA996,0x2F0B,0x93B8),
+	bn_pack4(0x661A,0x05FB,0xD5FA,0xAAE8),
+	bn_pack4(0xCF60,0x9517,0x9A16,0x3AB3),
+	bn_pack4(0xE808,0x3969,0xEDB7,0x67B0),
+	bn_pack4(0xCD7F,0x48A9,0xDA04,0xFD50),
+	bn_pack4(0xD523,0x12AB,0x4B03,0x310D),
+	bn_pack4(0x8193,0xE075,0x7767,0xA13D),
+	bn_pack4(0xA373,0x29CB,0xB4A0,0x99ED),
+	bn_pack4(0xFC31,0x9294,0x3DB5,0x6050),
+	bn_pack4(0xAF72,0xB665,0x1987,0xEE07),
+	bn_pack4(0xF166,0xDE5E,0x1389,0x582F),
+	bn_pack4(0xAC6B,0xDB41,0x324A,0x9A9B)
 };
 static BIGNUM bn_group_2048 = {
 	bn_group_2048_value,
@@ -103,54 +103,54 @@ static BIGNUM bn_group_2048 = {
 };
 
 static BN_ULONG bn_group_3072_value[] = {
-	bn_pack4(FFFF,FFFF,FFFF,FFFF),
-	bn_pack4(4B82,D120,A93A,D2CA),
-	bn_pack4(43DB,5BFC,E0FD,108E),
-	bn_pack4(08E2,4FA0,74E5,AB31),
-	bn_pack4(7709,88C0,BAD9,46E2),
-	bn_pack4(BBE1,1757,7A61,5D6C),
-	bn_pack4(521F,2B18,177B,200C),
-	bn_pack4(D876,0273,3EC8,6A64),
-	bn_pack4(F12F,FA06,D98A,0864),
-	bn_pack4(CEE3,D226,1AD2,EE6B),
-	bn_pack4(1E8C,94E0,4A25,619D),
-	bn_pack4(ABF5,AE8C,DB09,33D7),
-	bn_pack4(B397,0F85,A6E1,E4C7),
-	bn_pack4(8AEA,7157,5D06,0C7D),
-	bn_pack4(ECFB,8504,58DB,EF0A),
-	bn_pack4(A855,21AB,DF1C,BA64),
-	bn_pack4(AD33,170D,0450,7A33),
-	bn_pack4(1572,8E5A,8AAA,C42D),
-	bn_pack4(15D2,2618,98FA,0510),
-	bn_pack4(3995,497C,EA95,6AE5),
-	bn_pack4(DE2B,CBF6,9558,1718),
-	bn_pack4(B5C5,5DF0,6F4C,52C9),
-	bn_pack4(9B27,83A2,EC07,A28F),
-	bn_pack4(E39E,772C,180E,8603),
-	bn_pack4(3290,5E46,2E36,CE3B),
-	bn_pack4(F174,6C08,CA18,217C),
-	bn_pack4(670C,354E,4ABC,9804),
-	bn_pack4(9ED5,2907,7096,966D),
-	bn_pack4(1C62,F356,2085,52BB),
-	bn_pack4(8365,5D23,DCA3,AD96),
-	bn_pack4(6916,3FA8,FD24,CF5F),
-	bn_pack4(98DA,4836,1C55,D39A),
-	bn_pack4(C200,7CB8,A163,BF05),
-	bn_pack4(4928,6651,ECE4,5B3D),
-	bn_pack4(AE9F,2411,7C4B,1FE6),
-	bn_pack4(EE38,6BFB,5A89,9FA5),
-	bn_pack4(0BFF,5CB6,F406,B7ED),
-	bn_pack4(F44C,42E9,A637,ED6B),
-	bn_pack4(E485,B576,625E,7EC6),
-	bn_pack4(4FE1,356D,6D51,C245),
-	bn_pack4(302B,0A6D,F25F,1437),
-	bn_pack4(EF95,19B3,CD3A,431B),
-	bn_pack4(514A,0879,8E34,04DD),
-	bn_pack4(020B,BEA6,3B13,9B22),
-	bn_pack4(2902,4E08,8A67,CC74),
-	bn_pack4(C4C6,628B,80DC,1CD1),
-	bn_pack4(C90F,DAA2,2168,C234),
-	bn_pack4(FFFF,FFFF,FFFF,FFFF)
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF),
+	bn_pack4(0x4B82,0xD120,0xA93A,0xD2CA),
+	bn_pack4(0x43DB,0x5BFC,0xE0FD,0x108E),
+	bn_pack4(0x08E2,0x4FA0,0x74E5,0xAB31),
+	bn_pack4(0x7709,0x88C0,0xBAD9,0x46E2),
+	bn_pack4(0xBBE1,0x1757,0x7A61,0x5D6C),
+	bn_pack4(0x521F,0x2B18,0x177B,0x200C),
+	bn_pack4(0xD876,0x0273,0x3EC8,0x6A64),
+	bn_pack4(0xF12F,0xFA06,0xD98A,0x0864),
+	bn_pack4(0xCEE3,0xD226,0x1AD2,0xEE6B),
+	bn_pack4(0x1E8C,0x94E0,0x4A25,0x619D),
+	bn_pack4(0xABF5,0xAE8C,0xDB09,0x33D7),
+	bn_pack4(0xB397,0x0F85,0xA6E1,0xE4C7),
+	bn_pack4(0x8AEA,0x7157,0x5D06,0x0C7D),
+	bn_pack4(0xECFB,0x8504,0x58DB,0xEF0A),
+	bn_pack4(0xA855,0x21AB,0xDF1C,0xBA64),
+	bn_pack4(0xAD33,0x170D,0x0450,0x7A33),
+	bn_pack4(0x1572,0x8E5A,0x8AAA,0xC42D),
+	bn_pack4(0x15D2,0x2618,0x98FA,0x0510),
+	bn_pack4(0x3995,0x497C,0xEA95,0x6AE5),
+	bn_pack4(0xDE2B,0xCBF6,0x9558,0x1718),
+	bn_pack4(0xB5C5,0x5DF0,0x6F4C,0x52C9),
+	bn_pack4(0x9B27,0x83A2,0xEC07,0xA28F),
+	bn_pack4(0xE39E,0x772C,0x180E,0x8603),
+	bn_pack4(0x3290,0x5E46,0x2E36,0xCE3B),
+	bn_pack4(0xF174,0x6C08,0xCA18,0x217C),
+	bn_pack4(0x670C,0x354E,0x4ABC,0x9804),
+	bn_pack4(0x9ED5,0x2907,0x7096,0x966D),
+	bn_pack4(0x1C62,0xF356,0x2085,0x52BB),
+	bn_pack4(0x8365,0x5D23,0xDCA3,0xAD96),
+	bn_pack4(0x6916,0x3FA8,0xFD24,0xCF5F),
+	bn_pack4(0x98DA,0x4836,0x1C55,0xD39A),
+	bn_pack4(0xC200,0x7CB8,0xA163,0xBF05),
+	bn_pack4(0x4928,0x6651,0xECE4,0x5B3D),
+	bn_pack4(0xAE9F,0x2411,0x7C4B,0x1FE6),
+	bn_pack4(0xEE38,0x6BFB,0x5A89,0x9FA5),
+	bn_pack4(0x0BFF,0x5CB6,0xF406,0xB7ED),
+	bn_pack4(0xF44C,0x42E9,0xA637,0xED6B),
+	bn_pack4(0xE485,0xB576,0x625E,0x7EC6),
+	bn_pack4(0x4FE1,0x356D,0x6D51,0xC245),
+	bn_pack4(0x302B,0x0A6D,0xF25F,0x1437),
+	bn_pack4(0xEF95,0x19B3,0xCD3A,0x431B),
+	bn_pack4(0x514A,0x0879,0x8E34,0x04DD),
+	bn_pack4(0x020B,0xBEA6,0x3B13,0x9B22),
+	bn_pack4(0x2902,0x4E08,0x8A67,0xCC74),
+	bn_pack4(0xC4C6,0x628B,0x80DC,0x1CD1),
+	bn_pack4(0xC90F,0xDAA2,0x2168,0xC234),
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF)
 };
 static BIGNUM bn_group_3072 = {
 	bn_group_3072_value,
@@ -161,70 +161,70 @@ static BIGNUM bn_group_3072 = {
 };
 
 static BN_ULONG bn_group_4096_value[] = {
-	bn_pack4(FFFF,FFFF,FFFF,FFFF),
-	bn_pack4(4DF4,35C9,3406,3199),
-	bn_pack4(86FF,B7DC,90A6,C08F),
-	bn_pack4(93B4,EA98,8D8F,DDC1),
-	bn_pack4(D006,9127,D5B0,5AA9),
-	bn_pack4(B81B,DD76,2170,481C),
-	bn_pack4(1F61,2970,CEE2,D7AF),
-	bn_pack4(233B,A186,515B,E7ED),
-	bn_pack4(99B2,964F,A090,C3A2),
-	bn_pack4(287C,5947,4E6B,C05D),
-	bn_pack4(2E8E,FC14,1FBE,CAA6),
-	bn_pack4(DBBB,C2DB,04DE,8EF9),
-	bn_pack4(2583,E9CA,2AD4,4CE8),
-	bn_pack4(1A94,6834,B615,0BDA),
-	bn_pack4(99C3,2718,6AF4,E23C),
-	bn_pack4(8871,9A10,BDBA,5B26),
-	bn_pack4(1A72,3C12,A787,E6D7),
-	bn_pack4(4B82,D120,A921,0801),
-	bn_pack4(43DB,5BFC,E0FD,108E),
-	bn_pack4(08E2,4FA0,74E5,AB31),
-	bn_pack4(7709,88C0,BAD9,46E2),
-	bn_pack4(BBE1,1757,7A61,5D6C),
-	bn_pack4(521F,2B18,177B,200C),
-	bn_pack4(D876,0273,3EC8,6A64),
-	bn_pack4(F12F,FA06,D98A,0864),
-	bn_pack4(CEE3,D226,1AD2,EE6B),
-	bn_pack4(1E8C,94E0,4A25,619D),
-	bn_pack4(ABF5,AE8C,DB09,33D7),
-	bn_pack4(B397,0F85,A6E1,E4C7),
-	bn_pack4(8AEA,7157,5D06,0C7D),
-	bn_pack4(ECFB,8504,58DB,EF0A),
-	bn_pack4(A855,21AB,DF1C,BA64),
-	bn_pack4(AD33,170D,0450,7A33),
-	bn_pack4(1572,8E5A,8AAA,C42D),
-	bn_pack4(15D2,2618,98FA,0510),
-	bn_pack4(3995,497C,EA95,6AE5),
-	bn_pack4(DE2B,CBF6,9558,1718),
-	bn_pack4(B5C5,5DF0,6F4C,52C9),
-	bn_pack4(9B27,83A2,EC07,A28F),
-	bn_pack4(E39E,772C,180E,8603),
-	bn_pack4(3290,5E46,2E36,CE3B),
-	bn_pack4(F174,6C08,CA18,217C),
-	bn_pack4(670C,354E,4ABC,9804),
-	bn_pack4(9ED5,2907,7096,966D),
-	bn_pack4(1C62,F356,2085,52BB),
-	bn_pack4(8365,5D23,DCA3,AD96),
-	bn_pack4(6916,3FA8,FD24,CF5F),
-	bn_pack4(98DA,4836,1C55,D39A),
-	bn_pack4(C200,7CB8,A163,BF05),
-	bn_pack4(4928,6651,ECE4,5B3D),
-	bn_pack4(AE9F,2411,7C4B,1FE6),
-	bn_pack4(EE38,6BFB,5A89,9FA5),
-	bn_pack4(0BFF,5CB6,F406,B7ED),
-	bn_pack4(F44C,42E9,A637,ED6B),
-	bn_pack4(E485,B576,625E,7EC6),
-	bn_pack4(4FE1,356D,6D51,C245),
-	bn_pack4(302B,0A6D,F25F,1437),
-	bn_pack4(EF95,19B3,CD3A,431B),
-	bn_pack4(514A,0879,8E34,04DD),
-	bn_pack4(020B,BEA6,3B13,9B22),
-	bn_pack4(2902,4E08,8A67,CC74),
-	bn_pack4(C4C6,628B,80DC,1CD1),
-	bn_pack4(C90F,DAA2,2168,C234),
-	bn_pack4(FFFF,FFFF,FFFF,FFFF)
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF),
+	bn_pack4(0x4DF4,0x35C9,0x3406,0x3199),
+	bn_pack4(0x86FF,0xB7DC,0x90A6,0xC08F),
+	bn_pack4(0x93B4,0xEA98,0x8D8F,0xDDC1),
+	bn_pack4(0xD006,0x9127,0xD5B0,0x5AA9),
+	bn_pack4(0xB81B,0xDD76,0x2170,0x481C),
+	bn_pack4(0x1F61,0x2970,0xCEE2,0xD7AF),
+	bn_pack4(0x233B,0xA186,0x515B,0xE7ED),
+	bn_pack4(0x99B2,0x964F,0xA090,0xC3A2),
+	bn_pack4(0x287C,0x5947,0x4E6B,0xC05D),
+	bn_pack4(0x2E8E,0xFC14,0x1FBE,0xCAA6),
+	bn_pack4(0xDBBB,0xC2DB,0x04DE,0x8EF9),
+	bn_pack4(0x2583,0xE9CA,0x2AD4,0x4CE8),
+	bn_pack4(0x1A94,0x6834,0xB615,0x0BDA),
+	bn_pack4(0x99C3,0x2718,0x6AF4,0xE23C),
+	bn_pack4(0x8871,0x9A10,0xBDBA,0x5B26),
+	bn_pack4(0x1A72,0x3C12,0xA787,0xE6D7),
+	bn_pack4(0x4B82,0xD120,0xA921,0x0801),
+	bn_pack4(0x43DB,0x5BFC,0xE0FD,0x108E),
+	bn_pack4(0x08E2,0x4FA0,0x74E5,0xAB31),
+	bn_pack4(0x7709,0x88C0,0xBAD9,0x46E2),
+	bn_pack4(0xBBE1,0x1757,0x7A61,0x5D6C),
+	bn_pack4(0x521F,0x2B18,0x177B,0x200C),
+	bn_pack4(0xD876,0x0273,0x3EC8,0x6A64),
+	bn_pack4(0xF12F,0xFA06,0xD98A,0x0864),
+	bn_pack4(0xCEE3,0xD226,0x1AD2,0xEE6B),
+	bn_pack4(0x1E8C,0x94E0,0x4A25,0x619D),
+	bn_pack4(0xABF5,0xAE8C,0xDB09,0x33D7),
+	bn_pack4(0xB397,0x0F85,0xA6E1,0xE4C7),
+	bn_pack4(0x8AEA,0x7157,0x5D06,0x0C7D),
+	bn_pack4(0xECFB,0x8504,0x58DB,0xEF0A),
+	bn_pack4(0xA855,0x21AB,0xDF1C,0xBA64),
+	bn_pack4(0xAD33,0x170D,0x0450,0x7A33),
+	bn_pack4(0x1572,0x8E5A,0x8AAA,0xC42D),
+	bn_pack4(0x15D2,0x2618,0x98FA,0x0510),
+	bn_pack4(0x3995,0x497C,0xEA95,0x6AE5),
+	bn_pack4(0xDE2B,0xCBF6,0x9558,0x1718),
+	bn_pack4(0xB5C5,0x5DF0,0x6F4C,0x52C9),
+	bn_pack4(0x9B27,0x83A2,0xEC07,0xA28F),
+	bn_pack4(0xE39E,0x772C,0x180E,0x8603),
+	bn_pack4(0x3290,0x5E46,0x2E36,0xCE3B),
+	bn_pack4(0xF174,0x6C08,0xCA18,0x217C),
+	bn_pack4(0x670C,0x354E,0x4ABC,0x9804),
+	bn_pack4(0x9ED5,0x2907,0x7096,0x966D),
+	bn_pack4(0x1C62,0xF356,0x2085,0x52BB),
+	bn_pack4(0x8365,0x5D23,0xDCA3,0xAD96),
+	bn_pack4(0x6916,0x3FA8,0xFD24,0xCF5F),
+	bn_pack4(0x98DA,0x4836,0x1C55,0xD39A),
+	bn_pack4(0xC200,0x7CB8,0xA163,0xBF05),
+	bn_pack4(0x4928,0x6651,0xECE4,0x5B3D),
+	bn_pack4(0xAE9F,0x2411,0x7C4B,0x1FE6),
+	bn_pack4(0xEE38,0x6BFB,0x5A89,0x9FA5),
+	bn_pack4(0x0BFF,0x5CB6,0xF406,0xB7ED),
+	bn_pack4(0xF44C,0x42E9,0xA637,0xED6B),
+	bn_pack4(0xE485,0xB576,0x625E,0x7EC6),
+	bn_pack4(0x4FE1,0x356D,0x6D51,0xC245),
+	bn_pack4(0x302B,0x0A6D,0xF25F,0x1437),
+	bn_pack4(0xEF95,0x19B3,0xCD3A,0x431B),
+	bn_pack4(0x514A,0x0879,0x8E34,0x04DD),
+	bn_pack4(0x020B,0xBEA6,0x3B13,0x9B22),
+	bn_pack4(0x2902,0x4E08,0x8A67,0xCC74),
+	bn_pack4(0xC4C6,0x628B,0x80DC,0x1CD1),
+	bn_pack4(0xC90F,0xDAA2,0x2168,0xC234),
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF)
 };
 static BIGNUM bn_group_4096 = {
 	bn_group_4096_value,
@@ -235,102 +235,102 @@ static BIGNUM bn_group_4096 = {
 };
 
 static BN_ULONG bn_group_6144_value[] = {
-	bn_pack4(FFFF,FFFF,FFFF,FFFF),
-	bn_pack4(E694,F91E,6DCC,4024),
-	bn_pack4(12BF,2D5B,0B74,74D6),
-	bn_pack4(043E,8F66,3F48,60EE),
-	bn_pack4(387F,E8D7,6E3C,0468),
-	bn_pack4(DA56,C9EC,2EF2,9632),
-	bn_pack4(EB19,CCB1,A313,D55C),
-	bn_pack4(F550,AA3D,8A1F,BFF0),
-	bn_pack4(06A1,D58B,B7C5,DA76),
-	bn_pack4(A797,15EE,F29B,E328),
-	bn_pack4(14CC,5ED2,0F80,37E0),
-	bn_pack4(CC8F,6D7E,BF48,E1D8),
-	bn_pack4(4BD4,07B2,2B41,54AA),
-	bn_pack4(0F1D,45B7,FF58,5AC5),
-	bn_pack4(23A9,7A7E,36CC,88BE),
-	bn_pack4(59E7,C97F,BEC7,E8F3),
-	bn_pack4(B5A8,4031,900B,1C9E),
-	bn_pack4(D55E,702F,4698,0C82),
-	bn_pack4(F482,D7CE,6E74,FEF6),
-	bn_pack4(F032,EA15,D172,1D03),
-	bn_pack4(5983,CA01,C64B,92EC),
-	bn_pack4(6FB8,F401,378C,D2BF),
-	bn_pack4(3320,5151,2BD7,AF42),
-	bn_pack4(DB7F,1447,E6CC,254B),
-	bn_pack4(44CE,6CBA,CED4,BB1B),
-	bn_pack4(DA3E,DBEB,CF9B,14ED),
-	bn_pack4(1797,27B0,865A,8918),
-	bn_pack4(B06A,53ED,9027,D831),
-	bn_pack4(E5DB,382F,4130,01AE),
-	bn_pack4(F8FF,9406,AD9E,530E),
-	bn_pack4(C975,1E76,3DBA,37BD),
-	bn_pack4(C1D4,DCB2,6026,46DE),
-	bn_pack4(36C3,FAB4,D27C,7026),
-	bn_pack4(4DF4,35C9,3402,8492),
-	bn_pack4(86FF,B7DC,90A6,C08F),
-	bn_pack4(93B4,EA98,8D8F,DDC1),
-	bn_pack4(D006,9127,D5B0,5AA9),
-	bn_pack4(B81B,DD76,2170,481C),
-	bn_pack4(1F61,2970,CEE2,D7AF),
-	bn_pack4(233B,A186,515B,E7ED),
-	bn_pack4(99B2,964F,A090,C3A2),
-	bn_pack4(287C,5947,4E6B,C05D),
-	bn_pack4(2E8E,FC14,1FBE,CAA6),
-	bn_pack4(DBBB,C2DB,04DE,8EF9),
-	bn_pack4(2583,E9CA,2AD4,4CE8),
-	bn_pack4(1A94,6834,B615,0BDA),
-	bn_pack4(99C3,2718,6AF4,E23C),
-	bn_pack4(8871,9A10,BDBA,5B26),
-	bn_pack4(1A72,3C12,A787,E6D7),
-	bn_pack4(4B82,D120,A921,0801),
-	bn_pack4(43DB,5BFC,E0FD,108E),
-	bn_pack4(08E2,4FA0,74E5,AB31),
-	bn_pack4(7709,88C0,BAD9,46E2),
-	bn_pack4(BBE1,1757,7A61,5D6C),
-	bn_pack4(521F,2B18,177B,200C),
-	bn_pack4(D876,0273,3EC8,6A64),
-	bn_pack4(F12F,FA06,D98A,0864),
-	bn_pack4(CEE3,D226,1AD2,EE6B),
-	bn_pack4(1E8C,94E0,4A25,619D),
-	bn_pack4(ABF5,AE8C,DB09,33D7),
-	bn_pack4(B397,0F85,A6E1,E4C7),
-	bn_pack4(8AEA,7157,5D06,0C7D),
-	bn_pack4(ECFB,8504,58DB,EF0A),
-	bn_pack4(A855,21AB,DF1C,BA64),
-	bn_pack4(AD33,170D,0450,7A33),
-	bn_pack4(1572,8E5A,8AAA,C42D),
-	bn_pack4(15D2,2618,98FA,0510),
-	bn_pack4(3995,497C,EA95,6AE5),
-	bn_pack4(DE2B,CBF6,9558,1718),
-	bn_pack4(B5C5,5DF0,6F4C,52C9),
-	bn_pack4(9B27,83A2,EC07,A28F),
-	bn_pack4(E39E,772C,180E,8603),
-	bn_pack4(3290,5E46,2E36,CE3B),
-	bn_pack4(F174,6C08,CA18,217C),
-	bn_pack4(670C,354E,4ABC,9804),
-	bn_pack4(9ED5,2907,7096,966D),
-	bn_pack4(1C62,F356,2085,52BB),
-	bn_pack4(8365,5D23,DCA3,AD96),
-	bn_pack4(6916,3FA8,FD24,CF5F),
-	bn_pack4(98DA,4836,1C55,D39A),
-	bn_pack4(C200,7CB8,A163,BF05),
-	bn_pack4(4928,6651,ECE4,5B3D),
-	bn_pack4(AE9F,2411,7C4B,1FE6),
-	bn_pack4(EE38,6BFB,5A89,9FA5),
-	bn_pack4(0BFF,5CB6,F406,B7ED),
-	bn_pack4(F44C,42E9,A637,ED6B),
-	bn_pack4(E485,B576,625E,7EC6),
-	bn_pack4(4FE1,356D,6D51,C245),
-	bn_pack4(302B,0A6D,F25F,1437),
-	bn_pack4(EF95,19B3,CD3A,431B),
-	bn_pack4(514A,0879,8E34,04DD),
-	bn_pack4(020B,BEA6,3B13,9B22),
-	bn_pack4(2902,4E08,8A67,CC74),
-	bn_pack4(C4C6,628B,80DC,1CD1),
-	bn_pack4(C90F,DAA2,2168,C234),
-	bn_pack4(FFFF,FFFF,FFFF,FFFF)
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF),
+	bn_pack4(0xE694,0xF91E,0x6DCC,0x4024),
+	bn_pack4(0x12BF,0x2D5B,0x0B74,0x74D6),
+	bn_pack4(0x043E,0x8F66,0x3F48,0x60EE),
+	bn_pack4(0x387F,0xE8D7,0x6E3C,0x0468),
+	bn_pack4(0xDA56,0xC9EC,0x2EF2,0x9632),
+	bn_pack4(0xEB19,0xCCB1,0xA313,0xD55C),
+	bn_pack4(0xF550,0xAA3D,0x8A1F,0xBFF0),
+	bn_pack4(0x06A1,0xD58B,0xB7C5,0xDA76),
+	bn_pack4(0xA797,0x15EE,0xF29B,0xE328),
+	bn_pack4(0x14CC,0x5ED2,0x0F80,0x37E0),
+	bn_pack4(0xCC8F,0x6D7E,0xBF48,0xE1D8),
+	bn_pack4(0x4BD4,0x07B2,0x2B41,0x54AA),
+	bn_pack4(0x0F1D,0x45B7,0xFF58,0x5AC5),
+	bn_pack4(0x23A9,0x7A7E,0x36CC,0x88BE),
+	bn_pack4(0x59E7,0xC97F,0xBEC7,0xE8F3),
+	bn_pack4(0xB5A8,0x4031,0x900B,0x1C9E),
+	bn_pack4(0xD55E,0x702F,0x4698,0x0C82),
+	bn_pack4(0xF482,0xD7CE,0x6E74,0xFEF6),
+	bn_pack4(0xF032,0xEA15,0xD172,0x1D03),
+	bn_pack4(0x5983,0xCA01,0xC64B,0x92EC),
+	bn_pack4(0x6FB8,0xF401,0x378C,0xD2BF),
+	bn_pack4(0x3320,0x5151,0x2BD7,0xAF42),
+	bn_pack4(0xDB7F,0x1447,0xE6CC,0x254B),
+	bn_pack4(0x44CE,0x6CBA,0xCED4,0xBB1B),
+	bn_pack4(0xDA3E,0xDBEB,0xCF9B,0x14ED),
+	bn_pack4(0x1797,0x27B0,0x865A,0x8918),
+	bn_pack4(0xB06A,0x53ED,0x9027,0xD831),
+	bn_pack4(0xE5DB,0x382F,0x4130,0x01AE),
+	bn_pack4(0xF8FF,0x9406,0xAD9E,0x530E),
+	bn_pack4(0xC975,0x1E76,0x3DBA,0x37BD),
+	bn_pack4(0xC1D4,0xDCB2,0x6026,0x46DE),
+	bn_pack4(0x36C3,0xFAB4,0xD27C,0x7026),
+	bn_pack4(0x4DF4,0x35C9,0x3402,0x8492),
+	bn_pack4(0x86FF,0xB7DC,0x90A6,0xC08F),
+	bn_pack4(0x93B4,0xEA98,0x8D8F,0xDDC1),
+	bn_pack4(0xD006,0x9127,0xD5B0,0x5AA9),
+	bn_pack4(0xB81B,0xDD76,0x2170,0x481C),
+	bn_pack4(0x1F61,0x2970,0xCEE2,0xD7AF),
+	bn_pack4(0x233B,0xA186,0x515B,0xE7ED),
+	bn_pack4(0x99B2,0x964F,0xA090,0xC3A2),
+	bn_pack4(0x287C,0x5947,0x4E6B,0xC05D),
+	bn_pack4(0x2E8E,0xFC14,0x1FBE,0xCAA6),
+	bn_pack4(0xDBBB,0xC2DB,0x04DE,0x8EF9),
+	bn_pack4(0x2583,0xE9CA,0x2AD4,0x4CE8),
+	bn_pack4(0x1A94,0x6834,0xB615,0x0BDA),
+	bn_pack4(0x99C3,0x2718,0x6AF4,0xE23C),
+	bn_pack4(0x8871,0x9A10,0xBDBA,0x5B26),
+	bn_pack4(0x1A72,0x3C12,0xA787,0xE6D7),
+	bn_pack4(0x4B82,0xD120,0xA921,0x0801),
+	bn_pack4(0x43DB,0x5BFC,0xE0FD,0x108E),
+	bn_pack4(0x08E2,0x4FA0,0x74E5,0xAB31),
+	bn_pack4(0x7709,0x88C0,0xBAD9,0x46E2),
+	bn_pack4(0xBBE1,0x1757,0x7A61,0x5D6C),
+	bn_pack4(0x521F,0x2B18,0x177B,0x200C),
+	bn_pack4(0xD876,0x0273,0x3EC8,0x6A64),
+	bn_pack4(0xF12F,0xFA06,0xD98A,0x0864),
+	bn_pack4(0xCEE3,0xD226,0x1AD2,0xEE6B),
+	bn_pack4(0x1E8C,0x94E0,0x4A25,0x619D),
+	bn_pack4(0xABF5,0xAE8C,0xDB09,0x33D7),
+	bn_pack4(0xB397,0x0F85,0xA6E1,0xE4C7),
+	bn_pack4(0x8AEA,0x7157,0x5D06,0x0C7D),
+	bn_pack4(0xECFB,0x8504,0x58DB,0xEF0A),
+	bn_pack4(0xA855,0x21AB,0xDF1C,0xBA64),
+	bn_pack4(0xAD33,0x170D,0x0450,0x7A33),
+	bn_pack4(0x1572,0x8E5A,0x8AAA,0xC42D),
+	bn_pack4(0x15D2,0x2618,0x98FA,0x0510),
+	bn_pack4(0x3995,0x497C,0xEA95,0x6AE5),
+	bn_pack4(0xDE2B,0xCBF6,0x9558,0x1718),
+	bn_pack4(0xB5C5,0x5DF0,0x6F4C,0x52C9),
+	bn_pack4(0x9B27,0x83A2,0xEC07,0xA28F),
+	bn_pack4(0xE39E,0x772C,0x180E,0x8603),
+	bn_pack4(0x3290,0x5E46,0x2E36,0xCE3B),
+	bn_pack4(0xF174,0x6C08,0xCA18,0x217C),
+	bn_pack4(0x670C,0x354E,0x4ABC,0x9804),
+	bn_pack4(0x9ED5,0x2907,0x7096,0x966D),
+	bn_pack4(0x1C62,0xF356,0x2085,0x52BB),
+	bn_pack4(0x8365,0x5D23,0xDCA3,0xAD96),
+	bn_pack4(0x6916,0x3FA8,0xFD24,0xCF5F),
+	bn_pack4(0x98DA,0x4836,0x1C55,0xD39A),
+	bn_pack4(0xC200,0x7CB8,0xA163,0xBF05),
+	bn_pack4(0x4928,0x6651,0xECE4,0x5B3D),
+	bn_pack4(0xAE9F,0x2411,0x7C4B,0x1FE6),
+	bn_pack4(0xEE38,0x6BFB,0x5A89,0x9FA5),
+	bn_pack4(0x0BFF,0x5CB6,0xF406,0xB7ED),
+	bn_pack4(0xF44C,0x42E9,0xA637,0xED6B),
+	bn_pack4(0xE485,0xB576,0x625E,0x7EC6),
+	bn_pack4(0x4FE1,0x356D,0x6D51,0xC245),
+	bn_pack4(0x302B,0x0A6D,0xF25F,0x1437),
+	bn_pack4(0xEF95,0x19B3,0xCD3A,0x431B),
+	bn_pack4(0x514A,0x0879,0x8E34,0x04DD),
+	bn_pack4(0x020B,0xBEA6,0x3B13,0x9B22),
+	bn_pack4(0x2902,0x4E08,0x8A67,0xCC74),
+	bn_pack4(0xC4C6,0x628B,0x80DC,0x1CD1),
+	bn_pack4(0xC90F,0xDAA2,0x2168,0xC234),
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF)
 };
 static BIGNUM bn_group_6144 = {
 	bn_group_6144_value,
@@ -341,134 +341,134 @@ static BIGNUM bn_group_6144 = {
 };
 
 static BN_ULONG bn_group_8192_value[] = {
-	bn_pack4(FFFF,FFFF,FFFF,FFFF),
-	bn_pack4(60C9,80DD,98ED,D3DF),
-	bn_pack4(C81F,56E8,80B9,6E71),
-	bn_pack4(9E30,50E2,7656,94DF),
-	bn_pack4(9558,E447,5677,E9AA),
-	bn_pack4(C919,0DA6,FC02,6E47),
-	bn_pack4(889A,002E,D5EE,382B),
-	bn_pack4(4009,438B,481C,6CD7),
-	bn_pack4(3590,46F4,EB87,9F92),
-	bn_pack4(FAF3,6BC3,1ECF,A268),
-	bn_pack4(B1D5,10BD,7EE7,4D73),
-	bn_pack4(F9AB,4819,5DED,7EA1),
-	bn_pack4(64F3,1CC5,0846,851D),
-	bn_pack4(4597,E899,A025,5DC1),
-	bn_pack4(DF31,0EE0,74AB,6A36),
-	bn_pack4(6D2A,13F8,3F44,F82D),
-	bn_pack4(062B,3CF5,B3A2,78A6),
-	bn_pack4(7968,3303,ED5B,DD3A),
-	bn_pack4(FA9D,4B7F,A2C0,87E8),
-	bn_pack4(4BCB,C886,2F83,85DD),
-	bn_pack4(3473,FC64,6CEA,306B),
-	bn_pack4(13EB,57A8,1A23,F0C7),
-	bn_pack4(2222,2E04,A403,7C07),
-	bn_pack4(E3FD,B8BE,FC84,8AD9),
-	bn_pack4(238F,16CB,E39D,652D),
-	bn_pack4(3423,B474,2BF1,C978),
-	bn_pack4(3AAB,639C,5AE4,F568),
-	bn_pack4(2576,F693,6BA4,2466),
-	bn_pack4(741F,A7BF,8AFC,47ED),
-	bn_pack4(3BC8,32B6,8D9D,D300),
-	bn_pack4(D8BE,C4D0,73B9,31BA),
-	bn_pack4(3877,7CB6,A932,DF8C),
-	bn_pack4(74A3,926F,12FE,E5E4),
-	bn_pack4(E694,F91E,6DBE,1159),
-	bn_pack4(12BF,2D5B,0B74,74D6),
-	bn_pack4(043E,8F66,3F48,60EE),
-	bn_pack4(387F,E8D7,6E3C,0468),
-	bn_pack4(DA56,C9EC,2EF2,9632),
-	bn_pack4(EB19,CCB1,A313,D55C),
-	bn_pack4(F550,AA3D,8A1F,BFF0),
-	bn_pack4(06A1,D58B,B7C5,DA76),
-	bn_pack4(A797,15EE,F29B,E328),
-	bn_pack4(14CC,5ED2,0F80,37E0),
-	bn_pack4(CC8F,6D7E,BF48,E1D8),
-	bn_pack4(4BD4,07B2,2B41,54AA),
-	bn_pack4(0F1D,45B7,FF58,5AC5),
-	bn_pack4(23A9,7A7E,36CC,88BE),
-	bn_pack4(59E7,C97F,BEC7,E8F3),
-	bn_pack4(B5A8,4031,900B,1C9E),
-	bn_pack4(D55E,702F,4698,0C82),
-	bn_pack4(F482,D7CE,6E74,FEF6),
-	bn_pack4(F032,EA15,D172,1D03),
-	bn_pack4(5983,CA01,C64B,92EC),
-	bn_pack4(6FB8,F401,378C,D2BF),
-	bn_pack4(3320,5151,2BD7,AF42),
-	bn_pack4(DB7F,1447,E6CC,254B),
-	bn_pack4(44CE,6CBA,CED4,BB1B),
-	bn_pack4(DA3E,DBEB,CF9B,14ED),
-	bn_pack4(1797,27B0,865A,8918),
-	bn_pack4(B06A,53ED,9027,D831),
-	bn_pack4(E5DB,382F,4130,01AE),
-	bn_pack4(F8FF,9406,AD9E,530E),
-	bn_pack4(C975,1E76,3DBA,37BD),
-	bn_pack4(C1D4,DCB2,6026,46DE),
-	bn_pack4(36C3,FAB4,D27C,7026),
-	bn_pack4(4DF4,35C9,3402,8492),
-	bn_pack4(86FF,B7DC,90A6,C08F),
-	bn_pack4(93B4,EA98,8D8F,DDC1),
-	bn_pack4(D006,9127,D5B0,5AA9),
-	bn_pack4(B81B,DD76,2170,481C),
-	bn_pack4(1F61,2970,CEE2,D7AF),
-	bn_pack4(233B,A186,515B,E7ED),
-	bn_pack4(99B2,964F,A090,C3A2),
-	bn_pack4(287C,5947,4E6B,C05D),
-	bn_pack4(2E8E,FC14,1FBE,CAA6),
-	bn_pack4(DBBB,C2DB,04DE,8EF9),
-	bn_pack4(2583,E9CA,2AD4,4CE8),
-	bn_pack4(1A94,6834,B615,0BDA),
-	bn_pack4(99C3,2718,6AF4,E23C),
-	bn_pack4(8871,9A10,BDBA,5B26),
-	bn_pack4(1A72,3C12,A787,E6D7),
-	bn_pack4(4B82,D120,A921,0801),
-	bn_pack4(43DB,5BFC,E0FD,108E),
-	bn_pack4(08E2,4FA0,74E5,AB31),
-	bn_pack4(7709,88C0,BAD9,46E2),
-	bn_pack4(BBE1,1757,7A61,5D6C),
-	bn_pack4(521F,2B18,177B,200C),
-	bn_pack4(D876,0273,3EC8,6A64),
-	bn_pack4(F12F,FA06,D98A,0864),
-	bn_pack4(CEE3,D226,1AD2,EE6B),
-	bn_pack4(1E8C,94E0,4A25,619D),
-	bn_pack4(ABF5,AE8C,DB09,33D7),
-	bn_pack4(B397,0F85,A6E1,E4C7),
-	bn_pack4(8AEA,7157,5D06,0C7D),
-	bn_pack4(ECFB,8504,58DB,EF0A),
-	bn_pack4(A855,21AB,DF1C,BA64),
-	bn_pack4(AD33,170D,0450,7A33),
-	bn_pack4(1572,8E5A,8AAA,C42D),
-	bn_pack4(15D2,2618,98FA,0510),
-	bn_pack4(3995,497C,EA95,6AE5),
-	bn_pack4(DE2B,CBF6,9558,1718),
-	bn_pack4(B5C5,5DF0,6F4C,52C9),
-	bn_pack4(9B27,83A2,EC07,A28F),
-	bn_pack4(E39E,772C,180E,8603),
-	bn_pack4(3290,5E46,2E36,CE3B),
-	bn_pack4(F174,6C08,CA18,217C),
-	bn_pack4(670C,354E,4ABC,9804),
-	bn_pack4(9ED5,2907,7096,966D),
-	bn_pack4(1C62,F356,2085,52BB),
-	bn_pack4(8365,5D23,DCA3,AD96),
-	bn_pack4(6916,3FA8,FD24,CF5F),
-	bn_pack4(98DA,4836,1C55,D39A),
-	bn_pack4(C200,7CB8,A163,BF05),
-	bn_pack4(4928,6651,ECE4,5B3D),
-	bn_pack4(AE9F,2411,7C4B,1FE6),
-	bn_pack4(EE38,6BFB,5A89,9FA5),
-	bn_pack4(0BFF,5CB6,F406,B7ED),
-	bn_pack4(F44C,42E9,A637,ED6B),
-	bn_pack4(E485,B576,625E,7EC6),
-	bn_pack4(4FE1,356D,6D51,C245),
-	bn_pack4(302B,0A6D,F25F,1437),
-	bn_pack4(EF95,19B3,CD3A,431B),
-	bn_pack4(514A,0879,8E34,04DD),
-	bn_pack4(020B,BEA6,3B13,9B22),
-	bn_pack4(2902,4E08,8A67,CC74),
-	bn_pack4(C4C6,628B,80DC,1CD1),
-	bn_pack4(C90F,DAA2,2168,C234),
-	bn_pack4(FFFF,FFFF,FFFF,FFFF)
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF),
+	bn_pack4(0x60C9,0x80DD,0x98ED,0xD3DF),
+	bn_pack4(0xC81F,0x56E8,0x80B9,0x6E71),
+	bn_pack4(0x9E30,0x50E2,0x7656,0x94DF),
+	bn_pack4(0x9558,0xE447,0x5677,0xE9AA),
+	bn_pack4(0xC919,0x0DA6,0xFC02,0x6E47),
+	bn_pack4(0x889A,0x002E,0xD5EE,0x382B),
+	bn_pack4(0x4009,0x438B,0x481C,0x6CD7),
+	bn_pack4(0x3590,0x46F4,0xEB87,0x9F92),
+	bn_pack4(0xFAF3,0x6BC3,0x1ECF,0xA268),
+	bn_pack4(0xB1D5,0x10BD,0x7EE7,0x4D73),
+	bn_pack4(0xF9AB,0x4819,0x5DED,0x7EA1),
+	bn_pack4(0x64F3,0x1CC5,0x0846,0x851D),
+	bn_pack4(0x4597,0xE899,0xA025,0x5DC1),
+	bn_pack4(0xDF31,0x0EE0,0x74AB,0x6A36),
+	bn_pack4(0x6D2A,0x13F8,0x3F44,0xF82D),
+	bn_pack4(0x062B,0x3CF5,0xB3A2,0x78A6),
+	bn_pack4(0x7968,0x3303,0xED5B,0xDD3A),
+	bn_pack4(0xFA9D,0x4B7F,0xA2C0,0x87E8),
+	bn_pack4(0x4BCB,0xC886,0x2F83,0x85DD),
+	bn_pack4(0x3473,0xFC64,0x6CEA,0x306B),
+	bn_pack4(0x13EB,0x57A8,0x1A23,0xF0C7),
+	bn_pack4(0x2222,0x2E04,0xA403,0x7C07),
+	bn_pack4(0xE3FD,0xB8BE,0xFC84,0x8AD9),
+	bn_pack4(0x238F,0x16CB,0xE39D,0x652D),
+	bn_pack4(0x3423,0xB474,0x2BF1,0xC978),
+	bn_pack4(0x3AAB,0x639C,0x5AE4,0xF568),
+	bn_pack4(0x2576,0xF693,0x6BA4,0x2466),
+	bn_pack4(0x741F,0xA7BF,0x8AFC,0x47ED),
+	bn_pack4(0x3BC8,0x32B6,0x8D9D,0xD300),
+	bn_pack4(0xD8BE,0xC4D0,0x73B9,0x31BA),
+	bn_pack4(0x3877,0x7CB6,0xA932,0xDF8C),
+	bn_pack4(0x74A3,0x926F,0x12FE,0xE5E4),
+	bn_pack4(0xE694,0xF91E,0x6DBE,0x1159),
+	bn_pack4(0x12BF,0x2D5B,0x0B74,0x74D6),
+	bn_pack4(0x043E,0x8F66,0x3F48,0x60EE),
+	bn_pack4(0x387F,0xE8D7,0x6E3C,0x0468),
+	bn_pack4(0xDA56,0xC9EC,0x2EF2,0x9632),
+	bn_pack4(0xEB19,0xCCB1,0xA313,0xD55C),
+	bn_pack4(0xF550,0xAA3D,0x8A1F,0xBFF0),
+	bn_pack4(0x06A1,0xD58B,0xB7C5,0xDA76),
+	bn_pack4(0xA797,0x15EE,0xF29B,0xE328),
+	bn_pack4(0x14CC,0x5ED2,0x0F80,0x37E0),
+	bn_pack4(0xCC8F,0x6D7E,0xBF48,0xE1D8),
+	bn_pack4(0x4BD4,0x07B2,0x2B41,0x54AA),
+	bn_pack4(0x0F1D,0x45B7,0xFF58,0x5AC5),
+	bn_pack4(0x23A9,0x7A7E,0x36CC,0x88BE),
+	bn_pack4(0x59E7,0xC97F,0xBEC7,0xE8F3),
+	bn_pack4(0xB5A8,0x4031,0x900B,0x1C9E),
+	bn_pack4(0xD55E,0x702F,0x4698,0x0C82),
+	bn_pack4(0xF482,0xD7CE,0x6E74,0xFEF6),
+	bn_pack4(0xF032,0xEA15,0xD172,0x1D03),
+	bn_pack4(0x5983,0xCA01,0xC64B,0x92EC),
+	bn_pack4(0x6FB8,0xF401,0x378C,0xD2BF),
+	bn_pack4(0x3320,0x5151,0x2BD7,0xAF42),
+	bn_pack4(0xDB7F,0x1447,0xE6CC,0x254B),
+	bn_pack4(0x44CE,0x6CBA,0xCED4,0xBB1B),
+	bn_pack4(0xDA3E,0xDBEB,0xCF9B,0x14ED),
+	bn_pack4(0x1797,0x27B0,0x865A,0x8918),
+	bn_pack4(0xB06A,0x53ED,0x9027,0xD831),
+	bn_pack4(0xE5DB,0x382F,0x4130,0x01AE),
+	bn_pack4(0xF8FF,0x9406,0xAD9E,0x530E),
+	bn_pack4(0xC975,0x1E76,0x3DBA,0x37BD),
+	bn_pack4(0xC1D4,0xDCB2,0x6026,0x46DE),
+	bn_pack4(0x36C3,0xFAB4,0xD27C,0x7026),
+	bn_pack4(0x4DF4,0x35C9,0x3402,0x8492),
+	bn_pack4(0x86FF,0xB7DC,0x90A6,0xC08F),
+	bn_pack4(0x93B4,0xEA98,0x8D8F,0xDDC1),
+	bn_pack4(0xD006,0x9127,0xD5B0,0x5AA9),
+	bn_pack4(0xB81B,0xDD76,0x2170,0x481C),
+	bn_pack4(0x1F61,0x2970,0xCEE2,0xD7AF),
+	bn_pack4(0x233B,0xA186,0x515B,0xE7ED),
+	bn_pack4(0x99B2,0x964F,0xA090,0xC3A2),
+	bn_pack4(0x287C,0x5947,0x4E6B,0xC05D),
+	bn_pack4(0x2E8E,0xFC14,0x1FBE,0xCAA6),
+	bn_pack4(0xDBBB,0xC2DB,0x04DE,0x8EF9),
+	bn_pack4(0x2583,0xE9CA,0x2AD4,0x4CE8),
+	bn_pack4(0x1A94,0x6834,0xB615,0x0BDA),
+	bn_pack4(0x99C3,0x2718,0x6AF4,0xE23C),
+	bn_pack4(0x8871,0x9A10,0xBDBA,0x5B26),
+	bn_pack4(0x1A72,0x3C12,0xA787,0xE6D7),
+	bn_pack4(0x4B82,0xD120,0xA921,0x0801),
+	bn_pack4(0x43DB,0x5BFC,0xE0FD,0x108E),
+	bn_pack4(0x08E2,0x4FA0,0x74E5,0xAB31),
+	bn_pack4(0x7709,0x88C0,0xBAD9,0x46E2),
+	bn_pack4(0xBBE1,0x1757,0x7A61,0x5D6C),
+	bn_pack4(0x521F,0x2B18,0x177B,0x200C),
+	bn_pack4(0xD876,0x0273,0x3EC8,0x6A64),
+	bn_pack4(0xF12F,0xFA06,0xD98A,0x0864),
+	bn_pack4(0xCEE3,0xD226,0x1AD2,0xEE6B),
+	bn_pack4(0x1E8C,0x94E0,0x4A25,0x619D),
+	bn_pack4(0xABF5,0xAE8C,0xDB09,0x33D7),
+	bn_pack4(0xB397,0x0F85,0xA6E1,0xE4C7),
+	bn_pack4(0x8AEA,0x7157,0x5D06,0x0C7D),
+	bn_pack4(0xECFB,0x8504,0x58DB,0xEF0A),
+	bn_pack4(0xA855,0x21AB,0xDF1C,0xBA64),
+	bn_pack4(0xAD33,0x170D,0x0450,0x7A33),
+	bn_pack4(0x1572,0x8E5A,0x8AAA,0xC42D),
+	bn_pack4(0x15D2,0x2618,0x98FA,0x0510),
+	bn_pack4(0x3995,0x497C,0xEA95,0x6AE5),
+	bn_pack4(0xDE2B,0xCBF6,0x9558,0x1718),
+	bn_pack4(0xB5C5,0x5DF0,0x6F4C,0x52C9),
+	bn_pack4(0x9B27,0x83A2,0xEC07,0xA28F),
+	bn_pack4(0xE39E,0x772C,0x180E,0x8603),
+	bn_pack4(0x3290,0x5E46,0x2E36,0xCE3B),
+	bn_pack4(0xF174,0x6C08,0xCA18,0x217C),
+	bn_pack4(0x670C,0x354E,0x4ABC,0x9804),
+	bn_pack4(0x9ED5,0x2907,0x7096,0x966D),
+	bn_pack4(0x1C62,0xF356,0x2085,0x52BB),
+	bn_pack4(0x8365,0x5D23,0xDCA3,0xAD96),
+	bn_pack4(0x6916,0x3FA8,0xFD24,0xCF5F),
+	bn_pack4(0x98DA,0x4836,0x1C55,0xD39A),
+	bn_pack4(0xC200,0x7CB8,0xA163,0xBF05),
+	bn_pack4(0x4928,0x6651,0xECE4,0x5B3D),
+	bn_pack4(0xAE9F,0x2411,0x7C4B,0x1FE6),
+	bn_pack4(0xEE38,0x6BFB,0x5A89,0x9FA5),
+	bn_pack4(0x0BFF,0x5CB6,0xF406,0xB7ED),
+	bn_pack4(0xF44C,0x42E9,0xA637,0xED6B),
+	bn_pack4(0xE485,0xB576,0x625E,0x7EC6),
+	bn_pack4(0x4FE1,0x356D,0x6D51,0xC245),
+	bn_pack4(0x302B,0x0A6D,0xF25F,0x1437),
+	bn_pack4(0xEF95,0x19B3,0xCD3A,0x431B),
+	bn_pack4(0x514A,0x0879,0x8E34,0x04DD),
+	bn_pack4(0x020B,0xBEA6,0x3B13,0x9B22),
+	bn_pack4(0x2902,0x4E08,0x8A67,0xCC74),
+	bn_pack4(0xC4C6,0x628B,0x80DC,0x1CD1),
+	bn_pack4(0xC90F,0xDAA2,0x2168,0xC234),
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF)
 };
 static BIGNUM bn_group_8192 = {
 	bn_group_8192_value,
diff --git a/crypto/openssl/crypto/srp/srp_lib.c b/crypto/openssl/crypto/srp/srp_lib.c
index f8369aa9f48b..83d417a3084d 100644
--- a/crypto/openssl/crypto/srp/srp_lib.c
+++ b/crypto/openssl/crypto/srp/srp_lib.c
@@ -63,13 +63,17 @@
 #include <openssl/evp.h>
 
 #if (BN_BYTES == 8)
-#define bn_pack4(a1,a2,a3,a4) 0x##a1##a2##a3##a4##ul
-#endif
-#if (BN_BYTES == 4)
-#define bn_pack4(a1,a2,a3,a4)  0x##a3##a4##ul, 0x##a1##a2##ul
-#endif
-#if (BN_BYTES == 2)
-#define bn_pack4(a1,a2,a3,a4) 0x##a4##u,0x##a3##u,0x##a2##u,0x##a1##u
+# if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
+#  define bn_pack4(a1,a2,a3,a4) ((a1##UI64<<48)|(a2##UI64<<32)|(a3##UI64<<16)|a4##UI64)
+# elif defined(__arch64__)
+#  define bn_pack4(a1,a2,a3,a4) ((a1##UL<<48)|(a2##UL<<32)|(a3##UL<<16)|a4##UL)
+# else
+#  define bn_pack4(a1,a2,a3,a4) ((a1##ULL<<48)|(a2##ULL<<32)|(a3##ULL<<16)|a4##ULL)
+# endif
+#elif (BN_BYTES == 4)
+# define bn_pack4(a1,a2,a3,a4)  ((a3##UL<<16)|a4##UL), ((a1##UL<<16)|a2##UL)
+#else
+# error "unsupported BN_BYTES"
 #endif
 
 
diff --git a/crypto/openssl/crypto/srp/srp_vfy.c b/crypto/openssl/crypto/srp/srp_vfy.c
index 4a3d13edf6cb..fdca19ff7c69 100644
--- a/crypto/openssl/crypto/srp/srp_vfy.c
+++ b/crypto/openssl/crypto/srp/srp_vfy.c
@@ -93,6 +93,9 @@ static int t_fromb64(unsigned char *a, const char *src)
 		else a[i] = loc - b64table;
 		++i;
 		}
+	/* if nothing valid to process we have a zero length response */
+	if (i == 0)
+		return 0;
 	size = i;
 	i = size - 1;
 	j = size;
diff --git a/crypto/openssl/crypto/stack/safestack.h b/crypto/openssl/crypto/stack/safestack.h
index ea3aa0d800ec..bc194cb26817 100644
--- a/crypto/openssl/crypto/stack/safestack.h
+++ b/crypto/openssl/crypto/stack/safestack.h
@@ -57,6 +57,10 @@
 
 #include <openssl/stack.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #ifndef CHECKED_PTR_OF
 #define CHECKED_PTR_OF(type, p) \
     ((void*) (1 ? p : (type*)0))
@@ -2660,4 +2664,8 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
 #define lh_SSL_SESSION_free(lh) LHM_lh_free(SSL_SESSION,lh)
 /* End of util/mkstack.pl block, you may now edit :-) */
 
+
+#ifdef  __cplusplus
+}
+#endif
 #endif /* !defined HEADER_SAFESTACK_H */
diff --git a/crypto/openssl/crypto/symhacks.h b/crypto/openssl/crypto/symhacks.h
index 07a412f84586..bd2f000d597f 100644
--- a/crypto/openssl/crypto/symhacks.h
+++ b/crypto/openssl/crypto/symhacks.h
@@ -204,6 +204,12 @@
 #define SSL_CTX_set_next_protos_advertised_cb	SSL_CTX_set_next_protos_adv_cb
 #undef SSL_CTX_set_next_proto_select_cb
 #define SSL_CTX_set_next_proto_select_cb	SSL_CTX_set_next_proto_sel_cb
+#undef ssl3_cbc_record_digest_supported
+#define ssl3_cbc_record_digest_supported        ssl3_cbc_record_digest_support
+#undef ssl_check_clienthello_tlsext_late
+#define ssl_check_clienthello_tlsext_late       ssl_check_clihello_tlsext_late
+#undef ssl_check_clienthello_tlsext_early
+#define ssl_check_clienthello_tlsext_early      ssl_check_clihello_tlsext_early
 
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
diff --git a/crypto/openssl/crypto/ts/ts_rsp_sign.c b/crypto/openssl/crypto/ts/ts_rsp_sign.c
index b0f023c9d2f8..2c0e94edda16 100644
--- a/crypto/openssl/crypto/ts/ts_rsp_sign.c
+++ b/crypto/openssl/crypto/ts/ts_rsp_sign.c
@@ -977,7 +977,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
 	if (precision > 0)
 	{
 		/* Add fraction of seconds (leave space for dot and null). */
-		BIO_snprintf(p, 2 + precision, ".%ld", usec);
+		BIO_snprintf(p, 2 + precision, ".%06ld", usec);
 		/* We cannot use the snprintf return value, 
 		   because it might have been truncated. */
 		p += strlen(p);
diff --git a/crypto/openssl/crypto/ts/ts_rsp_verify.c b/crypto/openssl/crypto/ts/ts_rsp_verify.c
index afe16afbe454..b7d170afac0a 100644
--- a/crypto/openssl/crypto/ts/ts_rsp_verify.c
+++ b/crypto/openssl/crypto/ts/ts_rsp_verify.c
@@ -629,6 +629,7 @@ static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
 	X509_ALGOR_free(*md_alg);
 	OPENSSL_free(*imprint);
 	*imprint_len = 0;
+	*imprint = NULL;
 	return 0;
 	}
 
diff --git a/crypto/openssl/crypto/ui/ui_lib.c b/crypto/openssl/crypto/ui/ui_lib.c
index a8abc270642a..167da002d24c 100644
--- a/crypto/openssl/crypto/ui/ui_lib.c
+++ b/crypto/openssl/crypto/ui/ui_lib.c
@@ -916,9 +916,9 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
 				break;
 				}
 			}
+		}
 	default:
 		break;
 		}
-		}
 	return 0;
 	}
diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c
index 27ca5150c195..c6602dae4f58 100644
--- a/crypto/openssl/crypto/x509/by_dir.c
+++ b/crypto/openssl/crypto/x509/by_dir.c
@@ -218,7 +218,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
 
 	s=dir;
 	p=s;
-	for (;;p++)
+	do
 		{
 		if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
 			{
@@ -264,9 +264,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
 				return 0;
 				}
 			}
-		if (*p == '\0')
-			break;
-		}
+		} while (*p++ != '\0');
 	return 1;
 	}
 
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index 12d71f54e2e5..920066aeba3b 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	X509_CRL *crl = NULL, *dcrl = NULL;
 	X509 *x;
 	int ok, cnum;
+	unsigned int last_reasons;
 	cnum = ctx->error_depth;
 	x = sk_X509_value(ctx->chain, cnum);
 	ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	ctx->current_reasons = 0;
 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
 		{
+		last_reasons = ctx->current_reasons;
 		/* Try to retrieve relevant CRL */
 		if (ctx->get_crl)
 			ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
 		X509_CRL_free(dcrl);
 		crl = NULL;
 		dcrl = NULL;
+		/* If reasons not updated we wont get anywhere by
+		 * another iteration, so exit loop.
+		 */
+		if (last_reasons == ctx->current_reasons)
+			{
+			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+			ok = ctx->verify_cb(0, ctx);
+			goto err;
+			}
 		}
 	err:
 	X509_CRL_free(crl);
@@ -1451,10 +1462,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	 * a certificate was revoked. This has since been changed since 
 	 * critical extension can change the meaning of CRL entries.
 	 */
-	if (crl->flags & EXFLAG_CRITICAL)
+	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+		&& (crl->flags & EXFLAG_CRITICAL))
 		{
-		if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-			return 1;
 		ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
 		ok = ctx->verify_cb(0, ctx);
 		if(!ok)
diff --git a/crypto/openssl/crypto/x509/x509_vpm.c b/crypto/openssl/crypto/x509/x509_vpm.c
index dfd89d89faf0..ba546bd1fabf 100644
--- a/crypto/openssl/crypto/x509/x509_vpm.c
+++ b/crypto/openssl/crypto/x509/x509_vpm.c
@@ -89,6 +89,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
 	{
 	X509_VERIFY_PARAM *param;
 	param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
+	if (!param)
+		return NULL;
 	memset(param, 0, sizeof(X509_VERIFY_PARAM));
 	x509_verify_param_zero(param);
 	return param;
diff --git a/crypto/openssl/crypto/x509/x_all.c b/crypto/openssl/crypto/x509/x_all.c
index 718f41e7b9f5..fef55f89d9a0 100644
--- a/crypto/openssl/crypto/x509/x_all.c
+++ b/crypto/openssl/crypto/x509/x_all.c
@@ -99,6 +99,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
 	{
+	x->cert_info->enc.modified = 1;
 	return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
 		x->cert_info->signature,
 		x->sig_alg, x->signature, x->cert_info, ctx);
@@ -125,6 +126,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
 	{
+	x->crl->enc.modified = 1;
 	return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
 		x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
 	}
diff --git a/crypto/openssl/crypto/x509v3/v3_ncons.c b/crypto/openssl/crypto/x509v3/v3_ncons.c
index a01dc64dd22e..3b0f1bd1bd0b 100644
--- a/crypto/openssl/crypto/x509v3/v3_ncons.c
+++ b/crypto/openssl/crypto/x509v3/v3_ncons.c
@@ -401,7 +401,7 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
 	if (dns->length > base->length)
 		{
 		dnsptr += dns->length - base->length;
-		if (dnsptr[-1] != '.')
+		if (*baseptr != '.' && dnsptr[-1] != '.')
 			return X509_V_ERR_PERMITTED_VIOLATION;
 		}
 
diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c
index ad688657e01e..f59bfc1844cf 100644
--- a/crypto/openssl/crypto/x509v3/v3_purp.c
+++ b/crypto/openssl/crypto/x509v3/v3_purp.c
@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
 	/* Handle proxy certificates */
 	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
 		if (x->ex_flags & EXFLAG_CA
-		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
-		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+		    || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
+		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
 			x->ex_flags |= EXFLAG_INVALID;
 		}
 		if (pci->pcPathLengthConstraint) {
@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
 		return 0;
 
 	/* Extended Key Usage MUST be critical */
-	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
+	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
 	if (i_ext >= 0)
 		{
 		X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
diff --git a/crypto/openssl/crypto/x86cpuid.pl b/crypto/openssl/crypto/x86cpuid.pl
index c18b0e2486d6..b270b44337d1 100644
--- a/crypto/openssl/crypto/x86cpuid.pl
+++ b/crypto/openssl/crypto/x86cpuid.pl
@@ -67,6 +67,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 	&inc	("esi");		# number of cores
 
 	&mov	("eax",1);
+	&xor	("ecx","ecx");
 	&cpuid	();
 	&bt	("edx",28);
 	&jnc	(&label("generic"));
@@ -91,6 +92,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 
 &set_label("nocacheinfo");
 	&mov	("eax",1);
+	&xor	("ecx","ecx");
 	&cpuid	();
 	&and	("edx",0xbfefffff);	# force reserved bits #20, #30 to 0
 	&cmp	("ebp",0);
diff --git a/crypto/openssl/doc/HOWTO/certificates.txt b/crypto/openssl/doc/HOWTO/certificates.txt
index a8a34c7abc51..65f8fc8296cd 100644
--- a/crypto/openssl/doc/HOWTO/certificates.txt
+++ b/crypto/openssl/doc/HOWTO/certificates.txt
@@ -3,22 +3,22 @@
 
 1. Introduction
 
-How you handle certificates depend a great deal on what your role is.
+How you handle certificates depends a great deal on what your role is.
 Your role can be one or several of:
 
-  - User of some client software
-  - User of some server software
+  - User of some client application
+  - User of some server application
   - Certificate authority
 
 This file is for users who wish to get a certificate of their own.
-Certificate authorities should read ca.txt.
+Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.
 
 In all the cases shown below, the standard configuration file, as
 compiled into openssl, will be used.  You may find it in /etc/,
-/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
-is better described in another HOWTO <config.txt?>.  If you want to
-use a different configuration file, use the argument '-config {file}'
-with the command shown below.
+/usr/local/ssl/ or somewhere else.  By default the file is named
+openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+You can specify a different configuration file using the
+'-config {file}' argument with the commands shown below.
 
 
 2. Relationship with keys
@@ -29,24 +29,26 @@ somewhere.  With OpenSSL, public keys are easily derived from private
 keys, so before you create a certificate or a certificate request, you
 need to create a private key.
 
-Private keys are generated with 'openssl genrsa' if you want a RSA
-private key, or 'openssl gendsa' if you want a DSA private key.
-Further information on how to create private keys can be found in
-another HOWTO <keys.txt?>.  The rest of this text assumes you have
-a private key in the file privkey.pem.
+Private keys are generated with 'openssl genrsa -out privkey.pem' if
+you want a RSA private key, or if you want a DSA private key:
+'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.
+
+The private keys created by these commands are not passphrase protected;
+it might or might not be the desirable thing.  Further information on how to
+create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
+The rest of this text assumes you have a private key in the file privkey.pem.
 
 
 3. Creating a certificate request
 
-To create a certificate, you need to start with a certificate
-request (or, as some certificate authorities like to put
-it, "certificate signing request", since that's exactly what they do,
-they sign it and give you the result back, thus making it authentic
-according to their policies).  A certificate request can then be sent
-to a certificate authority to get it signed into a certificate, or if
-you have your own certificate authority, you may sign it yourself, or
-if you need a self-signed certificate (because you just want a test
-certificate or because you are setting up your own CA).
+To create a certificate, you need to start with a certificate request
+(or, as some certificate authorities like to put it, "certificate
+signing request", since that's exactly what they do, they sign it and
+give you the result back, thus making it authentic according to their
+policies).  A certificate request is sent to a certificate authority
+to get it signed into a certificate. You can also sign the certificate
+yourself if you have your own certificate authority or create a
+self-signed certificate (typically for testing purpose).
 
 The certificate request is created like this:
 
@@ -55,12 +57,14 @@ The certificate request is created like this:
 Now, cert.csr can be sent to the certificate authority, if they can
 handle files in PEM format.  If not, use the extra argument '-outform'
 followed by the keyword for the format to use (see another HOWTO
-<formats.txt?>).  In some cases, that isn't sufficient and you will
-have to be more creative.
+<formats.txt?>).  In some cases, -outform does not let you output the
+certificate request in the right format and you will have to use one
+of the various other commands that are exposed by openssl (or get
+creative and use a combination of tools).
 
-When the certificate authority has then done the checks the need to
-do (and probably gotten payment from you), they will hand over your
-new certificate to you.
+The certificate authority performs various checks (according to their
+policies) and usually waits for payment from you. Once that is
+complete, they send you your new certificate.
 
 Section 5 will tell you more on how to handle the certificate you
 received.
@@ -68,11 +72,12 @@ received.
 
 4. Creating a self-signed test certificate
 
-If you don't want to deal with another certificate authority, or just
-want to create a test certificate for yourself.  This is similar to
-creating a certificate request, but creates a certificate instead of
-a certificate request.  This is NOT the recommended way to create a
-CA certificate, see ca.txt.
+You can create a self-signed certificate if you don't want to deal
+with a certificate authority, or if you just want to create a test
+certificate for yourself.  This is similar to creating a certificate
+request, but creates a certificate instead of a certificate request.
+This is NOT the recommended way to create a CA certificate, see
+https://www.openssl.org/docs/apps/ca.html.
 
   openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
 
@@ -93,13 +98,13 @@ certificate and your key to various formats, most often also putting
 them together into one file.  The ways to do this is described in
 another HOWTO <formats.txt?>, I will just mention the simplest case.
 In the case of a raw DER thing in PEM format, and assuming that's all
-right for yor applications, simply concatenating the certificate and
+right for your applications, simply concatenating the certificate and
 the key into a new file and using that one should be enough.  With
 some applications, you don't even have to do that.
 
 
-By now, you have your cetificate and your private key and can start
-using the software that depend on it.
+By now, you have your certificate and your private key and can start
+using applications that depend on it.
 
 -- 
 Richard Levitte
diff --git a/crypto/openssl/doc/HOWTO/proxy_certificates.txt b/crypto/openssl/doc/HOWTO/proxy_certificates.txt
index f98ec3607678..d78be2f142bf 100644
--- a/crypto/openssl/doc/HOWTO/proxy_certificates.txt
+++ b/crypto/openssl/doc/HOWTO/proxy_certificates.txt
@@ -1,74 +1,69 @@
-<DRAFT!>
 			HOWTO proxy certificates
 
 0. WARNING
 
-NONE OF THE CODE PRESENTED HERE HAVE BEEN CHECKED!  They are just an
-example to show you how things can be done.  There may be typos or
-type conflicts, and you will have to resolve them.
+NONE OF THE CODE PRESENTED HERE HAS BEEN CHECKED!  The code is just examples to
+show you how things could be done.  There might be typos or type conflicts, and
+you will have to resolve them.
 
 1. Introduction
 
-Proxy certificates are defined in RFC 3820.  They are really usual
-certificates with the mandatory extension proxyCertInfo.
+Proxy certificates are defined in RFC 3820.  They are really usual certificates
+with the mandatory extension proxyCertInfo.
 
-Proxy certificates are issued by an End Entity (typically a user),
-either directly with the EE certificate as issuing certificate, or by
-extension through an already issued proxy certificate..  They are used
-to extend rights to some other entity (a computer process, typically,
-or sometimes to the user itself), so it can perform operations in the
-name of the owner of the EE certificate.
+Proxy certificates are issued by an End Entity (typically a user), either
+directly with the EE certificate as issuing certificate, or by extension through
+an already issued proxy certificate.  Proxy certificates are used to extend
+rights to some other entity (a computer process, typically, or sometimes to the
+user itself).  This allows the entity to perform operations on behalf of the
+owner of the EE certificate.
 
 See http://www.ietf.org/rfc/rfc3820.txt for more information.
 
 
 2. A warning about proxy certificates
 
-Noone seems to have tested proxy certificates with security in mind.
-Basically, to this date, it seems that proxy certificates have only
-been used in a world that's highly aware of them.  What would happen
-if an unsuspecting application is to validate a chain of certificates
-that contains proxy certificates?  It would usually consider the leaf
-to be the certificate to check for authorisation data, and since proxy
-certificates are controlled by the EE certificate owner alone, it's
-would be normal to consider what the EE certificate owner could do
-with them.
+No one seems to have tested proxy certificates with security in mind.  To this
+date, it seems that proxy certificates have only been used in a context highly
+aware of them.
 
-subjectAltName and issuerAltName are forbidden in proxy certificates,
-and this is enforced in OpenSSL.  The subject must be the same as the
-issuer, with one commonName added on.
+Existing applications might misbehave when trying to validate a chain of
+certificates which use a proxy certificate.  They might incorrectly consider the
+leaf to be the certificate to check for authorisation data, which is controlled
+by the EE certificate owner.
 
-Possible threats are, as far as has been imagined so far:
+subjectAltName and issuerAltName are forbidden in proxy certificates, and this
+is enforced in OpenSSL.  The subject must be the same as the issuer, with one
+commonName added on.
+
+Possible threats we can think of at this time include:
 
  - impersonation through commonName (think server certificates).
- - use of additional extensions, possibly non-standard ones used in
-   certain environments, that would grant extra or different
-   authorisation rights.
+ - use of additional extensions, possibly non-standard ones used in certain
+   environments, that would grant extra or different authorisation rights.
+
+For these reasons, OpenSSL requires that the use of proxy certificates be
+explicitly allowed.  Currently, this can be done using the following methods:
 
-For this reason, OpenSSL requires that the use of proxy certificates
-be explicitely allowed.  Currently, this can be done using the
-following methods:
+ - if the application directly calls X509_verify_cert(), it can first call:
 
- - if the application calls X509_verify_cert() itself, it can do the
-   following prior to that call (ctx is the pointer passed in the call
-   to X509_verify_cert()):
+   X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
 
-	X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+   Where ctx is the pointer which then gets passed to X509_verify_cert().
 
- - in all other cases, proxy certificate validation can be enabled
-   before starting the application by setting the envirnoment variable
-   OPENSSL_ALLOW_PROXY_CERTS with some non-empty value.
+ - proxy certificate validation can be enabled before starting the application
+   by setting the environment variable OPENSSL_ALLOW_PROXY_CERTS.
 
-There are thoughts to allow proxy certificates with a line in the
-default openssl.cnf, but that's still in the future.
+In the future, it might be possible to enable proxy certificates by editing
+openssl.cnf.
 
 
-3. How to create proxy cerificates
+3. How to create proxy certificates
 
-It's quite easy to create proxy certificates, by taking advantage of
-the lack of checks of the 'openssl x509' application (*ahem*).  But
-first, you need to create a configuration section that contains a
-definition of the proxyCertInfo extension, a little like this:
+Creating proxy certificates is quite easy, by taking advantage of a lack of
+checks in the 'openssl x509' application (*ahem*).  You must first create a
+configuration section that contains a definition of the proxyCertInfo extension,
+for example:
 
   [ v3_proxy ]
   # A proxy certificate MUST NEVER be a CA certificate.
@@ -77,10 +72,10 @@ definition of the proxyCertInfo extension, a little like this:
   # Usual authority key ID
   authorityKeyIdentifier=keyid,issuer:always
 
-  # Now, for the extension that marks this certificate as a proxy one
+  # The extension which marks this certificate as a proxy
   proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
 
-It's also possible to give the proxy extension in a separate section:
+It's also possible to specify the proxy extension in a separate section:
 
   proxyCertInfo=critical,@proxy_ext
 
@@ -89,96 +84,85 @@ It's also possible to give the proxy extension in a separate section:
   pathlen=0
   policy=text:BC
 
-The policy value has a specific syntax, {syntag}:{string}, where the
-syntag determines what will be done with the string.  The recognised
-syntags are as follows:
-
-  text	indicates that the string is simply the bytes, not
-	encoded in any kind of way:
+The policy value has a specific syntax, {syntag}:{string}, where the syntag
+determines what will be done with the string.  The following syntags are
+recognised:
 
-		policy=text:räksmörgås
+  text  indicates that the string is simply bytes, without any encoding:
 
-	Previous versions of this design had a specific tag
-	for UTF-8 text.  However, since the bytes are copied
-	as-is anyway, there's no need for it.  Instead, use
-	the text: tag, like this:
+          policy=text:räksmörgås
 
-		policy=text:räksmörgås
+        Previous versions of this design had a specific tag for UTF-8 text.
+        However, since the bytes are copied as-is anyway, there is no need for
+        such a specific tag.
 
-  hex	indicates the string is encoded in hex, with colons
-	between each byte (every second hex digit):
+  hex   indicates the string is encoded in hex, with colons between each byte
+        (every second hex digit):
 
-		policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
+          policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
 
-	Previous versions of this design had a tag to insert a
-	complete DER blob.  However, the only legal use for
-	this would be to surround the bytes that would go with
-	the hex: tag with what's needed to construct a correct
-	OCTET STRING.  Since hex: does that, the DER tag felt
-	superfluous, and was therefore removed.
+        Previous versions of this design had a tag to insert a complete DER
+        blob.  However, the only legal use for this would be to surround the
+        bytes that would go with the hex: tag with whatever is needed to
+        construct a correct OCTET STRING.  The DER tag therefore felt
+        superfluous, and was removed.
 
-  file	indicates that the text of the policy should really be
-	taken from a file.  The string is then really a file
-	name.  This is useful for policies that are large
-	(more than a few of lines) XML documents, for example.
+  file  indicates that the text of the policy should really be taken from a
+        file.  The string is then really a file name.  This is useful for
+        policies that are large (more than a few lines, e.g. XML documents).
 
 The 'policy' setting can be split up in multiple lines like this:
 
   0.policy=This is
-  1.polisy= a multi-
+  1.policy= a multi-
   2.policy=line policy.
 
-NOTE: the proxy policy value is the part that determines the rights
-granted to the process using the proxy certificate.  The value is
-completely dependent on the application reading and interpretting it!
+NOTE: the proxy policy value is the part which determines the rights granted to
+the process using the proxy certificate.  The value is completely dependent on
+the application reading and interpreting it!
 
-Now that you have created an extension section for your proxy
-certificate, you can now easily create a proxy certificate like this:
+Now that you have created an extension section for your proxy certificate, you
+can easily create a proxy certificate by doing:
 
-  openssl req -new -config openssl.cnf \
-	  -out proxy.req -keyout proxy.key
-  openssl x509 -req -CAcreateserial -in proxy.req -days 7 \
-	  -out proxy.crt -CA user.crt -CAkey user.key \
-	  -extfile openssl.cnf -extensions v3_proxy
+  openssl req -new -config openssl.cnf -out proxy.req -keyout proxy.key
+  openssl x509 -req -CAcreateserial -in proxy.req -days 7 -out proxy.crt \
+    -CA user.crt -CAkey user.key -extfile openssl.cnf -extensions v3_proxy
 
-It's just as easy to create a proxy certificate using another proxy
-certificate as issuer (note that I'm using a different configuration
-section for it):
+You can also create a proxy certificate using another proxy certificate as
+issuer (note: I'm using a different configuration section for it):
 
-  openssl req -new -config openssl.cnf \
-	  -out proxy2.req -keyout proxy2.key
-  openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
-	  -out proxy2.crt -CA proxy.crt -CAkey proxy.key \
-	  -extfile openssl.cnf -extensions v3_proxy2
+  openssl req -new -config openssl.cnf -out proxy2.req -keyout proxy2.key
+  openssl x509 -req -CAcreateserial -in proxy2.req -days 7 -out proxy2.crt \
+    -CA proxy.crt -CAkey proxy.key -extfile openssl.cnf -extensions v3_proxy2
 
 
 4. How to have your application interpret the policy?
 
-The basic way to interpret proxy policies is to prepare some default
-rights, then do a check of the proxy certificate against the a chain
-of proxy certificates, user certificate and CA certificates, and see
-what rights came out by the end.  Sounds easy, huh?  It almost is.
+The basic way to interpret proxy policies is to start with some default rights,
+then compute the resulting rights by checking the proxy certificate against
+the chain of proxy certificates, user certificate and CA certificates. You then
+use the final computed rights.  Sounds easy, huh?  It almost is.
 
-The slightly complicated part is how to pass data between your
+The slightly complicated part is figuring out how to pass data between your
 application and the certificate validation procedure.
 
 You need the following ingredients:
 
- - a callback routing that will be called for every certificate that's
-   validated.  It will be called several times for each certificates,
-   so you must be attentive to when it's a good time to do the proxy
-   policy interpretation and check, as well as to fill in the defaults
-   when the EE certificate is checked.
+ - a callback function that will be called for every certificate being
+   validated.  The callback be called several times for each certificate,
+   so you must be careful to do the proxy policy interpretation at the right
+   time.  You also need to fill in the defaults when the EE certificate is
+   checked.
 
- - a structure of data that's shared between your application code and
-   the callback.
+ - a data structure that is shared between your application code and the
+   callback.
 
  - a wrapper function that sets it all up.
 
- - an ex_data index function that creates an index into the generic
-   ex_data store that's attached to an X509 validation context.
+ - an ex_data index function that creates an index into the generic ex_data
+   store that is attached to an X509 validation context.
 
-This is some cookbook code for you to fill in:
+Here is some skeleton code you can fill in:
 
   /* In this example, I will use a view of granted rights as a bit
      array, one bit for each possible right.  */
@@ -210,7 +194,7 @@ This is some cookbook code for you to fill in:
   static int verify_callback(int ok, X509_STORE_CTX *ctx)
   {
     if (ok == 1) /* It's REALLY important you keep the proxy policy
-                    check within this secion.  It's important to know
+                    check within this section.  It's important to know
                     that when ok is 1, the certificates are checked
                     from top to bottom.  You get the CA root first,
                     followed by the possible chain of intermediate
@@ -221,7 +205,7 @@ This is some cookbook code for you to fill in:
 
         if (xs->ex_flags & EXFLAG_PROXY)
           {
-	    YOUR_RIGHTS *rights =
+            YOUR_RIGHTS *rights =
               (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
                 get_proxy_auth_ex_data_idx());
             PROXY_CERT_INFO_EXTENSION *pci =
@@ -250,12 +234,12 @@ This is some cookbook code for you to fill in:
                    bit array and fill it with the rights granted by
                    the current proxy certificate, then use it as a
                    mask on the accumulated rights bit array, and
-                   voilà, you now have a new accumulated rights bit
+                   voilà, you now have a new accumulated rights bit
                    array.  */
                 {
                   int i;
                   YOUR_RIGHTS tmp_rights;
-		  memset(tmp_rights.rights, 0, sizeof(tmp_rights.rights));
+                  memset(tmp_rights.rights, 0, sizeof(tmp_rights.rights));
 
                   /* process_rights() is supposed to be a procedure
                      that takes a string and it's length, interprets
@@ -276,7 +260,7 @@ This is some cookbook code for you to fill in:
           {
             /* We have a EE certificate, let's use it to set default!
             */
-	    YOUR_RIGHTS *rights =
+            YOUR_RIGHTS *rights =
               (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
                 get_proxy_auth_ex_data_idx());
 
diff --git a/crypto/openssl/doc/apps/asn1parse.pod b/crypto/openssl/doc/apps/asn1parse.pod
index f7bb92621168..76a765daf95b 100644
--- a/crypto/openssl/doc/apps/asn1parse.pod
+++ b/crypto/openssl/doc/apps/asn1parse.pod
@@ -15,6 +15,8 @@ B<openssl> B<asn1parse>
 [B<-length number>]
 [B<-i>]
 [B<-oid filename>]
+[B<-dump>]
+[B<-dlimit num>]
 [B<-strparse offset>]
 [B<-genstr string>]
 [B<-genconf file>]
@@ -64,6 +66,14 @@ indents the output according to the "depth" of the structures.
 a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
 file is described in the NOTES section below.
 
+=item B<-dump>
+
+dump unknown data in hex format.
+
+=item B<-dlimit num>
+
+like B<-dump>, but only the first B<num> bytes are output.
+
 =item B<-strparse offset>
 
 parse the contents octets of the ASN.1 object starting at B<offset>. This
diff --git a/crypto/openssl/doc/apps/c_rehash.pod b/crypto/openssl/doc/apps/c_rehash.pod
new file mode 100644
index 000000000000..c564e8631552
--- /dev/null
+++ b/crypto/openssl/doc/apps/c_rehash.pod
@@ -0,0 +1,81 @@
+=pod
+
+=for comment
+Original text by James Westby, contributed under the OpenSSL license.
+
+=head1 NAME
+
+c_rehash - Create symbolic links to files named by the hash values
+
+=head1 SYNOPSIS
+
+B<c_rehash>
+[ I<directory>...]
+
+=head1 DESCRIPTION
+
+B<c_rehash> scans directories and calculates a hash value of each C<.pem>
+file in the specified directory list and creates symbolic links
+for each file, where the name of the link is the hash value.
+This utility is useful as many programs that use OpenSSL require
+directories to be set up like this in order to find certificates.
+
+If any directories are named on the command line, then those are
+processed in turn. If not, then the B<SSL_CERT_DIR> environment variable
+is consulted; this shold be a colon-separated list of directories,
+like the Unix B<PATH> variable.
+If that is not set then the default directory (installation-specific
+but often B</usr/local/ssl/certs>) is processed.
+
+In order for a directory to be processed, the user must have write
+permissions on that directory, otherwise it will be skipped.
+The links created are of the form C<HHHHHHHH.D>, where each B<H>
+is a hexadecimal character and B<D> is a single decimal digit.
+When processing a directory, B<c_rehash> will first remove all links
+that have a name in that syntax. If you have links in that format
+used for other purposes, they will be removed.
+Hashes for CRL's look similar except the letter B<r> appears after
+the period, like this: C<HHHHHHHH.rD>.
+
+Multiple objects may have the same hash; they will be indicated by
+incrementing the B<D> value. Duplicates are found by comparing the
+full SHA-1 fingerprint. A warning will be displayed if a duplicate
+is found.
+
+A warning will also be displayed if there are B<.pem> files that
+cannot be parsed as either a certificate or a CRL.
+
+The program uses the B<openssl> program to compute the hashes and
+fingerprints. If not found in the user's B<PATH>, then set the
+B<OPENSSL> environment variable to the full pathname.
+Any program can be used, it will be invoked as follows for either
+a certificate or CRL:
+
+  $OPENSSL x509 -hash -fingerprint -noout -in FFFFFF
+  $OPENSSL crl -hash -fingerprint -noout -in FFFFFF
+
+where B<FFFFFF> is the filename. It must output the hash of the
+file on the first line, and the fingerprint on the second,
+optionally prefixed with some text and an equals sign.
+
+=head1 ENVIRONMENT
+
+=over
+
+=item B<OPENSSL>
+
+The path to an executable to use to generate hashes and
+fingerprints (see above).
+
+=item B<SSL_CERT_DIR>
+
+Colon separated list of directories to operate on.
+Ignored if directories are listed on the command line.
+
+=back
+
+=head1 SEE ALSO
+
+L<openssl(1)|openssl(1)>,
+L<crl(1)|crl(1)>.
+L<x509(1)|x509(1)>.
diff --git a/crypto/openssl/doc/apps/ca.pod b/crypto/openssl/doc/apps/ca.pod
index bcf4959f383a..f600f553b1a7 100644
--- a/crypto/openssl/doc/apps/ca.pod
+++ b/crypto/openssl/doc/apps/ca.pod
@@ -13,6 +13,8 @@ B<openssl> B<ca>
 [B<-name section>]
 [B<-gencrl>]
 [B<-revoke file>]
+[B<-status serial>]
+[B<-updatedb>]
 [B<-crl_reason reason>]
 [B<-crl_hold instruction>]
 [B<-crl_compromise time>]
@@ -26,6 +28,7 @@ B<openssl> B<ca>
 [B<-md arg>]
 [B<-policy arg>]
 [B<-keyfile arg>]
+[B<-keyform PEM|DER>]
 [B<-key arg>]
 [B<-passin arg>]
 [B<-cert file>]
@@ -83,7 +86,7 @@ a single self signed certificate to be signed by the CA.
 
 a file containing a single Netscape signed public key and challenge
 and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
-section for information on the required format.
+section for information on the required input and output format.
 
 =item B<-infiles>
 
@@ -94,7 +97,7 @@ are assumed to be the names of files containing certificate requests.
 
 the output file to output certificates to. The default is standard
 output. The certificate details will also be printed out to this
-file.
+file in PEM format (except that B<-spkac> outputs DER format).
 
 =item B<-outdir directory>
 
@@ -110,6 +113,11 @@ the CA certificate file.
 
 the private key to sign requests with.
 
+=item B<-keyform PEM|DER>
+
+the format of the data in the private key file.
+The default is PEM.
+
 =item B<-key password>
 
 the password used to encrypt the private key. Since on some
@@ -267,6 +275,15 @@ the number of hours before the next CRL is due.
 
 a filename containing a certificate to revoke.
 
+=item B<-status serial>
+
+displays the revocation status of the certificate with the specified
+serial number and exits.
+
+=item B<-updatedb>
+
+Updates the database index to purge expired certificates.
+
 =item B<-crl_reason reason>
 
 revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
@@ -499,6 +516,10 @@ the SPKAC and also the required DN components as name value pairs.
 If you need to include the same component twice then it can be
 preceded by a number and a '.'.
 
+When processing SPKAC format, the output is DER if the B<-out>
+flag is used, but PEM format if sending to stdout or the B<-outdir>
+flag is used.
+
 =head1 EXAMPLES
 
 Note: these examples assume that the B<ca> directory structure is
diff --git a/crypto/openssl/doc/apps/ciphers.pod b/crypto/openssl/doc/apps/ciphers.pod
index f44aa00a2fdb..6086d0a7154f 100644
--- a/crypto/openssl/doc/apps/ciphers.pod
+++ b/crypto/openssl/doc/apps/ciphers.pod
@@ -36,7 +36,7 @@ SSL v2 and for SSL v3/TLS v1.
 
 =item B<-V>
 
-Like B<-V>, but include cipher suite codes in output (hex format).
+Like B<-v>, but include cipher suite codes in output (hex format).
 
 =item B<-ssl3>
 
@@ -116,8 +116,8 @@ specified.
 =item B<COMPLEMENTOFDEFAULT>
 
 the ciphers included in B<ALL>, but not enabled by default. Currently
-this is B<ADH>. Note that this rule does not cover B<eNULL>, which is
-not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
+this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>,
+which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
 
 =item B<ALL>
 
@@ -165,21 +165,58 @@ included.
 =item B<aNULL>
 
 the cipher suites offering no authentication. This is currently the anonymous
-DH algorithms. These cipher suites are vulnerable to a "man in the middle"
-attack and so their use is normally discouraged.
+DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
+to a "man in the middle" attack and so their use is normally discouraged.
 
 =item B<kRSA>, B<RSA>
 
 cipher suites using RSA key exchange.
 
+=item B<kDHr>, B<kDHd>, B<kDH>
+
+cipher suites using DH key agreement and DH certificates signed by CAs with RSA
+and DSS keys or either respectively. Not implemented.
+
 =item B<kEDH>
 
-cipher suites using ephemeral DH key agreement.
+cipher suites using ephemeral DH key agreement, including anonymous cipher
+suites.
 
-=item B<kDHr>, B<kDHd>
+=item B<EDH>
 
-cipher suites using DH key agreement and DH certificates signed by CAs with RSA
-and DSS keys respectively. Not implemented.
+cipher suites using authenticated ephemeral DH key agreement.
+
+=item B<ADH>
+
+anonymous DH cipher suites, note that this does not include anonymous Elliptic
+Curve DH (ECDH) cipher suites.
+
+=item B<DH>
+
+cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.
+
+=item B<kECDHr>, B<kECDHe>, B<kECDH>
+
+cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA
+keys or either respectively.
+
+=item B<kEECDH>
+
+cipher suites using ephemeral ECDH key agreement, including anonymous
+cipher suites.
+
+=item B<EECDHE>
+
+cipher suites using authenticated ephemeral ECDH key agreement.
+
+=item B<AECDH>
+
+anonymous Elliptic Curve Diffie Hellman cipher suites.
+
+=item B<ECDH>
+
+cipher suites using ECDH key exchange, including anonymous, ephemeral and
+fixed ECDH.
 
 =item B<aRSA>
 
@@ -194,30 +231,39 @@ cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
 cipher suites effectively using DH authentication, i.e. the certificates carry
 DH keys.  Not implemented.
 
+=item B<aECDH>
+
+cipher suites effectively using ECDH authentication, i.e. the certificates
+carry ECDH keys.
+
+=item B<aECDSA>, B<ECDSA>
+
+cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
+keys.
+
 =item B<kFZA>, B<aFZA>, B<eFZA>, B<FZA>
 
 ciphers suites using FORTEZZA key exchange, authentication, encryption or all
 FORTEZZA algorithms. Not implemented.
 
-=item B<TLSv1>, B<SSLv3>, B<SSLv2>
-
-TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
+=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
 
-=item B<DH>
-
-cipher suites using DH, including anonymous DH.
+TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
+there are no ciphersuites specific to TLS v1.1.
 
-=item B<ADH>
+=item B<AES128>, B<AES256>, B<AES>
 
-anonymous DH cipher suites.
+cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.
 
-=item B<AES>
+=item B<AESGCM>
 
-cipher suites using AES.
+AES in Galois Counter Mode (GCM): these ciphersuites are only supported
+in TLS v1.2.
 
-=item B<CAMELLIA>
+=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
 
-cipher suites using Camellia.
+cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
+CAMELLIA.
 
 =item B<3DES>
 
@@ -251,6 +297,10 @@ cipher suites using MD5.
 
 cipher suites using SHA1.
 
+=item B<SHA256>, B<SHA384>
+
+ciphersuites using SHA256 or SHA384.
+
 =item B<aGOST> 
 
 cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction
@@ -277,6 +327,9 @@ cipher suites, using HMAC based on GOST R 34.11-94.
 
 cipher suites using GOST 28147-89 MAC B<instead of> HMAC.
 
+=item B<PSK>
+
+cipher suites using pre-shared keys (PSK).
 
 =back
 
@@ -423,7 +476,100 @@ Note: these ciphers can also be used in SSL v3.
  TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024-DHE-DSS-RC4-SHA
  TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
 
-=head2 SSL v2.0 cipher suites.
+=head2 Elliptic curve cipher suites.
+
+ TLS_ECDH_RSA_WITH_NULL_SHA              ECDH-RSA-NULL-SHA
+ TLS_ECDH_RSA_WITH_RC4_128_SHA           ECDH-RSA-RC4-SHA
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA      ECDH-RSA-DES-CBC3-SHA
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA       ECDH-RSA-AES128-SHA
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA       ECDH-RSA-AES256-SHA
+
+ TLS_ECDH_ECDSA_WITH_NULL_SHA            ECDH-ECDSA-NULL-SHA
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA         ECDH-ECDSA-RC4-SHA
+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA    ECDH-ECDSA-DES-CBC3-SHA
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA     ECDH-ECDSA-AES128-SHA
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA     ECDH-ECDSA-AES256-SHA
+
+ TLS_ECDHE_RSA_WITH_NULL_SHA             ECDHE-RSA-NULL-SHA
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA          ECDHE-RSA-RC4-SHA
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     ECDHE-RSA-DES-CBC3-SHA
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDHE-RSA-AES128-SHA
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDHE-RSA-AES256-SHA
+
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA           ECDHE-ECDSA-NULL-SHA
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        ECDHE-ECDSA-RC4-SHA
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   ECDHE-ECDSA-DES-CBC3-SHA
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    ECDHE-ECDSA-AES128-SHA
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    ECDHE-ECDSA-AES256-SHA
+
+ TLS_ECDH_anon_WITH_NULL_SHA             AECDH-NULL-SHA
+ TLS_ECDH_anon_WITH_RC4_128_SHA          AECDH-RC4-SHA
+ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA     AECDH-DES-CBC3-SHA
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA      AECDH-AES128-SHA
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA      AECDH-AES256-SHA
+
+=head2 TLS v1.2 cipher suites
+
+ TLS_RSA_WITH_NULL_SHA256                  NULL-SHA256
+
+ TLS_RSA_WITH_AES_128_CBC_SHA256           AES128-SHA256
+ TLS_RSA_WITH_AES_256_CBC_SHA256           AES256-SHA256
+ TLS_RSA_WITH_AES_128_GCM_SHA256           AES128-GCM-SHA256
+ TLS_RSA_WITH_AES_256_GCM_SHA384           AES256-GCM-SHA384
+
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA256        Not implemented.
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA256        Not implemented.
+ TLS_DH_RSA_WITH_AES_128_GCM_SHA256        Not implemented.
+ TLS_DH_RSA_WITH_AES_256_GCM_SHA384        Not implemented.
+
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA256        Not implemented.
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA256        Not implemented.
+ TLS_DH_DSS_WITH_AES_128_GCM_SHA256        Not implemented.
+ TLS_DH_DSS_WITH_AES_256_GCM_SHA384        Not implemented.
+
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE-RSA-AES128-SHA256
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE-RSA-AES256-SHA256
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE-RSA-AES128-GCM-SHA256
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE-RSA-AES256-GCM-SHA384
+
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE-DSS-AES128-SHA256
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE-DSS-AES256-SHA256
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE-DSS-AES128-GCM-SHA256
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE-DSS-AES256-GCM-SHA384
+
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256      ECDH-RSA-AES128-SHA256
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384      ECDH-RSA-AES256-SHA384
+ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256      ECDH-RSA-AES128-GCM-SHA256
+ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384      ECDH-RSA-AES256-GCM-SHA384
+
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
+ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
+ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384
+
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE-RSA-AES128-SHA256
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE-RSA-AES256-SHA384
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384
+
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE-ECDSA-AES128-SHA256
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE-ECDSA-AES128-GCM-SHA256
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE-ECDSA-AES256-GCM-SHA384
+
+ TLS_DH_anon_WITH_AES_128_CBC_SHA256       ADH-AES128-SHA256
+ TLS_DH_anon_WITH_AES_256_CBC_SHA256       ADH-AES256-SHA256
+ TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH-AES128-GCM-SHA256
+ TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH-AES256-GCM-SHA384
+
+=head2 Pre shared keying (PSK) cipheruites
+
+ TLS_PSK_WITH_RC4_128_SHA                  PSK-RC4-SHA
+ TLS_PSK_WITH_3DES_EDE_CBC_SHA             PSK-3DES-EDE-CBC-SHA
+ TLS_PSK_WITH_AES_128_CBC_SHA              PSK-AES128-CBC-SHA
+ TLS_PSK_WITH_AES_256_CBC_SHA              PSK-AES256-CBC-SHA
+
+=head2 Deprecated SSL v2.0 cipher suites.
 
  SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
  SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
@@ -452,6 +598,11 @@ strength:
 
  openssl ciphers -v 'ALL:!ADH:@STRENGTH'
 
+Include all ciphers except ones with no encryption (eNULL) or no
+authentication (aNULL):
+
+ openssl ciphers -v 'ALL:!aNULL'
+
 Include only 3DES ciphers and then place RSA ciphers last:
 
  openssl ciphers -v '3DES:+RSA'
diff --git a/crypto/openssl/doc/apps/cms.pod b/crypto/openssl/doc/apps/cms.pod
index a09588a18df4..75b698834a28 100644
--- a/crypto/openssl/doc/apps/cms.pod
+++ b/crypto/openssl/doc/apps/cms.pod
@@ -90,6 +90,11 @@ decrypt mail using the supplied certificate and private key. Expects an
 encrypted mail message in MIME format for the input file. The decrypted mail
 is written to the output file.
 
+=item B<-debug_decrypt>
+
+this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
+with caution: see the notes section below.
+
 =item B<-sign>
 
 sign mail using the supplied certificate and private key. Input file is
@@ -138,7 +143,7 @@ output an error.
 
 =item B<-EncryptedData_encrypt>
 
-Encrypt suppled content using supplied symmetric key and algorithm using a CMS
+Encrypt content using supplied symmetric key and algorithm using a CMS
 B<EncrytedData> type and output the content.
 
 =item B<-sign_receipt>
@@ -446,32 +451,42 @@ Streaming is always used for the B<-sign> operation with detached data but
 since the content is no longer part of the CMS structure the encoding
 remains DER.
 
+If the B<-decrypt> option is used without a recipient certificate then an
+attempt is made to locate the recipient by trying each potential recipient
+in turn using the supplied private key. To thwart the MMA attack
+(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
+tried whether they succeed or not and if no recipients match the message
+is "decrypted" using a random key which will typically output garbage. 
+The B<-debug_decrypt> option can be used to disable the MMA attack protection
+and return an error if no recipient can be found: this option should be used
+with caution. For a fuller description see L<CMS_decrypt(3)|CMS_decrypt(3)>).
+
 =head1 EXIT CODES
 
 =over 4
 
-=item 0
+=item Z<>0
 
 the operation was completely successfully.
 
-=item 1 
+=item Z<>1
 
 an error occurred parsing the command options.
 
-=item 2
+=item Z<>2
 
 one of the input files could not be read.
 
-=item 3
+=item Z<>3
 
 an error occurred creating the CMS file or when reading the MIME
 message.
 
-=item 4
+=item Z<>4
 
 an error occurred decrypting or verifying the message.
 
-=item 5
+=item Z<>5
 
 the message was verified correctly but an error occurred writing out
 the signers certificates.
diff --git a/crypto/openssl/doc/apps/config.pod b/crypto/openssl/doc/apps/config.pod
index d94b539e26ca..d9796c3c51cb 100644
--- a/crypto/openssl/doc/apps/config.pod
+++ b/crypto/openssl/doc/apps/config.pod
@@ -119,7 +119,7 @@ variable points to a section containing further ENGINE configuration
 information.
 
 The section pointed to by B<engines> is a table of engine names (though see
-B<engine_id> below) and further sections containing configuration informations
+B<engine_id> below) and further sections containing configuration information
 specific to each ENGINE.
 
 Each ENGINE specific section is used to set default algorithms, load
diff --git a/crypto/openssl/doc/apps/crl.pod b/crypto/openssl/doc/apps/crl.pod
index a40c873b9568..044a9da91545 100644
--- a/crypto/openssl/doc/apps/crl.pod
+++ b/crypto/openssl/doc/apps/crl.pod
@@ -12,6 +12,7 @@ B<openssl> B<crl>
 [B<-text>]
 [B<-in filename>]
 [B<-out filename>]
+[B<-nameopt option>]
 [B<-noout>]
 [B<-hash>]
 [B<-issuer>]
@@ -53,6 +54,11 @@ default.
 
 print out the CRL in text form.
 
+=item B<-nameopt option>
+
+option which determines how the subject or issuer names are displayed. See
+the description of B<-nameopt> in L<x509(1)|x509(1)>.
+
 =item B<-noout>
 
 don't output the encoded version of the CRL.
@@ -62,6 +68,11 @@ don't output the encoded version of the CRL.
 output a hash of the issuer name. This can be use to lookup CRLs in
 a directory by issuer name.
 
+=item B<-hash_old>
+
+outputs the "hash" of the CRL issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
 =item B<-issuer>
 
 output the issuer name.
diff --git a/crypto/openssl/doc/apps/dgst.pod b/crypto/openssl/doc/apps/dgst.pod
index d79fb5cbc1c9..405847ad8cb1 100644
--- a/crypto/openssl/doc/apps/dgst.pod
+++ b/crypto/openssl/doc/apps/dgst.pod
@@ -2,16 +2,19 @@
 
 =head1 NAME
 
-dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests
+dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 - message digests
 
 =head1 SYNOPSIS
 
 B<openssl> B<dgst> 
-[B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>]
+[B<-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md2|-md4|-md5|-dss1>]
 [B<-c>]
 [B<-d>]
 [B<-hex>]
 [B<-binary>]
+[B<-r>]
+[B<-hmac arg>]
+[B<-non-fips-allow>]
 [B<-out filename>]
 [B<-sign filename>]
 [B<-keyform arg>]
@@ -20,17 +23,19 @@ B<openssl> B<dgst>
 [B<-prverify filename>]
 [B<-signature filename>]
 [B<-hmac key>]
+[B<-non-fips-allow>]
+[B<-fips-fingerprint>]
 [B<file...>]
 
-[B<md5|md4|md2|sha1|sha|mdc2|ripemd160>]
-[B<-c>]
-[B<-d>]
-[B<file...>]
+B<openssl>
+[I<digest>]
+[B<...>]
 
 =head1 DESCRIPTION
 
 The digest functions output the message digest of a supplied file or files
-in hexadecimal form. They can also be used for digital signing and verification.
+in hexadecimal.  The digest functions also generate and verify digital
+signatures using message digests.
 
 =head1 OPTIONS
 
@@ -48,12 +53,26 @@ print out BIO debugging information.
 =item B<-hex>
 
 digest is to be output as a hex dump. This is the default case for a "normal"
-digest as opposed to a digital signature.
+digest as opposed to a digital signature.  See NOTES below for digital
+signatures using B<-hex>.
 
 =item B<-binary>
 
 output the digest or signature in binary form.
 
+=item B<-r>
+
+output the digest in the "coreutils" format used by programs like B<sha1sum>.
+
+=item B<-hmac arg>
+
+set the HMAC key to "arg".
+
+=item B<-non-fips-allow>
+
+Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in
+FIPS mode.
+
 =item B<-out filename>
 
 filename to output to, or standard output by default.
@@ -64,8 +83,8 @@ digitally sign the digest using the private key in "filename".
 
 =item B<-keyform arg>
 
-Specifies the key format to sign digest with. Only PEM and ENGINE
-formats are supported by the B<dgst> command.
+Specifies the key format to sign digest with. The DER, PEM, P12,
+and ENGINE formats are supported.
 
 =item B<-engine id>
 
@@ -117,7 +136,7 @@ Following options are supported by both by B<HMAC> and B<gost-mac>:
 =over 8
 
 =item B<key:string>
-	
+
 Specifies MAC key as alphnumeric string (use if key contain printable
 characters only). String length must conform to any restrictions of
 the MAC algorithm for example exactly 32 chars for gost-mac.
@@ -138,6 +157,15 @@ Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others. 
 
+=item B<-non-fips-allow>
+
+enable use of non-FIPS algorithms such as MD5 even in FIPS mode.
+
+=item B<-fips-fingerprint>
+
+compute HMAC using a specific key
+for certain OpenSSL-FIPS operations.
+
 =item B<file...>
 
 file or files to digest. If no files are specified then standard input is
@@ -145,18 +173,41 @@ used.
 
 =back
 
+
+=head1 EXAMPLES
+
+To create a hex-encoded message digest of a file:
+ openssl dgst -md5 -hex file.txt
+
+To sign a file using SHA-256 with binary file output:
+ openssl dgst -sha256 -sign privatekey.pem -out signature.sign file.txt
+
+To verify a signature:
+ openssl dgst -sha256 -verify publickey.pem \
+ -signature signature.sign \
+ file.txt
+
+
 =head1 NOTES
 
 The digest of choice for all new applications is SHA1. Other digests are
 however still widely used.
 
-If you wish to sign or verify data using the DSA algorithm then the dss1
-digest must be used.
+When signing a file, B<dgst> will automatically determine the algorithm
+(RSA, ECC, etc) to use for signing based on the private key's ASN.1 info.
+When verifying signatures, it only handles the RSA, DSA, or ECDSA signature
+itself, not the related data to identify the signer and algorithm used in
+formats such as x.509, CMS, and S/MIME.
 
 A source of random numbers is required for certain signing algorithms, in
-particular DSA.
+particular ECDSA and DSA.
 
 The signing and verify options should only be used if a single file is
 being signed or verified.
 
+Hex signatures cannot be verified using B<openssl>.  Instead, use "xxd -r"
+or similar program to transform the hex signature into a binary signature
+prior to verification.
+
+
 =cut
diff --git a/crypto/openssl/doc/apps/dhparam.pod b/crypto/openssl/doc/apps/dhparam.pod
index 9edb4ff4e1dd..6e27cf5c1516 100644
--- a/crypto/openssl/doc/apps/dhparam.pod
+++ b/crypto/openssl/doc/apps/dhparam.pod
@@ -12,6 +12,7 @@ B<openssl dhparam>
 [B<-in> I<filename>]
 [B<-out> I<filename>]
 [B<-dsaparam>]
+[B<-check>]
 [B<-noout>]
 [B<-text>]
 [B<-C>]
@@ -64,6 +65,10 @@ exchange more efficient.  Beware that with such DSA-style DH
 parameters, a fresh DH key should be created for each use to
 avoid small-subgroup attacks that may be possible otherwise.
 
+=item B<-check>
+
+check if the parameters are valid primes and generator.
+
 =item B<-2>, B<-5>
 
 The generator to use, either 2 or 5. 2 is the default. If present then the
diff --git a/crypto/openssl/doc/apps/dsa.pod b/crypto/openssl/doc/apps/dsa.pod
index ddbc9327fabd..8bf6cc9dcad6 100644
--- a/crypto/openssl/doc/apps/dsa.pod
+++ b/crypto/openssl/doc/apps/dsa.pod
@@ -13,6 +13,12 @@ B<openssl> B<dsa>
 [B<-passin arg>]
 [B<-out filename>]
 [B<-passout arg>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
@@ -74,10 +80,10 @@ filename.
 the output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 
-=item B<-des|-des3|-idea>
+=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, or the 
-IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+These options encrypt the private key with the specified
+cipher before outputting it. A pass phrase is prompted for.
 If none of these options is specified the key is written in plain text. This
 means that using the B<dsa> utility to read in an encrypted key with no
 encryption option can be used to remove the pass phrase from a key, or by
diff --git a/crypto/openssl/doc/apps/ec.pod b/crypto/openssl/doc/apps/ec.pod
index ba6dc4689bf0..5c7b45d4e75e 100644
--- a/crypto/openssl/doc/apps/ec.pod
+++ b/crypto/openssl/doc/apps/ec.pod
@@ -41,7 +41,7 @@ PKCS#8 private key format use the B<pkcs8> command.
 
 This specifies the input format. The B<DER> option with a private key uses
 an ASN.1 DER encoded SEC1 private key. When used with a public key it
-uses the SubjectPublicKeyInfo structur as specified in RFC 3280.
+uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
 The B<PEM> form is the default format: it consists of the B<DER> format base64
 encoded with additional header and footer lines. In the case of a private key
 PKCS#8 format is also accepted.
diff --git a/crypto/openssl/doc/apps/ecparam.pod b/crypto/openssl/doc/apps/ecparam.pod
index 788c074d7b45..88e9d1e83d02 100644
--- a/crypto/openssl/doc/apps/ecparam.pod
+++ b/crypto/openssl/doc/apps/ecparam.pod
@@ -16,7 +16,7 @@ B<openssl ecparam>
 [B<-C>]
 [B<-check>]
 [B<-name arg>]
-[B<-list_curve>]
+[B<-list_curves>]
 [B<-conv_form arg>]
 [B<-param_enc arg>]
 [B<-no_seed>]
diff --git a/crypto/openssl/doc/apps/enc.pod b/crypto/openssl/doc/apps/enc.pod
index 3dee4ed99238..41791ad6713c 100644
--- a/crypto/openssl/doc/apps/enc.pod
+++ b/crypto/openssl/doc/apps/enc.pod
@@ -215,6 +215,10 @@ unsupported options (for example B<openssl enc -help>) includes a
 list of ciphers, supported by your versesion of OpenSSL, including
 ones provided by configured engines.
 
+The B<enc> program does not support authenticated encryption modes
+like CCM and GCM. The utility does not store or retrieve the
+authentication tag.
+
 
  base64             Base 64
 
diff --git a/crypto/openssl/doc/apps/gendsa.pod b/crypto/openssl/doc/apps/gendsa.pod
index 8c7f114ca08a..d9f56be890f8 100644
--- a/crypto/openssl/doc/apps/gendsa.pod
+++ b/crypto/openssl/doc/apps/gendsa.pod
@@ -8,6 +8,12 @@ gendsa - generate a DSA private key from a set of parameters
 
 B<openssl> B<gendsa>
 [B<-out filename>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
@@ -24,10 +30,10 @@ The B<gendsa> command generates a DSA private key from a DSA parameter file
 
 =over 4
 
-=item B<-des|-des3|-idea>
+=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, or the 
-IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+These options encrypt the private key with specified
+cipher before outputting it. A pass phrase is prompted for.
 If none of these options is specified no encryption is used.
 
 =item B<-rand file(s)>
diff --git a/crypto/openssl/doc/apps/genrsa.pod b/crypto/openssl/doc/apps/genrsa.pod
index 7dcac2a779f8..cb03d09b95eb 100644
--- a/crypto/openssl/doc/apps/genrsa.pod
+++ b/crypto/openssl/doc/apps/genrsa.pod
@@ -9,6 +9,18 @@ genrsa - generate an RSA private key
 B<openssl> B<genrsa>
 [B<-out filename>]
 [B<-passout arg>]
+[B<-aes128>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
@@ -36,10 +48,10 @@ used.
 the output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 
-=item B<-des|-des3|-idea>
+=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, or the 
-IDEA ciphers respectively before outputting it. If none of these options is
+These options encrypt the private key with specified
+cipher before outputting it. If none of these options is
 specified no encryption is used. If encryption is used a pass phrase is prompted
 for if it is not supplied via the B<-passout> argument.
 
diff --git a/crypto/openssl/doc/apps/ocsp.pod b/crypto/openssl/doc/apps/ocsp.pod
index af2e12e418bf..38f026afc1b6 100644
--- a/crypto/openssl/doc/apps/ocsp.pod
+++ b/crypto/openssl/doc/apps/ocsp.pod
@@ -133,6 +133,10 @@ if the B<host> option is present then the OCSP request is sent to the host
 B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
 or "/" by default.
 
+=item B<-timeout seconds>
+
+connection timeout to the OCSP responder in seconds
+
 =item B<-CAfile file>, B<-CApath pathname>
 
 file or pathname containing trusted CA certificates. These are used to verify
diff --git a/crypto/openssl/doc/apps/pkcs12.pod b/crypto/openssl/doc/apps/pkcs12.pod
index f69a5c5a4cda..8e0d91798ac4 100644
--- a/crypto/openssl/doc/apps/pkcs12.pod
+++ b/crypto/openssl/doc/apps/pkcs12.pod
@@ -67,7 +67,7 @@ by default.
 The filename to write certificates and private keys to, standard output by
 default.  They are all written in PEM format.
 
-=item B<-pass arg>, B<-passin arg>
+=item B<-passin arg>
 
 the PKCS#12 file (i.e. input file) password source. For more information about
 the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
@@ -75,10 +75,15 @@ L<openssl(1)|openssl(1)>.
 
 =item B<-passout arg>
 
-pass phrase source to encrypt any outputed private keys with. For more
+pass phrase source to encrypt any outputted private keys with. For more
 information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
 in L<openssl(1)|openssl(1)>.
 
+=item B<-password arg>
+
+With -export, -password is equivalent to -passout.
+Otherwise, -password is equivalent to -passin.
+
 =item B<-noout>
 
 this option inhibits output of the keys and certificates to the output file
diff --git a/crypto/openssl/doc/apps/req.pod b/crypto/openssl/doc/apps/req.pod
index ff48bbdf2855..0730d117b39c 100644
--- a/crypto/openssl/doc/apps/req.pod
+++ b/crypto/openssl/doc/apps/req.pod
@@ -303,7 +303,7 @@ Reverses effect of B<-asn1-kludge>
 
 =item B<-newhdr>
 
-Adds the word B<NEW> to the PEM file header and footer lines on the outputed
+Adds the word B<NEW> to the PEM file header and footer lines on the outputted
 request. Some software (Netscape certificate server) and some CAs need this.
 
 =item B<-batch>
diff --git a/crypto/openssl/doc/apps/rsa.pod b/crypto/openssl/doc/apps/rsa.pod
index 69b2bef82cbe..21cbf8ee009b 100644
--- a/crypto/openssl/doc/apps/rsa.pod
+++ b/crypto/openssl/doc/apps/rsa.pod
@@ -15,6 +15,12 @@ B<openssl> B<rsa>
 [B<-out filename>]
 [B<-passout arg>]
 [B<-sgckey>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
@@ -24,6 +30,8 @@ B<openssl> B<rsa>
 [B<-check>]
 [B<-pubin>]
 [B<-pubout>]
+[B<-RSAPublicKey_in>]
+[B<-RSAPublicKey_out>]
 [B<-engine id>]
 
 =head1 DESCRIPTION
@@ -80,10 +88,10 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 use the modified NET algorithm used with some versions of Microsoft IIS and SGC
 keys.
 
-=item B<-des|-des3|-idea>
+=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, or the 
-IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
+These options encrypt the private key with the specified
+cipher before outputting it. A pass phrase is prompted for.
 If none of these options is specified the key is written in plain text. This
 means that using the B<rsa> utility to read in an encrypted key with no
 encryption option can be used to remove the pass phrase from a key, or by
@@ -118,6 +126,10 @@ by default a private key is output: with this option a public
 key will be output instead. This option is automatically set if
 the input is a public key.
 
+=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
+
+like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
+
 =item B<-engine id>
 
 specifying an engine (by its unique B<id> string) will cause B<rsa>
@@ -139,6 +151,11 @@ The PEM public key format uses the header and footer lines:
  -----BEGIN PUBLIC KEY-----
  -----END PUBLIC KEY-----
 
+The PEM B<RSAPublicKey> format uses the header and footer lines:
+
+ -----BEGIN RSA PUBLIC KEY-----
+ -----END RSA PUBLIC KEY-----
+
 The B<NET> form is a format compatible with older Netscape servers
 and Microsoft IIS .key files, this uses unsalted RC4 for its encryption.
 It is not very secure and so should only be used when necessary.
@@ -173,6 +190,10 @@ To just output the public part of a private key:
 
  openssl rsa -in key.pem -pubout -out pubkey.pem
 
+Output the public part of a private key in B<RSAPublicKey> format:
+
+ openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
+
 =head1 BUGS
 
 The command line password arguments don't currently work with
diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod
index 4ebf7b585474..b021c730c02a 100644
--- a/crypto/openssl/doc/apps/s_client.pod
+++ b/crypto/openssl/doc/apps/s_client.pod
@@ -9,7 +9,9 @@ s_client - SSL/TLS client program
 
 B<openssl> B<s_client>
 [B<-connect host:port>]
+[B<-servername name>]
 [B<-verify depth>]
+[B<-verify_return_error>]
 [B<-cert filename>]
 [B<-certform DER|PEM>]
 [B<-key filename>]
@@ -27,6 +29,7 @@ B<openssl> B<s_client>
 [B<-nbio>]
 [B<-crlf>]
 [B<-ign_eof>]
+[B<-no_ign_eof>]
 [B<-quiet>]
 [B<-ssl2>]
 [B<-ssl3>]
@@ -36,6 +39,7 @@ B<openssl> B<s_client>
 [B<-no_tls1>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
+[B<-serverpref>]
 [B<-starttls protocol>]
 [B<-engine id>]
 [B<-tlsextdebug>]
@@ -43,6 +47,8 @@ B<openssl> B<s_client>
 [B<-sess_out filename>]
 [B<-sess_in filename>]
 [B<-rand file(s)>]
+[B<-status>]
+[B<-nextprotoneg protocols>]
 
 =head1 DESCRIPTION
 
@@ -59,6 +65,10 @@ SSL servers.
 This specifies the host and optional port to connect to. If not specified
 then an attempt is made to connect to the local host on port 4433.
 
+=item B<-servername name>
+
+Set the TLS SNI (Server Name Indication) extension in the ClientHello message.
+
 =item B<-cert certname>
 
 The certificate to use, if one is requested by the server. The default is
@@ -90,6 +100,11 @@ Currently the verify operation continues after errors so all the problems
 with a certificate chain can be seen. As a side effect the connection
 will never fail due to a server certificate verify failure.
 
+=item B<-verify_return_error>
+
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
+
 =item B<-CApath directory>
 
 The directory to use for server certificate verification. This directory
@@ -166,6 +181,11 @@ input.
 inhibit printing of session and certificate information.  This implicitly
 turns on B<-ign_eof> as well.
 
+=item B<-no_ign_eof>
+
+shut down the connection when end of file is reached in the input.
+Can be used to override the implicit B<-ign_eof> after B<-quiet>.
+
 =item B<-psk_identity identity>
 
 Use the PSK identity B<identity> when using a PSK cipher suite.
@@ -199,6 +219,10 @@ the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client. See the B<ciphers>
 command for more information.
 
+=item B<-serverpref>
+
+use the server's cipher preferences; only used for SSLV2.
+
 =item B<-starttls protocol>
 
 send the protocol-specific message(s) to switch to TLS for communication.
@@ -237,6 +261,22 @@ Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
 
+=item B<-status>
+
+sends a certificate status request to the server (OCSP stapling). The server
+response (if any) is printed out.
+
+=item B<-nextprotoneg protocols>
+
+enable Next Protocol Negotiation TLS extension and provide a list of
+comma-separated protocol names that the client should advertise
+support for. The list should contain most wanted protocols first.
+Protocol names are printable ASCII strings, for example "http/1.1" or
+"spdy/3".
+Empty list of protocols is treated specially and will cause the client to
+advertise support for the TLS extension but disconnect just after
+reciving ServerHello with a list of server supported protocols.
+
 =back
 
 =head1 CONNECTED COMMANDS
@@ -286,6 +326,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions
 these will only be supported if its use is disabled, for example by using the
 B<-no_sslv2> option.
 
+The B<s_client> utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should B<not> do this as it makes them vulnerable to a MITM
+attack. This behaviour can be changed by with the B<-verify_return_error>
+option: any verify errors are then returned aborting the handshake.
+
 =head1 BUGS
 
 Because this program has a lot of options and also because some of
@@ -293,9 +340,6 @@ the techniques used are rather old, the C source of s_client is rather
 hard to read and not a model of how things should be done. A typical
 SSL client program would be much simpler.
 
-The B<-verify> option should really exit if the server verification
-fails.
-
 The B<-prexit> option is a bit of a hack. We should really report
 information whenever a session is renegotiated.
 
diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod
index 3e503e17e107..2105b603b7ba 100644
--- a/crypto/openssl/doc/apps/s_server.pod
+++ b/crypto/openssl/doc/apps/s_server.pod
@@ -35,6 +35,7 @@ B<openssl> B<s_server>
 [B<-CAfile filename>]
 [B<-nocert>]
 [B<-cipher cipherlist>]
+[B<-serverpref>]
 [B<-quiet>]
 [B<-no_tmp_rsa>]
 [B<-ssl2>]
@@ -44,6 +45,7 @@ B<openssl> B<s_server>
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
+[B<-no_ecdhe>]
 [B<-bugs>]
 [B<-hack>]
 [B<-www>]
@@ -54,6 +56,11 @@ B<openssl> B<s_server>
 [B<-no_ticket>]
 [B<-id_prefix arg>]
 [B<-rand file(s)>]
+[B<-status>]
+[B<-status_verbose>]
+[B<-status_timeout nsec>]
+[B<-status_url url>]
+[B<-nextprotoneg protocols>]
 
 =head1 DESCRIPTION
 
@@ -111,7 +118,7 @@ by using an appropriate certificate.
 
 =item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
 
-addtional certificate and private key format and passphrase respectively.
+additional certificate and private key format and passphrase respectively.
 
 =item B<-nocert>
 
@@ -131,6 +138,11 @@ a static set of parameters hard coded into the s_server program will be used.
 if this option is set then no DH parameters will be loaded effectively
 disabling the ephemeral DH cipher suites.
 
+=item B<-no_ecdhe>
+
+if this option is set then no ECDH parameters will be loaded effectively
+disabling the ephemeral ECDH cipher suites.
+
 =item B<-no_tmp_rsa>
 
 certain export cipher suites sometimes use a temporary RSA key, this option
@@ -144,6 +156,9 @@ the client. With the B<-verify> option a certificate is requested but the
 client does not have to send one, with the B<-Verify> option the client
 must supply a certificate or an error occurs.
 
+If the ciphersuite cannot request a client certificate (for example an
+anonymous ciphersuite or PSK) this option has no effect.
+
 =item B<-crl_check>, B<-crl_check_all>
 
 Check the peer certificate has not been revoked by its CA.
@@ -225,6 +240,10 @@ also included in the server list is used. Because the client specifies
 the preference order, the order of the server cipherlist irrelevant. See
 the B<ciphers> command for more information.
 
+=item B<-serverpref>
+
+use the server's cipher preferences, rather than the client's preferences.
+
 =item B<-tlsextdebug>
 
 print out a hex dump of any TLS extensions received from the server.
@@ -276,6 +295,33 @@ Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
 
+=item B<-status>
+
+enables certificate status request support (aka OCSP stapling).
+
+=item B<-status_verbose>
+
+enables certificate status request support (aka OCSP stapling) and gives
+a verbose printout of the OCSP response.
+
+=item B<-status_timeout nsec>
+
+sets the timeout for OCSP response to B<nsec> seconds.
+
+=item B<-status_url url>
+
+sets a fallback responder URL to use if no responder URL is present in the
+server certificate. Without this option an error is returned if the server
+certificate does not contain a responder address.
+
+=item B<-nextprotoneg protocols>
+
+enable Next Protocol Negotiation TLS extension and provide a
+comma-separated list of supported protocol names.
+The list should contain most wanted protocols first.
+Protocol names are printable ASCII strings, for example "http/1.1" or
+"spdy/3".
+
 =back
 
 =head1 CONNECTED COMMANDS
diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod
index e4e89af847ae..d39a59a90d8c 100644
--- a/crypto/openssl/doc/apps/smime.pod
+++ b/crypto/openssl/doc/apps/smime.pod
@@ -159,7 +159,7 @@ EVP_get_cipherbyname() function) can also be used preceded by a dash, for
 example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers
 supported by your version of OpenSSL.
 
-If not specified 40 bit RC2 is used. Only used with B<-encrypt>.
+If not specified triple DES is used. Only used with B<-encrypt>.
 
 =item B<-nointern>
 
@@ -308,28 +308,28 @@ remains DER.
 
 =over 4
 
-=item 0
+=item Z<>0
 
 the operation was completely successfully.
 
-=item 1 
+=item Z<>1
 
 an error occurred parsing the command options.
 
-=item 2
+=item Z<>2
 
 one of the input files could not be read.
 
-=item 3
+=item Z<>3
 
 an error occurred creating the PKCS#7 file or when reading the MIME
 message.
 
-=item 4
+=item Z<>4
 
 an error occurred decrypting or verifying the message.
 
-=item 5
+=item Z<>5
 
 the message was verified correctly but an error occurred writing out
 the signers certificates.
diff --git a/crypto/openssl/doc/apps/ts.pod b/crypto/openssl/doc/apps/ts.pod
index 7fb6caa96e54..d6aa47d3144d 100644
--- a/crypto/openssl/doc/apps/ts.pod
+++ b/crypto/openssl/doc/apps/ts.pod
@@ -352,7 +352,7 @@ switch always overrides the settings in the config file.
 
 This is the main section and it specifies the name of another section
 that contains all the options for the B<-reply> command. This default
-section can be overriden with the B<-section> command line switch. (Optional)
+section can be overridden with the B<-section> command line switch. (Optional)
 
 =item B<oid_file>
 
@@ -453,7 +453,7 @@ included. Default is no. (Optional)
 =head1 ENVIRONMENT VARIABLES
 
 B<OPENSSL_CONF> contains the path of the configuration file and can be
-overriden by the B<-config> command line option.
+overridden by the B<-config> command line option.
 
 =head1 EXAMPLES
 
diff --git a/crypto/openssl/doc/apps/tsget.pod b/crypto/openssl/doc/apps/tsget.pod
index b05957beea6b..56db985c4bb1 100644
--- a/crypto/openssl/doc/apps/tsget.pod
+++ b/crypto/openssl/doc/apps/tsget.pod
@@ -124,7 +124,7 @@ The name of an EGD socket to get random data from. (Optional)
 =item [request]...
 
 List of files containing B<RFC 3161> DER-encoded time stamp requests. If no
-requests are specifed only one request will be sent to the server and it will be
+requests are specified only one request will be sent to the server and it will be
 read from the standard input. (Optional)
 
 =back
diff --git a/crypto/openssl/doc/apps/verify.pod b/crypto/openssl/doc/apps/verify.pod
index da683004bd27..0c8e4926ccff 100644
--- a/crypto/openssl/doc/apps/verify.pod
+++ b/crypto/openssl/doc/apps/verify.pod
@@ -25,6 +25,7 @@ B<openssl> B<verify>
 [B<-untrusted file>]
 [B<-help>]
 [B<-issuer_checks>]
+[B<-attime timestamp>]
 [B<-verbose>]
 [B<->]
 [certificates]
@@ -47,7 +48,6 @@ of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
 create symbolic links to a directory of certificates.
 
 =item B<-CAfile file>
-
 A file of trusted certificates. The file should contain multiple certificates
 in PEM format concatenated together.
 
@@ -80,6 +80,12 @@ rejected. The presence of rejection messages does not itself imply that
 anything is wrong; during the normal verification process, several
 rejections may take place.
 
+=item B<-attime timestamp>
+
+Perform validation checks using time specified by B<timestamp> and not
+current system time. B<timestamp> is the number of seconds since
+01.01.1970 (UNIX time).
+
 =item B<-policy arg>
 
 Enable policy processing and add B<arg> to the user-initial-policy-set (see
@@ -386,7 +392,7 @@ an application specific error. Unused.
 
 =head1 BUGS
 
-Although the issuer checks are a considerably improvement over the old technique they still
+Although the issuer checks are a considerable improvement over the old technique they still
 suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
 trusted certificates with matching subject name must either appear in a file (as specified by the
 B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only
diff --git a/crypto/openssl/doc/apps/version.pod b/crypto/openssl/doc/apps/version.pod
index e00324c446cd..58f543bc3e64 100644
--- a/crypto/openssl/doc/apps/version.pod
+++ b/crypto/openssl/doc/apps/version.pod
@@ -13,6 +13,7 @@ B<openssl version>
 [B<-o>]
 [B<-f>]
 [B<-p>]
+[B<-d>]
 
 =head1 DESCRIPTION
 
@@ -38,7 +39,7 @@ the date the current version of OpenSSL was built.
 
 option information: various options set when the library was built.
 
-=item B<-c>
+=item B<-f>
 
 compilation flags.
 
diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod
index b3c3fcc33b65..878a7c3711ea 100644
--- a/crypto/openssl/doc/apps/x509.pod
+++ b/crypto/openssl/doc/apps/x509.pod
@@ -19,6 +19,7 @@ B<openssl> B<x509>
 [B<-hash>]
 [B<-subject_hash>]
 [B<-issuer_hash>]
+[B<-ocspid>]
 [B<-subject>]
 [B<-issuer>]
 [B<-nameopt option>]
@@ -28,6 +29,7 @@ B<openssl> B<x509>
 [B<-enddate>]
 [B<-purpose>]
 [B<-dates>]
+[B<-checkend num>]
 [B<-modulus>]
 [B<-pubkey>]
 [B<-fingerprint>]
@@ -42,6 +44,7 @@ B<openssl> B<x509>
 [B<-days arg>]
 [B<-set_serial n>]
 [B<-signkey filename>]
+[B<-passin arg>]
 [B<-x509toreq>]
 [B<-req>]
 [B<-CA filename>]
@@ -49,6 +52,7 @@ B<openssl> B<x509>
 [B<-CAcreateserial>]
 [B<-CAserial filename>]
 [B<-text>]
+[B<-certopt option>]
 [B<-C>]
 [B<-md2|-md5|-sha1|-mdc2>]
 [B<-clrext>]
@@ -159,6 +163,10 @@ name.
 
 outputs the "hash" of the certificate issuer name.
 
+=item B<-ocspid>
+
+outputs the OCSP hash values for the subject name and public key.
+
 =item B<-hash>
 
 synonym for "-subject_hash" for backward compatibility reasons.
@@ -208,6 +216,11 @@ prints out the expiry date of the certificate, that is the notAfter date.
 
 prints out the start and expiry dates of a certificate.
 
+=item B<-checkend arg>
+
+checks if the certificate expires within the next B<arg> seconds and exits
+non-zero if yes it will expire or zero if not.
+
 =item B<-fingerprint>
 
 prints out the digest of the DER encoded version of the whole certificate
@@ -313,6 +326,11 @@ If the input is a certificate request then a self signed certificate
 is created using the supplied private key using the subject name in
 the request.
 
+=item B<-passin arg>
+
+the key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 =item B<-clrext>
 
 delete any extensions from a certificate. This option is used when a
@@ -468,7 +486,7 @@ using the format \UXXXX for 16 bits and \WXXXXXXXX for 32 bits.
 Also if this option is off any UTF8Strings will be converted to their
 character form first.
 
-=item B<no_type>
+=item B<ignore_type>
 
 this option does not attempt to interpret multibyte characters in any
 way. That is their content octets are merely dumped as though one octet
diff --git a/crypto/openssl/doc/apps/x509v3_config.pod b/crypto/openssl/doc/apps/x509v3_config.pod
index 0450067cf1d9..c82cea1da24e 100644
--- a/crypto/openssl/doc/apps/x509v3_config.pod
+++ b/crypto/openssl/doc/apps/x509v3_config.pod
@@ -174,7 +174,7 @@ The IP address used in the B<IP> options can be in either IPv4 or IPv6 format.
 
 The value of B<dirName> should point to a section containing the distinguished
 name to use as a set of name value pairs. Multi values AVAs can be formed by
-preceeding the name with a B<+> character.
+prefacing the name with a B<+> character.
 
 otherName can include arbitrary data associated with an OID: the value
 should be the OID followed by a semicolon and the content in standard
@@ -301,7 +301,7 @@ Example:
  O=Organisation
  CN=Some Name
 
- 
+
 =head2 Certificate Policies.
 
 This is a I<raw> extension. All the fields of this extension can be set by
@@ -390,7 +390,7 @@ Examples:
  nameConstraints=permitted;email:.somedomain.com
 
  nameConstraints=excluded;email:.com
-issuingDistributionPoint = idp_section
+
 
 =head2 OCSP No Check
 
diff --git a/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod b/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
index 542fd1579ab8..bfa0a04ff974 100644
--- a/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
+++ b/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
@@ -61,7 +61,7 @@ Encode the B<NULL> type, the B<value> string must not be present.
 =item B<INTEGER>, B<INT>
 
 Encodes an ASN1 B<INTEGER> type. The B<value> string represents
-the value of the integer, it can be preceeded by a minus sign and
+the value of the integer, it can be prefaced by a minus sign and
 is normally interpreted as a decimal value unless the prefix B<0x>
 is included.
 
diff --git a/crypto/openssl/doc/crypto/BIO_f_base64.pod b/crypto/openssl/doc/crypto/BIO_f_base64.pod
index 438af3b6b66c..d1d7bf0bd066 100644
--- a/crypto/openssl/doc/crypto/BIO_f_base64.pod
+++ b/crypto/openssl/doc/crypto/BIO_f_base64.pod
@@ -46,11 +46,11 @@ to standard output:
 
  b64 = BIO_new(BIO_f_base64());
  bio = BIO_new_fp(stdout, BIO_NOCLOSE);
- bio = BIO_push(b64, bio);
- BIO_write(bio, message, strlen(message));
- BIO_flush(bio);
+ BIO_push(b64, bio);
+ BIO_write(b64, message, strlen(message));
+ BIO_flush(b64);
 
- BIO_free_all(bio);
+ BIO_free_all(b64);
 
 Read Base64 encoded data from standard input and write the decoded
 data to standard output:
@@ -62,11 +62,12 @@ data to standard output:
  b64 = BIO_new(BIO_f_base64());
  bio = BIO_new_fp(stdin, BIO_NOCLOSE);
  bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
- bio = BIO_push(b64, bio);
- while((inlen = BIO_read(bio, inbuf, 512)) > 0) 
+ BIO_push(b64, bio);
+ while((inlen = BIO_read(b64, inbuf, 512)) > 0) 
 	BIO_write(bio_out, inbuf, inlen);
 
- BIO_free_all(bio);
+ BIO_flush(bio_out);
+ BIO_free_all(b64);
 
 =head1 BUGS
 
diff --git a/crypto/openssl/doc/crypto/BIO_push.pod b/crypto/openssl/doc/crypto/BIO_push.pod
index 8af1d3c09751..8a2657cd588c 100644
--- a/crypto/openssl/doc/crypto/BIO_push.pod
+++ b/crypto/openssl/doc/crypto/BIO_push.pod
@@ -40,7 +40,7 @@ If the call:
 
  BIO_push(b64, f);
 
-is made then the new chain will be B<b64-chain>. After making the calls
+is made then the new chain will be B<b64-f>. After making the calls
 
  BIO_push(md2, b64);
  BIO_push(md1, md2);
diff --git a/crypto/openssl/doc/crypto/BIO_s_accept.pod b/crypto/openssl/doc/crypto/BIO_s_accept.pod
index 7b63e4621b66..b80b6ae48836 100644
--- a/crypto/openssl/doc/crypto/BIO_s_accept.pod
+++ b/crypto/openssl/doc/crypto/BIO_s_accept.pod
@@ -59,8 +59,8 @@ the accept socket. See L<BIO_s_fd(3)|BIO_s_fd(3)>
 BIO_set_accept_port() uses the string B<name> to set the accept
 port. The port is represented as a string of the form "host:port",
 where "host" is the interface to use and "port" is the port.
-Either or both values can be "*" which is interpreted as meaning
-any interface or port respectively. "port" has the same syntax
+The host can be can be "*" which is interpreted as meaning
+any interface; "port" has the same syntax
 as the port specified in BIO_set_conn_port() for connect BIOs,
 that is it can be a numerical port string or a string to lookup
 using getservbyname() and a string table.
diff --git a/crypto/openssl/doc/crypto/BN_BLINDING_new.pod b/crypto/openssl/doc/crypto/BN_BLINDING_new.pod
index 5f51fdb47065..da06e4446125 100644
--- a/crypto/openssl/doc/crypto/BN_BLINDING_new.pod
+++ b/crypto/openssl/doc/crypto/BN_BLINDING_new.pod
@@ -48,7 +48,7 @@ necessary parameters are set, by re-creating the blinding parameters.
 
 BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
 If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
-returned in B<r> (this is useful if a B<RSA> object is shared amoung
+returned in B<r> (this is useful if a B<RSA> object is shared among
 several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
 inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
 the inverse blinding.
diff --git a/crypto/openssl/doc/crypto/CMS_sign_add1_signer.pod b/crypto/openssl/doc/crypto/CMS_add1_signer.pod
index bda3ca2adbd1..a055b82695ae 100644
--- a/crypto/openssl/doc/crypto/CMS_sign_add1_signer.pod
+++ b/crypto/openssl/doc/crypto/CMS_add1_signer.pod
@@ -2,20 +2,20 @@
 
 =head1 NAME
 
- CMS_sign_add1_signer, CMS_SignerInfo_sign - add a signer to a CMS_ContentInfo signed data structure.
+ CMS_add1_signer, CMS_SignerInfo_sign - add a signer to a CMS_ContentInfo signed data structure.
 
 =head1 SYNOPSIS
 
  #include <openssl/cms.h>
 
- CMS_SignerInfo *CMS_sign_add1_signer(CMS_ContentInfo *cms, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, unsigned int flags);
+ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, unsigned int flags);
 
  int CMS_SignerInfo_sign(CMS_SignerInfo *si);
 
 
 =head1 DESCRIPTION
 
-CMS_sign_add1_signer() adds a signer with certificate B<signcert> and private
+CMS_add1_signer() adds a signer with certificate B<signcert> and private
 key B<pkey> using message digest B<md> to CMS_ContentInfo SignedData
 structure B<cms>.
 
@@ -36,7 +36,7 @@ are both set.
 
 =head1 NOTES
 
-The main purpose of CMS_sign_add1_signer() is to provide finer control
+The main purpose of CMS_add1_signer() is to provide finer control
 over a CMS signed data structure where the simpler CMS_sign() function defaults
 are not appropriate. For example if multiple signers or non default digest
 algorithms are needed. New attributes can also be added using the returned
@@ -80,13 +80,13 @@ bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2.
 If any of these algorithms is not available then it will not be included: for example the GOST algorithms will not be included if the GOST ENGINE is
 not loaded.
 
-CMS_sign_add1_signer() returns an internal pointer to the CMS_SignerInfo
+CMS_add1_signer() returns an internal pointer to the CMS_SignerInfo
 structure just added, this can be used to set additional attributes 
 before it is finalized.
 
 =head1 RETURN VALUES
 
-CMS_sign1_add_signers() returns an internal pointer to the CMS_SignerInfo
+CMS_add1_signer() returns an internal pointer to the CMS_SignerInfo
 structure just added or NULL if an error occurs.
 
 =head1 SEE ALSO
@@ -96,6 +96,6 @@ L<CMS_final(3)|CMS_final(3)>,
 
 =head1 HISTORY
 
-CMS_sign_add1_signer() was added to OpenSSL 0.9.8
+CMS_add1_signer() was added to OpenSSL 0.9.8
 
 =cut
diff --git a/crypto/openssl/doc/crypto/CMS_decrypt.pod b/crypto/openssl/doc/crypto/CMS_decrypt.pod
index d857e4f93f6e..3fa9212af32c 100644
--- a/crypto/openssl/doc/crypto/CMS_decrypt.pod
+++ b/crypto/openssl/doc/crypto/CMS_decrypt.pod
@@ -27,7 +27,21 @@ function or errors about unknown algorithms will occur.
 
 Although the recipients certificate is not needed to decrypt the data it is
 needed to locate the appropriate (of possible several) recipients in the CMS
-structure. If B<cert> is set to NULL all possible recipients are tried.
+structure.
+
+If B<cert> is set to NULL all possible recipients are tried. This case however
+is problematic. To thwart the MMA attack (Bleichenbacher's attack on
+PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or
+not. If no recipient succeeds then a random symmetric key is used to decrypt
+the content: this will typically output garbage and may (but is not guaranteed
+to) ultimately return a padding error only. If CMS_decrypt() just returned an
+error when all recipient encrypted keys failed to decrypt an attacker could
+use this in a timing attack. If the special flag B<CMS_DEBUG_DECRYPT> is set
+then the above behaviour is modified and an error B<is> returned if no
+recipient encrypted key can be decrypted B<without> generating a random
+content encryption key. Applications should use this flag with
+B<extreme caution> especially in automated gateways as it can leave them
+open to attack.
 
 It is possible to determine the correct recipient key by other means (for
 example looking them up in a database) and setting them in the CMS structure
diff --git a/crypto/openssl/doc/crypto/CONF_modules_free.pod b/crypto/openssl/doc/crypto/CONF_modules_free.pod
index 87bc7b783c9e..347020c5fe70 100644
--- a/crypto/openssl/doc/crypto/CONF_modules_free.pod
+++ b/crypto/openssl/doc/crypto/CONF_modules_free.pod
@@ -37,7 +37,7 @@ None of the functions return a value.
 =head1 SEE ALSO
 
 L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_modules_load_file(3), CONF_modules_load_file(3)>
+L<CONF_modules_load_file(3)|CONF_modules_load_file(3)>
 
 =head1 HISTORY
 
diff --git a/crypto/openssl/doc/crypto/CONF_modules_load_file.pod b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod
index 9965d69bf2ec..0c4d926858fb 100644
--- a/crypto/openssl/doc/crypto/CONF_modules_load_file.pod
+++ b/crypto/openssl/doc/crypto/CONF_modules_load_file.pod
@@ -51,7 +51,7 @@ return value of the failing module (this will always be zero or negative).
 =head1 SEE ALSO
 
 L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)>
+L<CONF_free(3)|CONF_free(3)>, L<err(3)|err(3)>
 
 =head1 HISTORY
 
diff --git a/crypto/openssl/doc/crypto/ERR_get_error.pod b/crypto/openssl/doc/crypto/ERR_get_error.pod
index 34443045fc0d..01e196c95fda 100644
--- a/crypto/openssl/doc/crypto/ERR_get_error.pod
+++ b/crypto/openssl/doc/crypto/ERR_get_error.pod
@@ -49,11 +49,14 @@ additionally store the file name and line number where
 the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
 
 ERR_get_error_line_data(), ERR_peek_error_line_data() and
-ERR_get_last_error_line_data() store additional data and flags
+ERR_peek_last_error_line_data() store additional data and flags
 associated with the error code in *B<data>
 and *B<flags>, unless these are B<NULL>. *B<data> contains a string
-if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by OPENSSL_malloc(),
-*B<flags>&B<ERR_TXT_MALLOCED> is true.
+if *B<flags>&B<ERR_TXT_STRING> is true.
+
+An application B<MUST NOT> free the *B<data> pointer (or any other pointers
+returned by these functions) with OPENSSL_free() as freeing is handled
+automatically by the error library.
 
 =head1 RETURN VALUES
 
diff --git a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
index d375c46e03d5..0ea7d55c0f1f 100644
--- a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
+++ b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
@@ -17,7 +17,7 @@ EVP_BytesToKey - password based encryption routine
 
 EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
 the cipher to derive the key and IV for. B<md> is the message digest to use.
-The B<salt> paramter is used as a salt in the derivation: it should point to
+The B<salt> parameter is used as a salt in the derivation: it should point to
 an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
 B<datal> bytes which is used to derive the keying data. B<count> is the
 iteration count to use. The derived key and IV will be written to B<key>
diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod
index 367691cc7aed..ac526bb6dbcb 100644
--- a/crypto/openssl/doc/crypto/EVP_DigestInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod
@@ -26,13 +26,13 @@ EVP digest routines
  int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
  void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
 
- int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);  
+ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);
 
  int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
  int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
         unsigned int *s);
 
- int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
+ int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);
 
  #define EVP_MAX_MD_SIZE 64	/* SHA512 */
 
@@ -136,10 +136,10 @@ reasons.
 EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
 EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD>
 structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2
-and RIPEMD160 digest algorithms respectively. 
+and RIPEMD160 digest algorithms respectively.
 
 EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
-algorithms but using DSS (DSA) for the signature algorithm. Note: there is 
+algorithms but using DSS (DSA) for the signature algorithm. Note: there is
 no need to use these pseudo-digests in OpenSSL 1.0.0 and later, they are
 however retained for compatibility.
 
@@ -161,9 +161,8 @@ EVP_MD_CTX_copy_ex() returns 1 if successful or 0 for failure.
 EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
 corresponding OBJECT IDENTIFIER or NID_undef if none exists.
 
-EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(e), EVP_MD_size(),
-EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
-size in bytes.
+EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
+EVP_MD_CTX_block_size() return the digest or block size in bytes.
 
 EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
 EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
@@ -178,21 +177,21 @@ The B<EVP> interface to message digests should almost always be used in
 preference to the low level interfaces. This is because the code then becomes
 transparent to the digest used and much more flexible.
 
-New applications should use the SHA2 digest algorithms such as SHA256. 
+New applications should use the SHA2 digest algorithms such as SHA256.
 The other digest algorithms are still in common use.
 
 For most applications the B<impl> parameter to EVP_DigestInit_ex() will be
 set to NULL to use the default digest implementation.
 
-The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are 
+The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are
 obsolete but are retained to maintain compatibility with existing code. New
-applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and 
+applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and
 EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context
 instead of initializing and cleaning it up on each call and allow non default
 implementations of digests to be specified.
 
 In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use
-memory leaks will occur. 
+memory leaks will occur.
 
 Stack allocation of EVP_MD_CTX structures is common, for example:
 
@@ -246,15 +245,19 @@ digest name passed on the command line.
  EVP_MD_CTX_destroy(mdctx);
 
  printf("Digest is: ");
- for(i = 0; i < md_len; i++) printf("%02x", md_value[i]);
+ for(i = 0; i < md_len; i++)
+ 	printf("%02x", md_value[i]);
  printf("\n");
+
+ /* Call this once before exit. */
+ EVP_cleanup();
+ exit(0);
  }
 
 =head1 SEE ALSO
 
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
+L<dgst(1)|dgst(1)>,
+L<evp(3)|evp(3)>
 
 =head1 HISTORY
 
@@ -270,7 +273,7 @@ EVP_dss(), EVP_dss1(), EVP_mdc2() and EVP_ripemd160() were
 changed to return truely const EVP_MD * in OpenSSL 0.9.7.
 
 The link between digests and signing algorithms was fixed in OpenSSL 1.0 and
-later, so now EVP_sha1() can be used with RSA and DSA, there is no need to
+later, so now EVP_sha1() can be used with RSA and DSA; there is no need to
 use EVP_dss1() any more.
 
 OpenSSL 1.0 and later does not include the MD2 digest algorithm in the
diff --git a/crypto/openssl/doc/crypto/EVP_DigestVerifyInit.pod b/crypto/openssl/doc/crypto/EVP_DigestVerifyInit.pod
index f22448897839..cfeccd96effc 100644
--- a/crypto/openssl/doc/crypto/EVP_DigestVerifyInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_DigestVerifyInit.pod
@@ -38,7 +38,7 @@ or a negative value for failure. In particular a return value of -2 indicates
 the operation is not supported by the public key algorithm.
 
 Unlike other functions the return value 0 from EVP_DigestVerifyFinal() only
-indicates that the signature did not not verify successfully (that is tbs did
+indicates that the signature did not verify successfully (that is tbs did
 not match the original data or the signature was of invalid form) it is not an
 indication of a more serious error.
 
@@ -59,7 +59,7 @@ For some key types and parameters the random number generator must be seeded
 or the operation will fail. 
 
 The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest
-context. This means that calls to EVP_VerifyUpdate() and EVP_VerifyFinal() can
+context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can
 be called later to digest and verify additional data.
 
 Since only a copy of the digest context is ever finalized the context must
diff --git a/crypto/openssl/doc/crypto/EVP_EncryptInit.pod b/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
index 8271d3dfc417..ed027b387aea 100644
--- a/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
@@ -115,7 +115,7 @@ writes the encrypted version to B<out>. This function can be called
 multiple times to encrypt successive blocks of data. The amount
 of data written depends on the block alignment of the encrypted data:
 as a result the amount of data written may be anything from zero bytes
-to (inl + cipher_block_size - 1) so B<outl> should contain sufficient
+to (inl + cipher_block_size - 1) so B<out> should contain sufficient
 room. The actual number of bytes written is placed in B<outl>.
 
 If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
@@ -152,7 +152,7 @@ does not remain in memory.
 
 EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
 similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
-EVP_CipherInit_ex() except the B<ctx> paramter does not need to be
+EVP_CipherInit_ex() except the B<ctx> parameter does not need to be
 initialized and they always use the default cipher implementation.
 
 EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a
@@ -344,7 +344,10 @@ bits and 12 rounds.
 
 Where possible the B<EVP> interface to symmetric ciphers should be used in
 preference to the low level interfaces. This is because the code then becomes
-transparent to the cipher used and much more flexible.
+transparent to the cipher used and much more flexible. Additionally, the
+B<EVP> interface will ensure the use of platform specific cryptographic
+acceleration such as AES-NI (the low level interfaces do not provide the
+guarantee).
 
 PKCS padding works by adding B<n> padding bytes of value B<n> to make the total 
 length of the encrypted data a multiple of the block size. Padding is always
@@ -384,27 +387,7 @@ for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
 
 =head1 EXAMPLES
 
-Get the number of rounds used in RC5:
-
- int nrounds;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds);
-
-Get the RC2 effective key length:
-
- int key_bits;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits);
-
-Set the number of rounds used in RC5:
-
- int nrounds;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL);
-
-Set the effective key length used in RC2:
-
- int key_bits;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
-
-Encrypt a string using blowfish:
+Encrypt a string using IDEA:
 
  int do_crypt(char *outfile)
  	{
@@ -418,8 +401,9 @@ Encrypt a string using blowfish:
 	char intext[] = "Some Crypto Text";
 	EVP_CIPHER_CTX ctx;
 	FILE *out;
+
 	EVP_CIPHER_CTX_init(&ctx);
-	EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
+	EVP_EncryptInit_ex(&ctx, EVP_idea_cbc(), NULL, key, iv);
 
 	if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
 		{
@@ -448,28 +432,34 @@ Encrypt a string using blowfish:
 	}
 
 The ciphertext from the above example can be decrypted using the B<openssl>
-utility with the command line:
+utility with the command line (shown on two lines for clarity):
  
- S<openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d>
+ openssl idea -d <filename
+          -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708
 
-General encryption, decryption function example using FILE I/O and RC2 with an
-80 bit key:
+General encryption and decryption function example using FILE I/O and AES128
+with a 128-bit key:
 
  int do_crypt(FILE *in, FILE *out, int do_encrypt)
  	{
 	/* Allow enough space in output buffer for additional block */
-	inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
+	unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
 	int inlen, outlen;
+	EVP_CIPHER_CTX ctx;
 	/* Bogus key and IV: we'd normally set these from
 	 * another source.
 	 */
-	unsigned char key[] = "0123456789";
-	unsigned char iv[] = "12345678";
-	/* Don't set key or IV because we will modify the parameters */
+	unsigned char key[] = "0123456789abcdeF";
+	unsigned char iv[] = "1234567887654321";
+
+	/* Don't set key or IV right away; we want to check lengths */
 	EVP_CIPHER_CTX_init(&ctx);
-	EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt);
-	EVP_CIPHER_CTX_set_key_length(&ctx, 10);
-	/* We finished modifying parameters so now we can set key and IV */
+	EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
+		do_encrypt);
+	OPENSSL_assert(EVP_CIPHER_CTX_key_length(&ctx) == 16);
+	OPENSSL_assert(EVP_CIPHER_CTX_iv_length(&ctx) == 16);
+
+	/* Now we can set key and IV */
 	EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt);
 
 	for(;;) 
@@ -508,4 +498,7 @@ EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(),
 EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in
 OpenSSL 0.9.7.
 
+IDEA appeared in OpenSSL 0.9.7 but was often disabled due to
+patent concerns; the last patents expired in 2012.
+
 =cut
diff --git a/crypto/openssl/doc/crypto/EVP_PKEY_encrypt.pod b/crypto/openssl/doc/crypto/EVP_PKEY_encrypt.pod
index e495a81242b9..6799ce1010bd 100644
--- a/crypto/openssl/doc/crypto/EVP_PKEY_encrypt.pod
+++ b/crypto/openssl/doc/crypto/EVP_PKEY_encrypt.pod
@@ -43,19 +43,23 @@ indicates the operation is not supported by the public key algorithm.
 
 =head1 EXAMPLE
 
-Encrypt data using OAEP (for RSA keys):
+Encrypt data using OAEP (for RSA keys). See also L<PEM_read_PUBKEY(3)|pem(3)> or
+L<d2i_X509(3)|d2i_X509(3)> for means to load a public key. You may also simply
+set 'eng = NULL;' to start with the default OpenSSL RSA implementation:
 
  #include <openssl/evp.h>
  #include <openssl/rsa.h>
+ #include <openssl/engine.h>
 
  EVP_PKEY_CTX *ctx;
+ ENGINE *eng;
  unsigned char *out, *in;
  size_t outlen, inlen; 
  EVP_PKEY *key;
- /* NB: assumes key in, inlen are already set up
+ /* NB: assumes eng, key, in, inlen are already set up,
   * and that key is an RSA public key
   */
- ctx = EVP_PKEY_CTX_new(key);
+ ctx = EVP_PKEY_CTX_new(key,eng);
  if (!ctx)
 	/* Error occurred */
  if (EVP_PKEY_encrypt_init(ctx) <= 0)
@@ -79,6 +83,8 @@ Encrypt data using OAEP (for RSA keys):
 
 =head1 SEE ALSO
 
+L<d2i_X509(3)|d2i_X509(3)>,
+L<engine(3)|engine(3)>,
 L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
 L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
 L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
diff --git a/crypto/openssl/doc/crypto/EVP_PKEY_set1_RSA.pod b/crypto/openssl/doc/crypto/EVP_PKEY_set1_RSA.pod
index 2db692e2719e..6f1017561516 100644
--- a/crypto/openssl/doc/crypto/EVP_PKEY_set1_RSA.pod
+++ b/crypto/openssl/doc/crypto/EVP_PKEY_set1_RSA.pod
@@ -37,7 +37,7 @@ EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
 EVP_PKEY_get1_EC_KEY() return the referenced key in B<pkey> or
 B<NULL> if the key is not of the correct type.
 
-EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
+EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
 and EVP_PKEY_assign_EC_KEY() also set the referenced key to B<key>
 however these use the supplied B<key> internally and so B<key>
 will be freed when the parent B<pkey> is freed.
@@ -54,8 +54,8 @@ In accordance with the OpenSSL naming convention the key obtained
 from or assigned to the B<pkey> using the B<1> functions must be
 freed as well as B<pkey>.
 
-EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
-EVP_PKEY_assign_EC_KEY() are implemented as macros.
+EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
+and EVP_PKEY_assign_EC_KEY() are implemented as macros.
 
 =head1 RETURN VALUES
 
@@ -66,7 +66,7 @@ EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
 EVP_PKEY_get1_EC_KEY() return the referenced key or B<NULL> if 
 an error occurred.
 
-EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
+EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
 and EVP_PKEY_assign_EC_KEY() return 1 for success and 0 for failure.
 
 =head1 SEE ALSO
diff --git a/crypto/openssl/doc/crypto/EVP_PKEY_sign.pod b/crypto/openssl/doc/crypto/EVP_PKEY_sign.pod
index a044f2c13127..21974b4b1a9c 100644
--- a/crypto/openssl/doc/crypto/EVP_PKEY_sign.pod
+++ b/crypto/openssl/doc/crypto/EVP_PKEY_sign.pod
@@ -28,9 +28,14 @@ B<sig> and the amount of data written to B<siglen>.
 
 =head1 NOTES
 
+EVP_PKEY_sign() does not hash the data to be signed, and therefore is
+normally used to sign digests. For signing arbitrary messages, see the
+L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)> and
+L<EVP_SignInit(3)|EVP_SignInit(3)> signing interfaces instead.
+
 After the call to EVP_PKEY_sign_init() algorithm specific control
 operations can be performed to set any appropriate parameters for the
-operation.
+operation (see L<EVP_PKEY_CTX_ctrl(3)|EVP_PKEY_CTX_ctrl(3)>).
 
 The function EVP_PKEY_sign() can be called more than once on the same
 context if several operations are performed using the same parameters.
@@ -49,13 +54,17 @@ Sign data using RSA with PKCS#1 padding and SHA256 digest:
  #include <openssl/rsa.h>
 
  EVP_PKEY_CTX *ctx;
+ /* md is a SHA-256 digest in this example. */
  unsigned char *md, *sig;
- size_t mdlen, siglen; 
+ size_t mdlen = 32, siglen;
  EVP_PKEY *signing_key;
- /* NB: assumes signing_key, md and mdlen are already set up
-  * and that signing_key is an RSA private key
+
+ /*
+  * NB: assumes signing_key and md are set up before the next
+  * step. signing_key must be an RSA private key and md must
+  * point to the SHA-256 digest to be signed.
   */
- ctx = EVP_PKEY_CTX_new(signing_key);
+ ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
  if (!ctx)
 	/* Error occurred */
  if (EVP_PKEY_sign_init(ctx) <= 0)
@@ -83,6 +92,7 @@ Sign data using RSA with PKCS#1 padding and SHA256 digest:
 =head1 SEE ALSO
 
 L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_CTX_ctrl(3)|EVP_PKEY_CTX_ctrl(3)>,
 L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
 L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
 L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
diff --git a/crypto/openssl/doc/crypto/EVP_SignInit.pod b/crypto/openssl/doc/crypto/EVP_SignInit.pod
index 620a623ab620..14ecc775af6a 100644
--- a/crypto/openssl/doc/crypto/EVP_SignInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_SignInit.pod
@@ -30,9 +30,11 @@ signature context B<ctx>. This function can be called several times on the
 same B<ctx> to include additional data.
 
 EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
-places the signature in B<sig>. The number of bytes of data written (i.e. the
-length of the signature) will be written to the integer at B<s>, at most
-EVP_PKEY_size(pkey) bytes will be written. 
+places the signature in B<sig>. B<sig> must be at least EVP_PKEY_size(pkey)
+bytes in size. B<s> is an OUT paramter, and not used as an IN parameter.
+The number of bytes of data written (i.e. the length of the signature)
+will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
+will be written.
 
 EVP_SignInit() initializes a signing context B<ctx> to use the default
 implementation of digest B<type>.
diff --git a/crypto/openssl/doc/crypto/OPENSSL_config.pod b/crypto/openssl/doc/crypto/OPENSSL_config.pod
index e7bba2aacae0..888de88f6bbf 100644
--- a/crypto/openssl/doc/crypto/OPENSSL_config.pod
+++ b/crypto/openssl/doc/crypto/OPENSSL_config.pod
@@ -73,7 +73,7 @@ Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
 =head1 SEE ALSO
 
 L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
-L<CONF_modules_free(3),CONF_modules_free(3)>
+L<CONF_modules_free(3)|CONF_modules_free(3)>
 
 =head1 HISTORY
 
diff --git a/crypto/openssl/doc/crypto/RSA_set_method.pod b/crypto/openssl/doc/crypto/RSA_set_method.pod
index 2c963d7e5bba..0ef078118651 100644
--- a/crypto/openssl/doc/crypto/RSA_set_method.pod
+++ b/crypto/openssl/doc/crypto/RSA_set_method.pod
@@ -125,14 +125,18 @@ the default method is used.
      /* sign. For backward compatibility, this is used only
       * if (flags & RSA_FLAG_SIGN_VER)
       */
-	int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
-           unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-
+	int (*rsa_sign)(int type,
+		const unsigned char *m, unsigned int m_length,
+		unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
      /* verify. For backward compatibility, this is used only
       * if (flags & RSA_FLAG_SIGN_VER)
       */
-	int (*rsa_verify)(int type, unsigned char *m, unsigned int m_len,
-           unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+	int (*rsa_verify)(int dtype,
+		const unsigned char *m, unsigned int m_length,
+		const unsigned char *sigbuf, unsigned int siglen,
+								const RSA *rsa);
+     /* keygen. If NULL builtin RSA key generation will be used */
+	int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
 
  } RSA_METHOD;
 
diff --git a/crypto/openssl/doc/crypto/RSA_sign.pod b/crypto/openssl/doc/crypto/RSA_sign.pod
index 8553be8e99b6..fc16b1f4f806 100644
--- a/crypto/openssl/doc/crypto/RSA_sign.pod
+++ b/crypto/openssl/doc/crypto/RSA_sign.pod
@@ -20,6 +20,10 @@ RSA_sign() signs the message digest B<m> of size B<m_len> using the
 private key B<rsa> as specified in PKCS #1 v2.0. It stores the
 signature in B<sigret> and the signature size in B<siglen>. B<sigret>
 must point to RSA_size(B<rsa>) bytes of memory.
+Note that PKCS #1 adds meta-data, placing limits on the size of the
+key that can be used.
+See L<RSA_private_encrypt(3)|RSA_private_encrypt(3)> for lower-level
+operations.
 
 B<type> denotes the message digest algorithm that was used to generate
 B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
diff --git a/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod b/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
index 41902c0d4553..4716e7ee7542 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
@@ -65,7 +65,7 @@ set first so the relevant field information can be looked up internally.
 =head1 SEE ALSO
 
 L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
-L<OBJ_nid2obj(3),OBJ_nid2obj(3)>
+L<OBJ_nid2obj(3)|OBJ_nid2obj(3)>
 
 =head1 HISTORY
 
diff --git a/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod b/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
index 1afd008cb372..043766cc461b 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
@@ -81,14 +81,14 @@ Create an B<X509_NAME> structure:
  nm = X509_NAME_new();
  if (nm == NULL)
 	/* Some error */
- if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-			"C", "UK", -1, -1, 0))
+ if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC, 
+			"UK", -1, -1, 0))
 	/* Error */
- if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-			"O", "Disorganized Organization", -1, -1, 0))
+ if (!X509_NAME_add_entry_by_txt(nm, "O", MBSTRING_ASC,
+			"Disorganized Organization", -1, -1, 0))
 	/* Error */
- if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-			"CN", "Joe Bloggs", -1, -1, 0))
+ if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC,
+			"Joe Bloggs", -1, -1, 0))
 	/* Error */
 
 =head1 RETURN VALUES
diff --git a/crypto/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod b/crypto/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
index 3b1f9ff43b65..c8a812879561 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
@@ -59,6 +59,10 @@ X509_NAME_get_index_by_OBJ() should be used followed by
 X509_NAME_get_entry() on any matching indices and then the
 various B<X509_NAME_ENTRY> utility functions on the result.
 
+The list of all relevant B<NID_*> and B<OBJ_* codes> can be found in
+the source code header files E<lt>openssl/obj_mac.hE<gt> and/or
+E<lt>openssl/objects.hE<gt>.
+
 =head1 EXAMPLES
 
 Process all entries:
diff --git a/crypto/openssl/doc/crypto/X509_STORE_CTX_get_error.pod b/crypto/openssl/doc/crypto/X509_STORE_CTX_get_error.pod
index a883f6c09783..60e8332ae9dd 100644
--- a/crypto/openssl/doc/crypto/X509_STORE_CTX_get_error.pod
+++ b/crypto/openssl/doc/crypto/X509_STORE_CTX_get_error.pod
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
 an application specific error. This will never be returned unless explicitly
 set by an application.
 
+=back
+
 =head1 NOTES
 
 The above functions should be used instead of directly referencing the fields
diff --git a/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod b/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
index 8d6b9dda47e7..8a9243d75613 100644
--- a/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
+++ b/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
@@ -15,7 +15,7 @@ X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_
 
  int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *d, int idx, void *arg);
 
- char *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
+ void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/crypto/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index b68eece03387..46cac2bea2be 100644
--- a/crypto/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/crypto/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -113,7 +113,7 @@ a special status code is set to the verification callback. This permits it
 to examine the valid policy tree and perform additional checks or simply
 log it for debugging purposes.
 
-By default some addtional features such as indirect CRLs and CRLs signed by
+By default some additional features such as indirect CRLs and CRLs signed by
 different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set
 they are enabled.
 
diff --git a/crypto/openssl/doc/crypto/des.pod b/crypto/openssl/doc/crypto/des.pod
index 6f0cf1cc5e5f..e1add56b5e81 100644
--- a/crypto/openssl/doc/crypto/des.pod
+++ b/crypto/openssl/doc/crypto/des.pod
@@ -135,9 +135,8 @@ depend on a global variable.
 
 DES_set_odd_parity() sets the parity of the passed I<key> to odd.
 
-DES_is_weak_key() returns 1 is the passed key is a weak key, 0 if it
-is ok.  The probability that a randomly generated key is weak is
-1/2^52, so it is not really worth checking for them.
+DES_is_weak_key() returns 1 if the passed key is a weak key, 0 if it
+is ok.  
 
 The following routines mostly operate on an input and output stream of
 I<DES_cblock>s.
@@ -181,7 +180,7 @@ of 24 bytes.  This is much better than CBC DES.
 
 DES_ede3_cbc_encrypt() implements outer triple CBC DES encryption with
 three keys. This means that each DES operation inside the CBC mode is
-really an C<C=E(ks3,D(ks2,E(ks1,M)))>.  This mode is used by SSL.
+an C<C=E(ks3,D(ks2,E(ks1,M)))>.  This mode is used by SSL.
 
 The DES_ede2_cbc_encrypt() macro implements two-key Triple-DES by
 reusing I<ks1> for the final encryption.  C<C=E(ks1,D(ks2,E(ks1,M)))>.
diff --git a/crypto/openssl/doc/crypto/ecdsa.pod b/crypto/openssl/doc/crypto/ecdsa.pod
index 20edff97ffd6..59a5916de123 100644
--- a/crypto/openssl/doc/crypto/ecdsa.pod
+++ b/crypto/openssl/doc/crypto/ecdsa.pod
@@ -95,7 +95,7 @@ is ignored.
 
 ECDSA_verify() verifies that the signature in B<sig> of size
 B<siglen> is a valid ECDSA signature of the hash value
-value B<dgst> of size B<dgstlen> using the public key B<eckey>.
+B<dgst> of size B<dgstlen> using the public key B<eckey>.
 The parameter B<type> is ignored.
 
 ECDSA_do_sign() is wrapper function for ECDSA_do_sign_ex with B<kinv>
@@ -131,16 +131,12 @@ specific)
 
  int        ret;
  ECDSA_SIG *sig;
- EC_KEY    *eckey = EC_KEY_new();
+ EC_KEY    *eckey;
+ eckey = EC_KEY_new_by_curve_name(NID_secp192k1);
  if (eckey == NULL)
 	{
 	/* error */
 	}
- key->group = EC_GROUP_new_by_nid(NID_secp192k1);
- if (key->group == NULL)
-	{
-	/* error */
-	}
  if (!EC_KEY_generate_key(eckey))
 	{
 	/* error */
diff --git a/crypto/openssl/doc/crypto/err.pod b/crypto/openssl/doc/crypto/err.pod
index 6f729554d2a9..4a5dc6935cc7 100644
--- a/crypto/openssl/doc/crypto/err.pod
+++ b/crypto/openssl/doc/crypto/err.pod
@@ -171,7 +171,6 @@ ERR_get_string_table(void) respectively.
 
 =head1 SEE ALSO
 
-L<CRYPTO_set_id_callback(3)|CRYPTO_set_id_callback(3)>,
 L<CRYPTO_set_locking_callback(3)|CRYPTO_set_locking_callback(3)>,
 L<ERR_get_error(3)|ERR_get_error(3)>,
 L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>,
diff --git a/crypto/openssl/doc/crypto/pem.pod b/crypto/openssl/doc/crypto/pem.pod
index d5b189611956..21e9fe3b98a9 100644
--- a/crypto/openssl/doc/crypto/pem.pod
+++ b/crypto/openssl/doc/crypto/pem.pod
@@ -201,7 +201,7 @@ handle PKCS#8 format encrypted and unencrypted keys too.
 PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey()
 write a private key in an EVP_PKEY structure in PKCS#8
 EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
-algorithms. The B<cipher> argument specifies the encryption algoritm to
+algorithms. The B<cipher> argument specifies the encryption algorithm to
 use: unlike all other PEM routines the encryption is applied at the
 PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no
 encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
@@ -450,9 +450,9 @@ byte B<salt> encoded as a set of hexadecimal digits.
 
 After this is the base64 encoded encrypted data.
 
-The encryption key is determined using EVP_bytestokey(), using B<salt> and an
+The encryption key is determined using EVP_BytesToKey(), using B<salt> and an
 iteration count of 1. The IV used is the value of B<salt> and *not* the IV
-returned by EVP_bytestokey().
+returned by EVP_BytesToKey().
 
 =head1 BUGS
 
@@ -474,3 +474,7 @@ The read routines return either a pointer to the structure read or NULL
 if an error occurred.
 
 The write routines return 1 for success or 0 for failure.
+
+=head1 SEE ALSO
+
+L<EVP_get_cipherbyname(3)|EVP_get_cipherbyname>, L<EVP_BytesToKey(3)|EVP_BytesToKey(3)>
diff --git a/crypto/openssl/doc/crypto/ui.pod b/crypto/openssl/doc/crypto/ui.pod
index 6df68d604a82..04f8e9c360a8 100644
--- a/crypto/openssl/doc/crypto/ui.pod
+++ b/crypto/openssl/doc/crypto/ui.pod
@@ -119,7 +119,7 @@ verification will fail.
 UI_add_input_boolean() adds a prompt to the UI that's supposed to be answered
 in a boolean way, with a single character for yes and a different character
 for no.  A set of characters that can be used to cancel the prompt is given
-as well.  The prompt itself is really divided in two, one part being the
+as well.  The prompt itself is divided in two, one part being the
 descriptive text (given through the I<prompt> argument) and one describing
 the possible answers (given through the I<action_desc> argument).
 
diff --git a/crypto/openssl/doc/fingerprints.txt b/crypto/openssl/doc/fingerprints.txt
index 7d05a855946b..373e90d0a1e7 100644
--- a/crypto/openssl/doc/fingerprints.txt
+++ b/crypto/openssl/doc/fingerprints.txt
@@ -4,12 +4,11 @@ OpenSSL releases are signed with PGP/GnuPG keys.  You can find the
 signatures in separate files in the same location you find the
 distributions themselves.  The normal file name is the same as the
 distribution file, with '.asc' added.  For example, the signature for
-the distribution of OpenSSL 0.9.7f, openssl-0.9.7f.tar.gz, is found in
-the file openssl-0.9.7f.tar.gz.asc.
+the distribution of OpenSSL 1.0.1h, openssl-1.0.1h.tar.gz, is found in
+the file openssl-1.0.1h.tar.gz.asc.
 
 The following is the list of fingerprints for the keys that are
-currently in use (have been used since summer 2004) to sign OpenSSL
-distributions:
+currently in use to sign OpenSSL distributions:
 
 pub   1024D/F709453B 2003-10-20
       Key fingerprint = C4CA B749 C34F 7F4C C04F  DAC9 A7AF 9E78 F709 453B
@@ -21,16 +20,19 @@ pub   2048R/F295C759 1998-12-13
       Key fingerprint = D0 5D 8C 61 6E 27 E6 60  41 EC B1 B8 D5 7E E5 97
 uid                  Dr S N Henson <shenson@drh-consultancy.demon.co.uk>
 
+pub   4096R/FA40E9E2 2005-03-19
+      Key fingerprint = 6260 5AA4 334A F9F0 DDE5  D349 D357 7507 FA40 E9E2
+uid                  Dr Stephen Henson <shenson@opensslfoundation.com>
+uid                  Dr Stephen Henson <shenson@drh-consultancy.co.uk>
+uid                  Dr Stephen N Henson <steve@openssl.org>
+sub   4096R/8811F530 2005-03-19
+
 pub   1024R/49A563D9 1997-02-24
       Key fingerprint = 7B 79 19 FA 71 6B 87 25  0E 77 21 E5 52 D9 83 BF
 uid                  Mark Cox <mjc@redhat.com>
 uid                  Mark Cox <mark@awe.com>
 uid                  Mark Cox <mjc@apache.org>
 
-pub   1024R/26BB437D 1997-04-28
-      Key fingerprint = 00 C9 21 8E D1 AB 70 37  DD 67 A2 3A 0A 6F 8D A5
-uid                  Ralf S. Engelschall <rse@engelschall.com>
-
 pub   1024R/9C58A66D 1997-04-03
       Key fingerprint = 13 D0 B8 9D 37 30 C3 ED  AC 9C 24 7D 45 8C 17 67
 uid                  jaenicke@openssl.org
@@ -55,3 +57,7 @@ uid                  Bodo Moeller <3moeller@informatik.uni-hamburg.de>
 uid                  Bodo Moeller <Bodo_Moeller@public.uni-hamburg.de>
 uid                  Bodo Moeller <3moeller@rzdspc5.informatik.uni-hamburg.de>
 
+pub   2048R/0E604491 2013-04-30            
+      Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
+uid                  Matt Caswell <frodo@baggins.org>
+
diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
index eb772b55de4a..2e113be6065c 100644
--- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
@@ -23,8 +23,12 @@ SSL_CIPHER_get_bits() returns the number of secret bits used for B<cipher>. If
 B<alg_bits> is not NULL, it contains the number of bits processed by the
 chosen algorithm. If B<cipher> is NULL, 0 is returned.
 
-SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently
-"SSLv2", "SSLv3", or "TLSv1". If B<cipher> is NULL, "(NONE)" is returned.
+SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol
+version that first defined the cipher.
+This is currently B<SSLv2> or B<TLSv1/SSLv3>.
+In some cases it should possibly return "TLSv1.2" but does not;
+use SSL_CIPHER_description() instead.
+If B<cipher> is NULL, "(NONE)" is returned.
 
 SSL_CIPHER_description() returns a textual description of the cipher used
 into the buffer B<buf> of length B<len> provided. B<len> must be at least
@@ -52,7 +56,8 @@ Textual representation of the cipher name.
 
 =item <protocol version>
 
-Protocol version: B<SSLv2>, B<SSLv3>. The TLSv1 ciphers are flagged with SSLv3.
+Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
+flagged with SSLv3. No new ciphers were added by TLSv1.1.
 
 =item Kx=<key exchange>
 
@@ -91,6 +96,10 @@ Some examples for the output of SSL_CIPHER_description():
  RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
  EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
 
+A comp[lete list can be retrieved by invoking the following command:
+
+ openssl ciphers -v ALL
+
 =head1 BUGS
 
 If SSL_CIPHER_description() is called with B<cipher> being NULL, the
diff --git a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod
index 42fa66b19751..f4d191c9b6bd 100644
--- a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod
+++ b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may return the following values:
 
 =over 4
 
-=item 0
+=item Z<>0
 
 The operation succeeded.
 
-=item 1
+=item Z<>1
 
 The operation failed. Check the error queue to find out the reason.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
index ee28f5ccc3a3..5955ee1cb415 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
@@ -24,6 +24,16 @@ the library will try to complete the chain from the available CA
 certificates in the trusted CA storage, see
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
 
+The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be freed by the library when the B<SSL_CTX> is destroyed. An application B<should not> free the B<x509> object.
+
+=head1 RESTRICTIONS
+
+Only one set of extra chain certificates can be specified per SSL_CTX
+structure. Different chains for different certificates (for example if both
+RSA and DSA certificates are specified by the same server) or different SSL
+structures with the same parent SSL_CTX cannot be specified using this
+function.
+
 =head1 RETURN VALUES
 
 SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod
index 82676b26b239..c660a18fc2a1 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod
@@ -41,7 +41,7 @@ If a server SSL_CTX is configured with the SSL_SESS_CACHE_NO_INTERNAL_STORE
 flag then the internal cache will not be populated automatically by new
 sessions negotiated by the SSL/TLS implementation, even though the internal
 cache will be searched automatically for session-resume requests (the
-latter can be surpressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the
+latter can be suppressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the
 application can use SSL_CTX_add_session() directly to have full control
 over the sessions that can be resumed if desired.
 
@@ -52,13 +52,13 @@ The following values are returned by all functions:
 
 =over 4
 
-=item 0
+=item Z<>0
 
  The operation failed. In case of the add operation, it was tried to add
  the same (identical) session twice. In case of the remove operation, the
  session was not found in the cache.
 
-=item 1
+=item Z<>1
  
  The operation succeeded.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
index 84a799fc71dd..d1d897719531 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
@@ -100,13 +100,13 @@ The following return values can occur:
 
 =over 4
 
-=item 0
+=item Z<>0
 
 The operation failed because B<CAfile> and B<CApath> are NULL or the
 processing at one of the locations specified failed. Check the error
 stack to find out the reason.
 
-=item 1
+=item Z<>1
 
 The operation succeeded.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_new.pod b/crypto/openssl/doc/ssl/SSL_CTX_new.pod
index 73e8c47f9a2e..491ac8c172cb 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_new.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_new.pod
@@ -51,22 +51,36 @@ SSLv3 client hello messages.
 
 =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
 
-A TLS/SSL connection established with these methods will understand the SSLv2,
-SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages
-and will indicate that it also understands SSLv3 and TLSv1. A server will
-understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best
-choice when compatibility is a concern.
+A TLS/SSL connection established with these methods may understand the SSLv2,
+SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+
+If the cipher list does not contain any SSLv2 ciphersuites (the default
+cipher list does not) or extensions are required (for example server name)
+a client will send out TLSv1 client hello messages including extensions and
+will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
+fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+protocols. This is the best choice when compatibility is a concern.
+
+If any SSLv2 ciphersuites are included in the cipher list and no extensions
+are required then SSLv2 compatible client hellos will be used by clients and
+SSLv2 will be accepted by servers. This is B<not> recommended due to the
+insecurity of SSLv2 and the limited nature of the SSLv2 client hello
+prohibiting the use of extensions.
 
 =back
 
 The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
-SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or
-B<SSL_set_options()> functions. Using these options it is possible to choose
-e.g. SSLv23_server_method() and be able to negotiate with all possible
-clients, but to only allow newer protocols like SSLv3 or TLSv1.
+SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
+options of the SSL_CTX_set_options() or SSL_set_options() functions.
+Using these options it is possible to choose e.g. SSLv23_server_method() and
+be able to negotiate with all possible clients, but to only allow newer
+protocols like TLSv1, TLSv1.1 or TLS v1.2.
+
+Applications which never want to support SSLv2 (even is the cipher string
+is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
 
 SSL_CTX_new() initializes the list of ciphers, the session cache setting,
-the callbacks, the keys and certificates, and the options to its default
+the callbacks, the keys and certificates and the options to its default
 values.
 
 =head1 RETURN VALUES
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod
index ed64f6415702..bd4df4abd461 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod
@@ -54,6 +54,10 @@ of 512 bits and the server is not configured to use temporary RSA
 keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
 and the handshake will fail.
 
+If the cipher list does not contain any SSLv2 cipher suites (this is the
+default) then SSLv2 is effectively disabled and neither clients nor servers
+will attempt to use SSLv2.
+
 =head1 RETURN VALUES
 
 SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod
index 632b556d1262..4965385e97ae 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -35,7 +35,7 @@ the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
 =head1 NOTES
 
 When a TLS/SSL server requests a client certificate (see
-B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which
+B<SSL_CTX_set_verify(3)>), it sends a list of CAs, for which
 it will accept certificates, to the client.
 
 This list must explicitly be set using SSL_CTX_set_client_CA_list() for
@@ -66,16 +66,16 @@ values:
 
 =over 4
 
-=item 1
-
-The operation succeeded.
-
-=item 0
+=item Z<>0
 
 A failure while manipulating the STACK_OF(X509_NAME) object occurred or
 the X509_NAME could not be extracted from B<cacert>. Check the error stack
 to find out the reason.
 
+=item Z<>1
+
+The operation succeeded.
+
 =back
 
 =head1 EXAMPLES
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod
index 3465b5c7bbaf..d0df69a9bc18 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod
@@ -29,7 +29,7 @@ using the B<x509> and B<pkey> arguments and "1" must be returned. The
 certificate will be installed into B<ssl>, see the NOTES and BUGS sections.
 If no certificate should be set, "0" has to be returned and no certificate
 will be sent. A negative return value will suspend the handshake and the
-handshake function will return immediatly. L<SSL_get_error(3)|SSL_get_error(3)>
+handshake function will return immediately. L<SSL_get_error(3)|SSL_get_error(3)>
 will return SSL_ERROR_WANT_X509_LOOKUP to indicate, that the handshake was
 suspended. The next call to the handshake function will again lead to the call
 of client_cert_cb(). It is the job of the client_cert_cb() to store information
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
index 8cb669daeb78..2a5aaa555e13 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
@@ -71,6 +71,16 @@ SSL_CTX->freelist_max_len, which defaults to 32.  Using this flag can
 save around 34k per idle SSL connection.
 This flag has no effect on SSL v2 connections, or on DTLS connections.
 
+=item SSL_MODE_SEND_FALLBACK_SCSV
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
+To be set only by applications that reconnect with a downgraded protocol
+version; see draft-ietf-tls-downgrade-scsv-00 for details.
+
+DO NOT ENABLE THIS if your application attempts a normal handshake.
+Only use this in explicit fallback retries, following the guidance
+in draft-ietf-tls-downgrade-scsv-00.
+
 =back
 
 =head1 RETURN VALUES
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod
index 0015e6ea7923..8b82d94a389e 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod
@@ -11,8 +11,8 @@ SSL_CTX_set_msg_callback, SSL_CTX_set_msg_callback_arg, SSL_set_msg_callback, SS
  void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
  void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
 
- void SSL_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
- void SSL_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
+ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+ void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
index c4b9ac20c231..e80a72cd4d06 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -88,9 +88,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
 
 ...
 
-=item SSL_OP_MSIE_SSLV2_RSA_PADDING
+=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
 
-As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
+Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
+OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
 
 =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 
@@ -111,6 +112,12 @@ vulnerability affecting CBC ciphers, which cannot be handled by some
 broken SSL implementations.  This option has no effect for connections
 using other ciphers.
 
+=item SSL_OP_TLSEXT_PADDING
+
+Adds a padding extension to ensure the ClientHello size is never between
+256 and 511 bytes in length. This is needed as a workaround for some
+implementations.
+
 =item SSL_OP_ALL
 
 All of the above bug workarounds.
@@ -241,7 +248,7 @@ Connections and renegotiation are always permitted by OpenSSL implementations.
 
 =head2 Unpatched client and patched OpenSSL server
 
-The initial connection suceeds but client renegotiation is denied by the
+The initial connection succeeds but client renegotiation is denied by the
 server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal
 B<handshake_failure> alert in SSL v3.0.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod
index 58fc685506eb..7c9e5153360a 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod
@@ -64,13 +64,13 @@ return the following values:
 
 =over 4
 
-=item 0
+=item Z<>0
 
 The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
 the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
 is logged to the error stack.
 
-=item 1
+=item Z<>1
 
 The operation succeeded.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
index 254f2b4397fa..e254f9657bd5 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
@@ -42,11 +42,11 @@ and SSL_set_ssl_method():
 
 =over 4
 
-=item 0
+=item Z<>0
 
 The new choice failed, check the error stack to find out the reason.
 
-=item 1
+=item Z<>1
 
 The operation succeeded.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
new file mode 100644
index 000000000000..da0dd0f597e4
--- /dev/null
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -0,0 +1,195 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tlsext_ticket_key_cb - set a callback for session ticket processing
+
+=head1 SYNOPSIS
+
+ #include <openssl/tls1.h>
+
+ long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx,
+        int (*cb)(SSL *s, unsigned char key_name[16],
+	          unsigned char iv[EVP_MAX_IV_LENGTH],
+		  EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc));
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_tlsext_ticket_key_cb() sets a callback fuction I<cb> for handling 
+session tickets for the ssl context I<sslctx>. Session tickets, defined in 
+RFC5077 provide an enhanced session resumption capability where the server
+implementation is not required to maintain per session state. It only applies
+to TLS and there is no SSLv3 implementation.
+
+The callback is available when the OpenSSL library was built without 
+I<OPENSSL_NO_TLSEXT> being defined.
+
+The callback function I<cb> will be called for every client instigated TLS
+session when session ticket extension is presented in the TLS hello
+message. It is the responsibility of this function to create or retrieve the
+cryptographic parameters and to maintain their state.
+
+The OpenSSL library uses your callback function to help implement a common TLS 
+ticket construction state according to RFC5077 Section 4 such that per session
+state is unnecessary and a small set of cryptographic variables needs to be 
+maintained by the callback function implementation.
+
+In order to reuse a session, a TLS client must send the a session ticket
+extension to the server. The client can only send exactly one session ticket.
+The server, through the callback function, either agrees to reuse the session
+ticket information or it starts a full TLS handshake to create a new session
+ticket.
+
+Before the callback function is started I<ctx> and I<hctx> have been 
+initialised with EVP_CIPHER_CTX_init and HMAC_CTX_init respectively.
+
+For new sessions tickets, when the client doesn't present a session ticket, or
+an attempted retreival of the ticket failed, or a renew option was indicated,
+the callback function will be called with I<enc> equal to 1. The OpenSSL
+library expects that the function will set an arbitary I<name>, initialize
+I<iv>, and set the cipher context I<ctx> and the hash context I<hctx>.
+
+The I<name> is 16 characters long and is used as a key identifier.
+
+The I<iv> length is the length of the IV of the corresponding cipher. The
+maximum IV length is L<EVP_MAX_IV_LENGTH> bytes defined in B<evp.h>.
+
+The initialization vector I<iv> should be a random value. The cipher context 
+I<ctx> should use the initialisation vector I<iv>. The cipher context can be 
+set using L<EVP_EncryptInit_ex>. The hmac context can be set using L<HMAC_Init_ex>.
+
+When the client presents a session ticket, the callback function with be called 
+with I<enc> set to 0 indicating that the I<cb> function should retreive a set
+of parameters. In this case I<name> and I<iv> have already been parsed out of
+the session ticket. The OpenSSL library expects that the I<name> will be used
+to retrieve a cryptographic parameters and that the cryptographic context
+I<ctx> will be set with the retreived parameters and the initialization vector
+I<iv>. using a function like L<EVP_DecryptInit_ex>. The I<hctx> needs to be set
+using L<HMAC_Init_ex>.
+
+If the I<name> is still valid but a renewal of the ticket is required the
+callback function should return 2. The library will call the callback again
+with an arguement of enc equal to 1 to set the new ticket.
+
+The return value of the I<cb> function is used by OpenSSL to determine what
+further processing will occur. The following return values have meaning:
+
+=over 4
+
+=item Z<>2
+
+This indicates that the I<ctx> and I<hctx> have been set and the session can 
+continue on those parameters. Additionally it indicates that the session
+ticket is in a renewal period and should be replaced. The OpenSSL library will
+call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077
+3.3 paragraph 2).
+
+=item Z<>1
+
+This indicates that the I<ctx> and I<hctx> have been set and the session can 
+continue on those parameters.
+
+=item Z<>0
+
+This indicates that it was not possible to set/retrieve a session ticket and 
+the SSL/TLS session will continue by by negiotationing a set of cryptographic
+parameters or using the alternate SSL/TLS resumption mechanism, session ids.
+
+If called with enc equal to 0 the library will call the I<cb> again to get
+a new set of parameters.
+
+=item less than 0
+
+This indicates an error.
+
+=back
+
+=head1 NOTES
+
+Session resumption shortcuts the TLS so that the client certificate
+negiotation don't occur. It makes up for this by storing client certificate
+an all other negotiated state information encrypted within the ticket. In a
+resumed session the applications will have all this state information available
+exactly as if a full negiotation had occured.
+
+If an attacker can obtain the key used to encrypt a session ticket, they can
+obtain the master secret for any ticket using that key and decrypt any traffic
+using that session: even if the ciphersuite supports forward secrecy. As
+a result applications may wish to use multiple keys and avoid using long term
+keys stored in files.
+
+Applications can use longer keys to maintain a consistent level of security.
+For example if a ciphersuite uses 256 bit ciphers but only a 128 bit ticket key
+the overall security is only 128 bits because breaking the ticket key will
+enable an attacker to obtain the session keys.
+
+=head1 EXAMPLES
+
+Reference Implemention:
+  SSL_CTX_set_tlsext_ticket_key_cb(SSL,ssl_tlsext_ticket_key_cb);
+  ....
+
+  static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
+  {
+      if (enc) { /* create new session */
+          if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) {
+              return -1; /* insufficient random */
+          }
+  
+          key = currentkey(); /* something that you need to implement */
+          if ( !key ) {
+              /* current key doesn't exist or isn't valid */
+              key = createkey(); /* something that you need to implement.
+                                   * createkey needs to initialise, a name,
+                                   * an aes_key, a hmac_key and optionally
+                                   * an expire time. */
+              if ( !key ) { /* key couldn't be created */
+                  return 0;
+              }
+          }
+          memcpy(key_name, key->name, 16);
+  
+          EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv);
+          HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
+  
+          return 1;
+  
+      } else { /* retrieve session */
+          key = findkey(name);
+  
+          if  (!key || key->expire < now() ) {
+              return 0;
+          }
+  
+          HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
+          EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv );
+
+          if (key->expire < ( now() - RENEW_TIME ) ) {
+              /* return 2 - this session will get a new ticket even though the current is still valid */
+              return 2;
+          }
+          return 1;
+  
+      }
+  }
+
+
+
+=head1 RETURN VALUES
+
+returns 0 to indicate the callback function was set.
+
+=head1 SEE ALSO
+
+L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
+L<SSL_session_reused(3)|SSL_session_reused(3)>,
+L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
+L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
+L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
+
+=head1 HISTORY
+
+This function was introduced in OpenSSL 0.9.8h
+
+=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
index 29d1f8a6fbfe..7a27eef50b17 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
@@ -12,12 +12,10 @@ SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_se
             DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
  long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh);
 
- void SSL_set_tmp_dh_callback(SSL_CTX *ctx,
+ void SSL_set_tmp_dh_callback(SSL *ctx,
             DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
  long SSL_set_tmp_dh(SSL *ssl, DH *dh)
 
- DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
-
 =head1 DESCRIPTION
 
 SSL_CTX_set_tmp_dh_callback() sets the callback function for B<ctx> to be
@@ -50,12 +48,13 @@ even if he gets hold of the normal (certified) key, as this key was
 only used for signing.
 
 In order to perform a DH key exchange the server must use a DH group
-(DH parameters) and generate a DH key. The server will always generate a new
-DH key during the negotiation, when the DH parameters are supplied via
-callback and/or when the SSL_OP_SINGLE_DH_USE option of
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)> is set. It will
-immediately create a DH key, when DH parameters are supplied via
-SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case,
+(DH parameters) and generate a DH key.
+The server will always generate a new DH key during the negotiation
+if either the DH parameters are supplied via callback or the
+SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both).
+It will  immediately create a DH key if DH parameters are supplied via
+SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set.
+In this case,
 it may happen that a key is generated on initialization without later
 being needed, while on the other hand the computer time during the
 negotiation is being saved.
@@ -81,7 +80,7 @@ instead (see L<dhparam(1)|dhparam(1)>), but in this case SSL_OP_SINGLE_DH_USE
 is mandatory.
 
 Application authors may compile in DH parameters. Files dh512.pem,
-dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current
+dh1024.pem, dh2048.pem, and dh4096.pem in the 'apps' directory of current
 version of the OpenSSL distribution contain the 'SKIP' DH parameters,
 which use safe primes and were generated verifiably pseudo-randomly.
 These files can be converted into C code using the B<-C> option of the
@@ -141,7 +140,7 @@ partly left out.)
       dh_tmp = dh_512;
       break;
     case 1024:
-      if (!dh_1024) 
+      if (!dh_1024)
         dh_1024 = get_dh1024();
       dh_tmp = dh_1024;
       break;
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
index 81566839d3d8..b6ba6bb51cad 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
@@ -109,8 +109,8 @@ certificates would not be present, most likely a
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued.
 The depth count is "level 0:peer certificate", "level 1: CA certificate",
 "level 2: higher level CA certificate", and so on. Setting the maximum
-depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9,
-allowing for the peer certificate and additional 9 CA certificates.
+depth to 2 allows the levels 0, 1, and 2. The default depth limit is 100,
+allowing for the peer certificate and additional 100 CA certificates.
 
 The B<verify_callback> function is used to control the behaviour when the
 SSL_VERIFY_PEER flag is set. It must be supplied by the application and
@@ -169,8 +169,8 @@ that will always continue the TLS/SSL handshake regardless of verification
 failure, if wished. The callback realizes a verification depth limit with
 more informational output.
 
-All verification errors are printed, informations about the certificate chain
-are printed on request.
+All verification errors are printed; information about the certificate chain
+is printed on request.
 The example is realized for a server that does allow but not require client
 certificates.
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
index b80e25be7eaa..9da7201a9990 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
 
 Return values from the server callback are interpreted as follows:
 
+=over 4
+
 =item > 0
 
 PSK identity was found and the server callback has provided the PSK
@@ -94,9 +96,11 @@ data to B<psk> and return the length of the random data, so the
 connection will fail with decryption_error before it will be finished
 completely.
 
-=item 0
+=item Z<>0
 
 PSK identity was not found. An "unknown_psk_identity" alert message
 will be sent and the connection setup fails.
 
+=back
+
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod
index cc724c0d561a..22394441741f 100644
--- a/crypto/openssl/doc/ssl/SSL_accept.pod
+++ b/crypto/openssl/doc/ssl/SSL_accept.pod
@@ -44,17 +44,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
-=item 0
+=item Z<>0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item Z<>1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful because a fatal error occurred either
diff --git a/crypto/openssl/doc/ssl/SSL_clear.pod b/crypto/openssl/doc/ssl/SSL_clear.pod
index d4df1bfac316..ba192bd518ae 100644
--- a/crypto/openssl/doc/ssl/SSL_clear.pod
+++ b/crypto/openssl/doc/ssl/SSL_clear.pod
@@ -56,12 +56,12 @@ The following return values can occur:
 
 =over 4
 
-=item 0
+=item Z<>0
 
 The SSL_clear() operation could not be performed. Check the error stack to
 find out the reason.
 
-=item 1
+=item Z<>1
 
 The SSL_clear() operation was successful.
 
diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod
index cc56ebb75f3f..68e2b82b8dbb 100644
--- a/crypto/openssl/doc/ssl/SSL_connect.pod
+++ b/crypto/openssl/doc/ssl/SSL_connect.pod
@@ -41,17 +41,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
-=item 0
+=item Z<>0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item Z<>1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful, because a fatal error occurred either
diff --git a/crypto/openssl/doc/ssl/SSL_do_handshake.pod b/crypto/openssl/doc/ssl/SSL_do_handshake.pod
index 243576451b7f..b35ddf5f14e1 100644
--- a/crypto/openssl/doc/ssl/SSL_do_handshake.pod
+++ b/crypto/openssl/doc/ssl/SSL_do_handshake.pod
@@ -45,17 +45,17 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
-=item 0
+=item Z<>0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item Z<>1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful because a fatal error occurred either
diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
index 49fb88f86faf..059376c76b24 100644
--- a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -8,11 +8,11 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
 
  #include <openssl/ssl.h>
 
- STACKOF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
+ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 
 =head1 DESCRIPTION
 
-SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
+SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates
 forming the certificate chain of the peer. If called on the client side,
 the stack also contains the peer's certificate; if called on the server
 side, the peer's certificate must be obtained separately using
@@ -24,7 +24,7 @@ If the peer did not present a certificate, NULL is returned.
 The peer certificate chain is not necessarily available after reusing
 a session, in which case a NULL pointer is returned.
 
-The reference count of the STACKOF(X509) object is not incremented.
+The reference count of the STACK_OF(X509) object is not incremented.
 If the corresponding session is freed, the pointer must not be used
 any longer.
 
@@ -39,7 +39,7 @@ The following return values can occur:
 No certificate was presented by the peer or no connection was established
 or the certificate chain is no longer available when a session is reused.
 
-=item Pointer to a STACKOF(X509)
+=item Pointer to a STACK_OF(X509)
 
 The return value points to the certificate chain presented by the peer.
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_version.pod b/crypto/openssl/doc/ssl/SSL_get_version.pod
index cc271db2c534..9ae6f2550858 100644
--- a/crypto/openssl/doc/ssl/SSL_get_version.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_version.pod
@@ -12,12 +12,12 @@ SSL_get_version - get the protocol version of a connection.
 
 =head1 DESCRIPTION
 
-SSL_get_cipher_version() returns the name of the protocol used for the
+SSL_get_version() returns the name of the protocol used for the
 connection B<ssl>.
 
 =head1 RETURN VALUES
 
-The following strings can occur:
+The following strings can be returned:
 
 =over 4
 
@@ -31,7 +31,15 @@ The connection uses the SSLv3 protocol.
 
 =item TLSv1
 
-The connection uses the TLSv1 protocol.
+The connection uses the TLSv1.0 protocol.
+
+=item TLSv1.1
+
+The connection uses the TLSv1.1 protocol.
+
+=item TLSv1.2
+
+The connection uses the TLSv1.2 protocol.
 
 =item unknown
 
diff --git a/crypto/openssl/doc/ssl/SSL_read.pod b/crypto/openssl/doc/ssl/SSL_read.pod
index 7038cd2d7520..8ca0ce5058da 100644
--- a/crypto/openssl/doc/ssl/SSL_read.pod
+++ b/crypto/openssl/doc/ssl/SSL_read.pod
@@ -86,7 +86,7 @@ The following return values can occur:
 The read operation was successful; the return value is the number of
 bytes actually read from the TLS/SSL connection.
 
-=item 0
+=item Z<>0
 
 The read operation was not successful. The reason may either be a clean
 shutdown due to a "close notify" alert sent by the peer (in which case
diff --git a/crypto/openssl/doc/ssl/SSL_session_reused.pod b/crypto/openssl/doc/ssl/SSL_session_reused.pod
index da7d06264d04..b09d8a71b062 100644
--- a/crypto/openssl/doc/ssl/SSL_session_reused.pod
+++ b/crypto/openssl/doc/ssl/SSL_session_reused.pod
@@ -27,11 +27,11 @@ The following return values can occur:
 
 =over 4
 
-=item 0
+=item Z<>0
 
 A new session was negotiated.
 
-=item 1
+=item Z<>1
 
 A session was reused.
 
diff --git a/crypto/openssl/doc/ssl/SSL_set_fd.pod b/crypto/openssl/doc/ssl/SSL_set_fd.pod
index 70291128fcec..14808716055d 100644
--- a/crypto/openssl/doc/ssl/SSL_set_fd.pod
+++ b/crypto/openssl/doc/ssl/SSL_set_fd.pod
@@ -35,11 +35,11 @@ The following return values can occur:
 
 =over 4
 
-=item 0
+=item Z<>0
 
 The operation failed. Check the error stack to find out why.
 
-=item 1
+=item Z<>1
 
 The operation succeeded.
 
diff --git a/crypto/openssl/doc/ssl/SSL_set_session.pod b/crypto/openssl/doc/ssl/SSL_set_session.pod
index 5f54714ad86a..197b5218305b 100644
--- a/crypto/openssl/doc/ssl/SSL_set_session.pod
+++ b/crypto/openssl/doc/ssl/SSL_set_session.pod
@@ -37,11 +37,11 @@ The following return values can occur:
 
 =over 4
 
-=item 0
+=item Z<>0
 
 The operation failed; check the error stack to find out the reason.
 
-=item 1
+=item Z<>1
 
 The operation succeeded.
 
diff --git a/crypto/openssl/doc/ssl/SSL_set_shutdown.pod b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
index 011a022a12c3..fe013085d39d 100644
--- a/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
@@ -24,7 +24,7 @@ The shutdown state of an ssl connection is a bitmask of:
 
 =over 4
 
-=item 0
+=item Z<>0
 
 No shutdown setting, yet.
 
diff --git a/crypto/openssl/doc/ssl/SSL_shutdown.pod b/crypto/openssl/doc/ssl/SSL_shutdown.pod
index 89911acbcac8..85d4a64b03f9 100644
--- a/crypto/openssl/doc/ssl/SSL_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_shutdown.pod
@@ -92,18 +92,18 @@ The following return values can occur:
 
 =over 4
 
-=item 1
-
-The shutdown was successfully completed. The "close notify" alert was sent
-and the peer's "close notify" alert was received.
-
-=item 0
+=item Z<>0
 
 The shutdown is not yet finished. Call SSL_shutdown() for a second time,
 if a bidirectional shutdown shall be performed.
 The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
 erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
 
+=item Z<>1
+
+The shutdown was successfully completed. The "close notify" alert was sent
+and the peer's "close notify" alert was received.
+
 =item -1
 
 The shutdown was not successful because a fatal error occurred either
diff --git a/crypto/openssl/doc/ssl/SSL_write.pod b/crypto/openssl/doc/ssl/SSL_write.pod
index e013c12d5254..a57617f3ee9a 100644
--- a/crypto/openssl/doc/ssl/SSL_write.pod
+++ b/crypto/openssl/doc/ssl/SSL_write.pod
@@ -79,7 +79,7 @@ The following return values can occur:
 The write operation was successful, the return value is the number of
 bytes actually written to the TLS/SSL connection.
 
-=item 0
+=item Z<>0
 
 The write operation was not successful. Probably the underlying connection
 was closed. Call SSL_get_error() with the return value B<ret> to find out,
diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
index 81d276477f9f..bce06e23b619 100644
--- a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
+++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
@@ -48,6 +48,16 @@ known limit on the size of the created ASN1 representation, so the necessary
 amount of space should be obtained by first calling i2d_SSL_SESSION() with
 B<pp=NULL>, and obtain the size needed, then allocate the memory and
 call i2d_SSL_SESSION() again.
+Note that this will advance the value contained in B<*pp> so it is necessary
+to save a copy of the original allocation.
+For example:
+ int i,j;
+ char *p, *temp;
+ i = i2d_SSL_SESSION(sess, NULL);
+ p = temp = malloc(i);
+ j = i2d_SSL_SESSION(sess, &temp);
+ assert(i == j);
+ assert(p+i == temp);
 
 =head1 RETURN VALUES
 
diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h
index 79c139257340..4df285b5b5a0 100644
--- a/crypto/openssl/e_os.h
+++ b/crypto/openssl/e_os.h
@@ -290,7 +290,7 @@ extern "C" {
 #    ifdef _WIN64
 #      define strlen(s) _strlen31(s)
 /* cut strings to 2GB */
-static unsigned int _strlen31(const char *str)
+static __inline unsigned int _strlen31(const char *str)
 	{
 	unsigned int len=0;
 	while (*str && len<0x80000000U) str++, len++;
@@ -368,6 +368,15 @@ static unsigned int _strlen31(const char *str)
 #    define DEFAULT_HOME  "C:"
 #  endif
 
+/* Avoid Visual Studio 13 GetVersion deprecated problems */
+#if defined(_MSC_VER) && _MSC_VER>=1800
+#  define check_winnt() (1)
+#  define check_win_minplat(x) (1)
+#else
+#  define check_winnt() (GetVersion() < 0x80000000)
+#  define check_win_minplat(x) (LOBYTE(LOWORD(GetVersion())) >= (x))
+#endif
+
 #else /* The non-microsoft world */
 
 #  ifdef OPENSSL_SYS_VMS
@@ -725,10 +734,25 @@ struct servent *getservbyname(const char *name, const char *proto);
 #include <OS.h>
 #endif
 
+#if !defined(inline) && !defined(__cplusplus)
+# if defined(__STDC_VERSION__) && __STDC_VERSION__>=199901L
+   /* do nothing, inline works */
+# elif defined(__GNUC__) && __GNUC__>=2
+#  define inline __inline__
+# elif defined(_MSC_VER)
+  /*
+   * Visual Studio: inline is available in C++ only, however
+   * __inline is available for C, see
+   * http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx
+   */
+#  define inline __inline
+# else
+#  define inline
+# endif
+#endif
 
 #ifdef  __cplusplus
 }
 #endif
 
 #endif
-
diff --git a/crypto/openssl/engines/ccgost/gost89.h b/crypto/openssl/engines/ccgost/gost89.h
index 2157852519fd..8da2407b0332 100644
--- a/crypto/openssl/engines/ccgost/gost89.h
+++ b/crypto/openssl/engines/ccgost/gost89.h
@@ -87,10 +87,6 @@ extern gost_subst_block Gost28147_CryptoProParamSetB;
 extern gost_subst_block Gost28147_CryptoProParamSetC;
 extern gost_subst_block Gost28147_CryptoProParamSetD;
 extern const byte CryptoProKeyMeshingKey[]; 
-#if __LONG_MAX__ > 2147483647L 
 typedef unsigned int word32; 
-#else 
-typedef unsigned long word32; 
-#endif 
 
 #endif
diff --git a/crypto/openssl/engines/ccgost/gost_ameth.c b/crypto/openssl/engines/ccgost/gost_ameth.c
index 2cde1fcfd9df..8b9230b9ab42 100644
--- a/crypto/openssl/engines/ccgost/gost_ameth.c
+++ b/crypto/openssl/engines/ccgost/gost_ameth.c
@@ -269,7 +269,7 @@ static int pkey_ctrl_gost(EVP_PKEY *pkey, int op,
 		case ASN1_PKEY_CTRL_CMS_ENVELOPE:
 			if (arg1 == 0)
 				{
-				X509_ALGOR *alg;
+				X509_ALGOR *alg = NULL;
 				ASN1_STRING * params = encode_gost_algor_params(pkey);
 				if (!params) 
 					{
diff --git a/crypto/openssl/engines/ccgost/gosthash.c b/crypto/openssl/engines/ccgost/gosthash.c
index 8c278aa6452e..91b2ce8829d8 100644
--- a/crypto/openssl/engines/ccgost/gosthash.c
+++ b/crypto/openssl/engines/ccgost/gosthash.c
@@ -180,8 +180,6 @@ int start_hash(gost_hash_ctx *ctx)
  */
 int hash_block(gost_hash_ctx *ctx,const byte *block, size_t length)
 	{
-	const byte *curptr=block;
-	const byte *barrier=block+(length-32);/* Last byte we can safely hash*/
 	if (ctx->left)
 		{
 		/*There are some bytes from previous step*/
@@ -196,24 +194,25 @@ int hash_block(gost_hash_ctx *ctx,const byte *block, size_t length)
 			{
 			return 1;
 			}	
-		curptr=block+add_bytes;
+		block+=add_bytes;
+		length-=add_bytes;
 		hash_step(ctx->cipher_ctx,ctx->H,ctx->remainder);
 		add_blocks(32,ctx->S,ctx->remainder);
 		ctx->len+=32;
 		ctx->left=0;
 		}
-	while (curptr<=barrier)
+	while (length>=32)
 		{	
-		hash_step(ctx->cipher_ctx,ctx->H,curptr);
+		hash_step(ctx->cipher_ctx,ctx->H,block);
 			
-		add_blocks(32,ctx->S,curptr);
+		add_blocks(32,ctx->S,block);
 		ctx->len+=32;
-		curptr+=32;
+		block+=32;
+		length-=32;
 		}	
-	if (curptr!=block+length)
+	if (length)
 		{
-		ctx->left=block+length-curptr;
-		memcpy(ctx->remainder,curptr,ctx->left);
+		memcpy(ctx->remainder,block,ctx->left=length);
 		}	
 	return 1;	
 	}
diff --git a/crypto/openssl/engines/e_padlock.c b/crypto/openssl/engines/e_padlock.c
index 9f7a85a8da57..5d252f62a9ca 100644
--- a/crypto/openssl/engines/e_padlock.c
+++ b/crypto/openssl/engines/e_padlock.c
@@ -384,6 +384,7 @@ padlock_available(void)
 }
 
 #ifndef OPENSSL_NO_AES
+#ifndef AES_ASM
 /* Our own htonl()/ntohl() */
 static inline void
 padlock_bswapl(AES_KEY *ks)
@@ -397,6 +398,7 @@ padlock_bswapl(AES_KEY *ks)
 	}
 }
 #endif
+#endif
 
 /* Force key reload from memory to the CPU microcode.
    Loading EFLAGS from the stack clears EFLAGS[30] 
diff --git a/crypto/openssl/ssl/Makefile b/crypto/openssl/ssl/Makefile
index debe07405bf8..8dd390e67f99 100644
--- a/crypto/openssl/ssl/Makefile
+++ b/crypto/openssl/ssl/Makefile
@@ -15,7 +15,7 @@ KRB5_INCLUDES=
 CFLAGS= $(INCLUDES) $(CFLAG)
 
 GENERAL=Makefile README ssl-lib.com install.com
-TEST=ssltest.c
+TEST=ssltest.c heartbeat_test.c
 APPS=
 
 LIB=$(TOP)/libssl.a
@@ -30,7 +30,7 @@ LIBSRC=	\
 	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
 	ssl_ciph.c ssl_stat.c ssl_rsa.c \
 	ssl_asn1.c ssl_txt.c ssl_algs.c \
-	bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c
+	bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c ssl_utst.c
 LIBOBJ= \
 	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
 	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
@@ -41,7 +41,7 @@ LIBOBJ= \
 	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
 	ssl_ciph.o ssl_stat.o ssl_rsa.o \
 	ssl_asn1.o ssl_txt.o ssl_algs.o \
-	bio_ssl.o ssl_err.o kssl.o tls_srp.o t1_reneg.o
+	bio_ssl.o ssl_err.o kssl.o tls_srp.o t1_reneg.o ssl_utst.o
 
 SRC= $(LIBSRC)
 
@@ -547,26 +547,27 @@ s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h
-s3_cbc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_cbc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s3_cbc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s3_cbc.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s3_cbc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s3_cbc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_cbc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s3_cbc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s3_cbc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
-s3_cbc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_cbc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_cbc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_cbc.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s3_cbc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_cbc.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s3_cbc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_cbc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_cbc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_cbc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_cbc.o: ../include/openssl/x509_vfy.h s3_cbc.c ssl_locl.h
+s3_cbc.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h
+s3_cbc.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+s3_cbc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_cbc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_cbc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_cbc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s3_cbc.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_cbc.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s3_cbc.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+s3_cbc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_cbc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_cbc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_cbc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_cbc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s3_cbc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_cbc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s3_cbc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_cbc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_cbc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_cbc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_cbc.c
+s3_cbc.o: ssl_locl.h
 s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -671,28 +672,29 @@ s3_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 s3_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 s3_pkt.o: ../include/openssl/x509_vfy.h s3_pkt.c ssl_locl.h
-s3_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s3_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s3_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s3_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s3_srvr.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h
-s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md5.h
-s3_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s3_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s3_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-s3_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_srvr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_srvr.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_srvr.c ssl_locl.h
+s3_srvr.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h
+s3_srvr.o: ../include/openssl/bio.h ../include/openssl/bn.h
+s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s3_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_srvr.o: ../include/openssl/hmac.h ../include/openssl/krb5_asn.h
+s3_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s3_srvr.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s3_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h
+s3_srvr.o: s3_srvr.c ssl_locl.h
 ssl_algs.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_algs.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -915,6 +917,26 @@ ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 ssl_txt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
 ssl_txt.o: ssl_txt.c
+ssl_utst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_utst.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+ssl_utst.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
+ssl_utst.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+ssl_utst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ssl_utst.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+ssl_utst.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_utst.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_utst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_utst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_utst.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_utst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_utst.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_utst.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_utst.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_utst.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_utst.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_utst.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_utst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_utst.o: ssl_utst.c
 t1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 t1_clnt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
diff --git a/crypto/openssl/ssl/d1_both.c b/crypto/openssl/ssl/d1_both.c
index bf40ccbeabc5..1b9d64bf6027 100644
--- a/crypto/openssl/ssl/d1_both.c
+++ b/crypto/openssl/ssl/d1_both.c
@@ -156,9 +156,8 @@ static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe
 static unsigned char bitmask_end_values[]   = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
 
 /* XDTLS:  figure out the right values */
-static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
+static const unsigned int g_probable_mtu[] = {1500, 512, 256};
 
-static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
 static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 
 	unsigned long frag_len);
 static unsigned char *dtls1_write_message_header(SSL *s,
@@ -211,8 +210,7 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
 	return frag;
 	}
 
-static void
-dtls1_hm_fragment_free(hm_fragment *frag)
+void dtls1_hm_fragment_free(hm_fragment *frag)
 	{
 
 	if (frag->msg_header.is_ccs)
@@ -225,53 +223,50 @@ dtls1_hm_fragment_free(hm_fragment *frag)
 	OPENSSL_free(frag);
 	}
 
-/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
-int dtls1_do_write(SSL *s, int type)
-	{
-	int ret;
-	int curr_mtu;
-	unsigned int len, frag_off, mac_size, blocksize;
+static int dtls1_query_mtu(SSL *s)
+{
+	if(s->d1->link_mtu)
+		{
+		s->d1->mtu = s->d1->link_mtu-BIO_dgram_get_mtu_overhead(SSL_get_wbio(s));
+		s->d1->link_mtu = 0;
+		}
 
 	/* AHA!  Figure out the MTU, and stick to the right size */
-	if (s->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
+	if (s->d1->mtu < dtls1_min_mtu(s))
 		{
-		s->d1->mtu = 
-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
-
-		/* I've seen the kernel return bogus numbers when it doesn't know
-		 * (initial write), so just make sure we have a reasonable number */
-		if (s->d1->mtu < dtls1_min_mtu())
+		if(!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
 			{
-			s->d1->mtu = 0;
-			s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, 
-				s->d1->mtu, NULL);
+			s->d1->mtu =
+				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+
+			/* I've seen the kernel return bogus numbers when it doesn't know
+			 * (initial write), so just make sure we have a reasonable number */
+			if (s->d1->mtu < dtls1_min_mtu(s))
+				{
+				/* Set to min mtu */
+				s->d1->mtu = dtls1_min_mtu(s);
+				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU,
+					s->d1->mtu, NULL);
+				}
 			}
+		else
+			return 0;
 		}
-#if 0 
-	mtu = s->d1->mtu;
-
-	fprintf(stderr, "using MTU = %d\n", mtu);
-
-	mtu -= (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
-
-	curr_mtu = mtu - BIO_wpending(SSL_get_wbio(s));
+	return 1;
+}
 
-	if ( curr_mtu > 0)
-		mtu = curr_mtu;
-	else if ( ( ret = BIO_flush(SSL_get_wbio(s))) <= 0)
-		return ret;
+/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
+int dtls1_do_write(SSL *s, int type)
+	{
+	int ret;
+	unsigned int curr_mtu;
+	int retry = 1;
+	unsigned int len, frag_off, mac_size, blocksize, used_len;
 
-	if ( BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu)
-		{
-		ret = BIO_flush(SSL_get_wbio(s));
-		if ( ret <= 0)
-			return ret;
-		mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
-		}
-#endif
+	if(!dtls1_query_mtu(s))
+		return -1;
 
-	OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu());  /* should have something reasonable now */
+	OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu(s));  /* should have something reasonable now */
 
 	if ( s->init_off == 0  && type == SSL3_RT_HANDSHAKE)
 		OPENSSL_assert(s->init_num == 
@@ -289,10 +284,15 @@ int dtls1_do_write(SSL *s, int type)
 		blocksize = 0;
 
 	frag_off = 0;
-	while( s->init_num)
+	/* s->init_num shouldn't ever be < 0...but just in case */
+	while(s->init_num > 0)
 		{
-		curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 
-			DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
+		used_len = BIO_wpending(SSL_get_wbio(s)) +  DTLS1_RT_HEADER_LENGTH
+			+ mac_size + blocksize;
+		if(s->d1->mtu > used_len)
+			curr_mtu = s->d1->mtu - used_len;
+		else
+			curr_mtu = 0;
 
 		if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
 			{
@@ -300,15 +300,27 @@ int dtls1_do_write(SSL *s, int type)
 			ret = BIO_flush(SSL_get_wbio(s));
 			if ( ret <= 0)
 				return ret;
-			curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH -
-				mac_size - blocksize;
+			used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
+			if(s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH)
+				{
+				curr_mtu = s->d1->mtu - used_len;
+				}
+			else
+				{
+				/* Shouldn't happen */
+				return -1;
+				}
 			}
 
-		if ( s->init_num > curr_mtu)
+		/* We just checked that s->init_num > 0 so this cast should be safe */
+		if (((unsigned int)s->init_num) > curr_mtu)
 			len = curr_mtu;
 		else
 			len = s->init_num;
 
+		/* Shouldn't ever happen */
+		if(len > INT_MAX)
+			len = INT_MAX;
 
 		/* XDTLS: this function is too long.  split out the CCS part */
 		if ( type == SSL3_RT_HANDSHAKE)
@@ -319,17 +331,29 @@ int dtls1_do_write(SSL *s, int type)
 				s->init_off -= DTLS1_HM_HEADER_LENGTH;
 				s->init_num += DTLS1_HM_HEADER_LENGTH;
 
-				/* write atleast DTLS1_HM_HEADER_LENGTH bytes */
-				if ( len <= DTLS1_HM_HEADER_LENGTH)  
-					len += DTLS1_HM_HEADER_LENGTH;
+				/* We just checked that s->init_num > 0 so this cast should be safe */
+				if (((unsigned int)s->init_num) > curr_mtu)
+					len = curr_mtu;
+				else
+					len = s->init_num;
 				}
 
+			/* Shouldn't ever happen */
+			if(len > INT_MAX)
+				len = INT_MAX;
+
+			if ( len < DTLS1_HM_HEADER_LENGTH )
+				{
+				/*
+				 * len is so small that we really can't do anything sensible
+				 * so fail
+				 */
+				return -1;
+				}
 			dtls1_fix_message_header(s, frag_off, 
 				len - DTLS1_HM_HEADER_LENGTH);
 
 			dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]);
-
-			OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH);
 			}
 
 		ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off],
@@ -342,12 +366,23 @@ int dtls1_do_write(SSL *s, int type)
 			 * is fine and wait for an alert to handle the
 			 * retransmit 
 			 */
-			if ( BIO_ctrl(SSL_get_wbio(s),
+			if ( retry && BIO_ctrl(SSL_get_wbio(s),
 				BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0 )
-				s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
-					BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+				{
+				if(!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
+					{
+					if(!dtls1_query_mtu(s))
+						return -1;
+					/* Have one more go */
+					retry = 0;
+					}
+				else
+					return -1;
+				}
 			else
+				{
 				return(-1);
+				}
 			}
 		else
 			{
@@ -684,8 +719,8 @@ dtls1_reassemble_fragment(SSL *s, const struct hm_header_st* msg_hdr, int *ok)
 		item = pitem_new(seq64be, frag);
 		if (item == NULL)
 			{
-			goto err;
 			i = -1;
+			goto err;
 			}
 
 		item = pqueue_insert(s->d1->buffered_messages, item);
@@ -1193,6 +1228,8 @@ dtls1_buffer_message(SSL *s, int is_ccs)
 	OPENSSL_assert(s->init_off == 0);
 
 	frag = dtls1_hm_fragment_new(s->init_num, 0);
+	if (!frag)
+		return 0;
 
 	memcpy(frag->fragment, s->init_buf->data, s->init_num);
 
@@ -1409,28 +1446,20 @@ dtls1_write_message_header(SSL *s, unsigned char *p)
 	return p;
 	}
 
-unsigned int 
-dtls1_min_mtu(void)
+unsigned int
+dtls1_link_min_mtu(void)
 	{
 	return (g_probable_mtu[(sizeof(g_probable_mtu) / 
 		sizeof(g_probable_mtu[0])) - 1]);
 	}
 
-static unsigned int 
-dtls1_guess_mtu(unsigned int curr_mtu)
+unsigned int
+dtls1_min_mtu(SSL *s)
 	{
-	unsigned int i;
-
-	if ( curr_mtu == 0 )
-		return g_probable_mtu[0] ;
-
-	for ( i = 0; i < sizeof(g_probable_mtu)/sizeof(g_probable_mtu[0]); i++)
-		if ( curr_mtu > g_probable_mtu[i])
-			return g_probable_mtu[i];
-
-	return curr_mtu;
+	return dtls1_link_min_mtu()-BIO_dgram_get_mtu_overhead(SSL_get_wbio(s));
 	}
 
+
 void
 dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
 	{
@@ -1489,6 +1518,9 @@ dtls1_process_heartbeat(SSL *s)
 	/* Read type and payload length first */
 	if (1 + 2 + 16 > s->s3->rrec.length)
 		return 0; /* silently discard */
+	if (s->s3->rrec.length > SSL3_RT_MAX_PLAIN_LENGTH)
+		return 0; /* silently discard per RFC 6520 sec. 4 */
+
 	hbtype = *p++;
 	n2s(p, payload);
 	if (1 + 2 + payload + 16 > s->s3->rrec.length)
diff --git a/crypto/openssl/ssl/d1_clnt.c b/crypto/openssl/ssl/d1_clnt.c
index 6493796ad13b..9045fb9902f5 100644
--- a/crypto/openssl/ssl/d1_clnt.c
+++ b/crypto/openssl/ssl/d1_clnt.c
@@ -249,6 +249,9 @@ int dtls1_connect(SSL *s)
 			memset(s->s3->client_random,0,sizeof(s->s3->client_random));
 			s->d1->send_cookie = 0;
 			s->hit = 0;
+			s->d1->change_cipher_spec_ok = 0;
+			/* Should have been reset by ssl3_get_finished, too. */
+			s->s3->change_cipher_spec = 0;
 			break;
 
 #ifndef OPENSSL_NO_SCTP
@@ -370,20 +373,6 @@ int dtls1_connect(SSL *s)
 
 		case SSL3_ST_CR_CERT_A:
 		case SSL3_ST_CR_CERT_B:
-#ifndef OPENSSL_NO_TLSEXT
-			ret=ssl3_check_finished(s);
-			if (ret <= 0) goto end;
-			if (ret == 2)
-				{
-				s->hit = 1;
-				if (s->tlsext_ticket_expected)
-					s->state=SSL3_ST_CR_SESSION_TICKET_A;
-				else
-					s->state=SSL3_ST_CR_FINISHED_A;
-				s->init_num=0;
-				break;
-				}
-#endif
 			/* Check if it is anon DH or PSK */
 			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
 			    !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
@@ -506,7 +495,6 @@ int dtls1_connect(SSL *s)
 				else
 #endif
 					s->state=SSL3_ST_CW_CHANGE_A;
-				s->s3->change_cipher_spec=0;
 				}
 
 			s->init_num=0;
@@ -527,7 +515,6 @@ int dtls1_connect(SSL *s)
 #endif
 				s->state=SSL3_ST_CW_CHANGE_A;
 			s->init_num=0;
-			s->s3->change_cipher_spec=0;
 			break;
 
 		case SSL3_ST_CW_CHANGE_A:
@@ -538,13 +525,6 @@ int dtls1_connect(SSL *s)
 				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
 			if (ret <= 0) goto end;
 
-#ifndef OPENSSL_NO_SCTP
-			/* Change to new shared key of SCTP-Auth,
-			 * will be ignored if no SCTP used.
-			 */
-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
-#endif
-
 			s->state=SSL3_ST_CW_FINISHED_A;
 			s->init_num=0;
 
@@ -571,6 +551,16 @@ int dtls1_connect(SSL *s)
 				goto end;
 				}
 			
+#ifndef OPENSSL_NO_SCTP
+				if (s->hit)
+					{
+					/* Change to new shared key of SCTP-Auth,
+					 * will be ignored if no SCTP used.
+					 */
+					BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+					}
+#endif
+
 			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
 			break;
 
@@ -613,6 +603,13 @@ int dtls1_connect(SSL *s)
 				}
 			else
 				{
+#ifndef OPENSSL_NO_SCTP
+				/* Change to new shared key of SCTP-Auth,
+				 * will be ignored if no SCTP used.
+				 */
+				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+#endif
+
 #ifndef OPENSSL_NO_TLSEXT
 				/* Allow NewSessionTicket if ticket expected */
 				if (s->tlsext_ticket_expected)
@@ -773,7 +770,7 @@ int dtls1_client_hello(SSL *s)
 	unsigned char *buf;
 	unsigned char *p,*d;
 	unsigned int i,j;
-	unsigned long Time,l;
+	unsigned long l;
 	SSL_COMP *comp;
 
 	buf=(unsigned char *)s->init_buf->data;
@@ -798,13 +795,11 @@ int dtls1_client_hello(SSL *s)
 
 		/* if client_random is initialized, reuse it, we are
 		 * required to use same upon reply to HelloVerify */
-		for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
+		for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++)
+			;
 		if (i==sizeof(s->s3->client_random))
-			{
-			Time=(unsigned long)time(NULL);	/* Time */
-			l2n(Time,p);
-			RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4);
-			}
+			ssl_fill_hello_random(s, 0, p,
+					      sizeof(s->s3->client_random));
 
 		/* Do the message type and length last */
 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
@@ -868,12 +863,18 @@ int dtls1_client_hello(SSL *s)
 		*(p++)=0; /* Add the NULL method */
 
 #ifndef OPENSSL_NO_TLSEXT
+		/* TLS extensions*/
+		if (ssl_prepare_clienthello_tlsext(s) <= 0)
+			{
+			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+			goto err;
+			}
 		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 			{
 			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
 			goto err;
 			}
-#endif		
+#endif
 
 		l=(p-d);
 		d=buf;
@@ -1716,6 +1717,12 @@ int dtls1_send_client_certificate(SSL *s)
 		s->state=SSL3_ST_CW_CERT_D;
 		l=dtls1_output_cert_chain(s,
 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+		if (!l)
+			{
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+			return 0;
+			}
 		s->init_num=(int)l;
 		s->init_off=0;
 
diff --git a/crypto/openssl/ssl/d1_enc.c b/crypto/openssl/ssl/d1_enc.c
index 712c4647f24c..3da2b4c8c2a7 100644
--- a/crypto/openssl/ssl/d1_enc.c
+++ b/crypto/openssl/ssl/d1_enc.c
@@ -241,7 +241,8 @@ int dtls1_enc(SSL *s, int send)
 				return 0;
 			}
 		
-		EVP_Cipher(ds,rec->data,rec->input,l);
+		if(EVP_Cipher(ds,rec->data,rec->input,l) < 1)
+			return -1;
 
 #ifdef KSSL_DEBUG
 		{
diff --git a/crypto/openssl/ssl/d1_lib.c b/crypto/openssl/ssl/d1_lib.c
index 43d3d9ee4b29..14337b31a4e9 100644
--- a/crypto/openssl/ssl/d1_lib.c
+++ b/crypto/openssl/ssl/d1_lib.c
@@ -113,6 +113,9 @@ int dtls1_new(SSL *s)
 		d1->cookie_len = sizeof(s->d1->cookie);
 		}
 
+	d1->link_mtu = 0;
+	d1->mtu = 0;
+
 	if( ! d1->unprocessed_rcds.q || ! d1->processed_rcds.q 
         || ! d1->buffered_messages || ! d1->sent_messages || ! d1->buffered_app_data.q)
 		{
@@ -161,24 +164,25 @@ static void dtls1_clear_queues(SSL *s)
     while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
         {
         frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
+        dtls1_hm_fragment_free(frag);
         pitem_free(item);
         }
 
     while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
         {
         frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
+        dtls1_hm_fragment_free(frag);
         pitem_free(item);
         }
 
 	while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
 		{
-		frag = (hm_fragment *)item->data;
-		OPENSSL_free(frag->fragment);
-		OPENSSL_free(frag);
+		rdata = (DTLS1_RECORD_DATA *) item->data;
+		if (rdata->rbuf.buf)
+			{
+			OPENSSL_free(rdata->rbuf.buf);
+			}
+		OPENSSL_free(item->data);
 		pitem_free(item);
 		}
 	}
@@ -196,6 +200,7 @@ void dtls1_free(SSL *s)
 	pqueue_free(s->d1->buffered_app_data.q);
 
 	OPENSSL_free(s->d1);
+	s->d1 = NULL;
 	}
 
 void dtls1_clear(SSL *s)
@@ -206,6 +211,7 @@ void dtls1_clear(SSL *s)
 	pqueue sent_messages;
 	pqueue buffered_app_data;
 	unsigned int mtu;
+	unsigned int link_mtu;
 
 	if (s->d1)
 		{
@@ -215,6 +221,7 @@ void dtls1_clear(SSL *s)
 		sent_messages = s->d1->sent_messages;
 		buffered_app_data = s->d1->buffered_app_data.q;
 		mtu = s->d1->mtu;
+		link_mtu = s->d1->link_mtu;
 
 		dtls1_clear_queues(s);
 
@@ -228,6 +235,7 @@ void dtls1_clear(SSL *s)
 		if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)
 			{
 			s->d1->mtu = mtu;
+			s->d1->link_mtu = link_mtu;
 			}
 
 		s->d1->unprocessed_rcds.q = unprocessed_rcds;
@@ -272,7 +280,22 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
 		/* Just one protocol version is supported so far;
 		 * fail closed if the version is not as expected. */
 		return s->version == DTLS_MAX_VERSION;
-
+	case DTLS_CTRL_SET_LINK_MTU:
+		if (larg < (long)dtls1_link_min_mtu())
+			return 0;
+		s->d1->link_mtu = larg;
+		return 1;
+	case DTLS_CTRL_GET_LINK_MIN_MTU:
+		return (long)dtls1_link_min_mtu();
+	case SSL_CTRL_SET_MTU:
+		/*
+		 *  We may not have a BIO set yet so can't call dtls1_min_mtu()
+		 *  We'll have to make do with dtls1_link_min_mtu() and max overhead
+		 */
+		if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD)
+			return 0;
+		s->d1->mtu = larg;
+		return larg;
 	default:
 		ret = ssl3_ctrl(s, cmd, larg, parg);
 		break;
@@ -411,12 +434,17 @@ void dtls1_stop_timer(SSL *s)
 
 int dtls1_check_timeout_num(SSL *s)
 	{
+	unsigned int mtu;
+
 	s->d1->timeout.num_alerts++;
 
 	/* Reduce MTU after 2 unsuccessful retransmissions */
-	if (s->d1->timeout.num_alerts > 2)
+	if (s->d1->timeout.num_alerts > 2
+			&& !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
 		{
-		s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);		
+		mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
+		if(mtu < s->d1->mtu)
+			s->d1->mtu = mtu;
 		}
 
 	if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
diff --git a/crypto/openssl/ssl/d1_pkt.c b/crypto/openssl/ssl/d1_pkt.c
index 2a07d966a1fe..0059fe2f152d 100644
--- a/crypto/openssl/ssl/d1_pkt.c
+++ b/crypto/openssl/ssl/d1_pkt.c
@@ -855,6 +855,12 @@ start:
 			}
 		}
 
+	if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
+		{
+		rr->length = 0;
+		goto start;
+		}
+
 	/* we now have a packet which can be read and processed */
 
 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1063,6 +1069,7 @@ start:
 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
 			!s->s3->renegotiate)
 			{
+			s->d1->handshake_read_seq++;
 			s->new_session = 1;
 			ssl3_renegotiate(s);
 			if (ssl3_renegotiate_check(s))
@@ -1623,7 +1630,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 		wr->length += bs;
 		}
 
-	s->method->ssl3_enc->enc(s,1);
+	if(s->method->ssl3_enc->enc(s,1) < 1) goto err;
 
 	/* record length after mac and block padding */
 /*	if (type == SSL3_RT_APPLICATION_DATA ||
diff --git a/crypto/openssl/ssl/d1_srvr.c b/crypto/openssl/ssl/d1_srvr.c
index d1a11ad9edbd..da4c21e06a1c 100644
--- a/crypto/openssl/ssl/d1_srvr.c
+++ b/crypto/openssl/ssl/d1_srvr.c
@@ -233,6 +233,7 @@ int dtls1_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
@@ -246,6 +247,9 @@ int dtls1_accept(SSL *s)
 				}
 
 			s->init_num=0;
+			s->d1->change_cipher_spec_ok = 0;
+			/* Should have been reset by ssl3_get_finished, too. */
+			s->s3->change_cipher_spec = 0;
 
 			if (s->state != SSL_ST_RENEGOTIATE)
 				{
@@ -276,10 +280,11 @@ int dtls1_accept(SSL *s)
 		case SSL3_ST_SW_HELLO_REQ_B:
 
 			s->shutdown=0;
+			dtls1_clear_record_buffer(s);
 			dtls1_start_timer(s);
 			ret=dtls1_send_hello_request(s);
 			if (ret <= 0) goto end;
-			s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
+			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
 			s->state=SSL3_ST_SW_FLUSH;
 			s->init_num=0;
 
@@ -588,10 +593,11 @@ int dtls1_accept(SSL *s)
 				s->state = SSL3_ST_SR_CLNT_HELLO_C;
 				}
 			else {
-				/* could be sent for a DH cert, even if we
-				 * have not asked for it :-) */
-				ret=ssl3_get_client_certificate(s);
-				if (ret <= 0) goto end;
+				if (s->s3->tmp.cert_request)
+					{
+					ret=ssl3_get_client_certificate(s);
+					if (ret <= 0) goto end;
+					}
 				s->init_num=0;
 				s->state=SSL3_ST_SR_KEY_EXCH_A;
 			}
@@ -647,8 +653,14 @@ int dtls1_accept(SSL *s)
 
 		case SSL3_ST_SR_CERT_VRFY_A:
 		case SSL3_ST_SR_CERT_VRFY_B:
-
-			s->d1->change_cipher_spec_ok = 1;
+			/*
+			 * This *should* be the first time we enable CCS, but be
+			 * extra careful about surrounding code changes. We need
+			 * to set this here because we don't know if we're
+			 * expecting a CertificateVerify or not.
+			 */
+			if (!s->s3->change_cipher_spec)
+				s->d1->change_cipher_spec_ok = 1;
 			/* we should decide if we expected this one */
 			ret=ssl3_get_cert_verify(s);
 			if (ret <= 0) goto end;
@@ -664,7 +676,18 @@ int dtls1_accept(SSL *s)
 
 		case SSL3_ST_SR_FINISHED_A:
 		case SSL3_ST_SR_FINISHED_B:
-			s->d1->change_cipher_spec_ok = 1;
+			/*
+			 * Enable CCS for resumed handshakes.
+			 * In a full handshake, we end up here through
+			 * SSL3_ST_SR_CERT_VRFY_B, so change_cipher_spec_ok was
+			 * already set. Receiving a CCS clears the flag, so make
+			 * sure not to re-enable it to ban duplicates.
+			 * s->s3->change_cipher_spec is set when a CCS is
+			 * processed in d1_pkt.c, and remains set until
+			 * the client's Finished message is read.
+			 */
+			if (!s->s3->change_cipher_spec)
+				s->d1->change_cipher_spec_ok = 1;
 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
 				SSL3_ST_SR_FINISHED_B);
 			if (ret <= 0) goto end;
@@ -712,10 +735,13 @@ int dtls1_accept(SSL *s)
 			if (ret <= 0) goto end;
 
 #ifndef OPENSSL_NO_SCTP
-			/* Change to new shared key of SCTP-Auth,
-			 * will be ignored if no SCTP used.
-			 */
-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+			if (!s->hit)
+				{
+				/* Change to new shared key of SCTP-Auth,
+				 * will be ignored if no SCTP used.
+				 */
+				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+				}
 #endif
 
 			s->state=SSL3_ST_SW_FINISHED_A;
@@ -740,7 +766,16 @@ int dtls1_accept(SSL *s)
 			if (ret <= 0) goto end;
 			s->state=SSL3_ST_SW_FLUSH;
 			if (s->hit)
+				{
 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+
+#ifndef OPENSSL_NO_SCTP
+				/* Change to new shared key of SCTP-Auth,
+				 * will be ignored if no SCTP used.
+				 */
+				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+#endif
+				}
 			else
 				{
 				s->s3->tmp.next_state=SSL_ST_OK;
@@ -903,15 +938,13 @@ int dtls1_send_server_hello(SSL *s)
 	unsigned char *p,*d;
 	int i;
 	unsigned int sl;
-	unsigned long l,Time;
+	unsigned long l;
 
 	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
 		{
 		buf=(unsigned char *)s->init_buf->data;
 		p=s->s3->server_random;
-		Time=(unsigned long)time(NULL);			/* Time */
-		l2n(Time,p);
-		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
+		ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE);
 		/* Do the message type and length last */
 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
 
@@ -960,6 +993,11 @@ int dtls1_send_server_hello(SSL *s)
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
+		if (ssl_prepare_serverhello_tlsext(s) <= 0)
+			{
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
+			return -1;
+			}
 		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 			{
 			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
@@ -1336,6 +1374,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 			    (unsigned char *)encodedPoint, 
 			    encodedlen);
 			OPENSSL_free(encodedPoint);
+			encodedPoint = NULL;
 			p += encodedlen;
 			}
 #endif
@@ -1577,6 +1616,11 @@ int dtls1_send_server_certificate(SSL *s)
 			}
 
 		l=dtls1_output_cert_chain(s,x);
+		if (!l)
+			{
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			return(0);
+			}
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
diff --git a/crypto/openssl/ssl/dtls1.h b/crypto/openssl/ssl/dtls1.h
index 192c5deff98a..338575268f9e 100644
--- a/crypto/openssl/ssl/dtls1.h
+++ b/crypto/openssl/ssl/dtls1.h
@@ -117,6 +117,9 @@ extern "C" {
 #define DTLS1_SCTP_AUTH_LABEL	"EXPORTER_DTLS_OVER_SCTP"
 #endif
 
+/* Max MTU overhead we know about so far is 40 for IPv6 + 8 for UDP */
+#define DTLS1_MAX_MTU_OVERHEAD                   48
+
 typedef struct dtls1_bitmap_st
 	{
 	unsigned long map;		/* track 32 packets on 32-bit systems
@@ -231,6 +234,7 @@ typedef struct dtls1_state_st
 	/* Is set when listening for new connections with dtls1_listen() */
 	unsigned int listen;
 
+	unsigned int link_mtu; /* max on-the-wire DTLS packet size */
 	unsigned int mtu; /* max DTLS packet size */
 
 	struct hm_header_st w_msg_hdr;
@@ -252,6 +256,10 @@ typedef struct dtls1_state_st
 	unsigned int handshake_fragment_len;
 
 	unsigned int retransmitting;
+	/*
+	 * Set when the handshake is ready to process peer's ChangeCipherSpec message.
+	 * Cleared after the message has been processed.
+	 */
 	unsigned int change_cipher_spec_ok;
 
 #ifndef OPENSSL_NO_SCTP
diff --git a/crypto/openssl/ssl/heartbeat_test.c b/crypto/openssl/ssl/heartbeat_test.c
new file mode 100644
index 000000000000..de9d39761ef8
--- /dev/null
+++ b/crypto/openssl/ssl/heartbeat_test.c
@@ -0,0 +1,466 @@
+/* test/heartbeat_test.c */
+/*
+ * Unit test for TLS heartbeats.
+ *
+ * Acts as a regression test against the Heartbleed bug (CVE-2014-0160).
+ *
+ * Author:  Mike Bland (mbland@acm.org, http://mike-bland.com/)
+ * Date:    2014-04-12
+ * License: Creative Commons Attribution 4.0 International (CC By 4.0)
+ *          http://creativecommons.org/licenses/by/4.0/deed.en_US
+ *
+ * OUTPUT
+ * ------
+ * The program returns zero on success. It will print a message with a count
+ * of the number of failed tests and return nonzero if any tests fail.
+ *
+ * It will print the contents of the request and response buffers for each
+ * failing test. In a "fixed" version, all the tests should pass and there
+ * should be no output.
+ *
+ * In a "bleeding" version, you'll see:
+ *
+ *   test_dtls1_heartbleed failed:
+ *     expected payload len: 0
+ *     received: 1024
+ *   sent 26 characters
+ *     "HEARTBLEED                "
+ *   received 1024 characters
+ *     "HEARTBLEED                \xde\xad\xbe\xef..."
+ *   ** test_dtls1_heartbleed failed **
+ *
+ * The contents of the returned buffer in the failing test will depend on the
+ * contents of memory on your machine.
+ *
+ * MORE INFORMATION
+ * ----------------
+ * http://mike-bland.com/2014/04/12/heartbleed.html
+ * http://mike-bland.com/tags/heartbleed.html
+ */
+
+#define OPENSSL_UNIT_TEST
+
+#include "../test/testutil.h"
+
+#include "../ssl/ssl_locl.h"
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if !defined(OPENSSL_NO_HEARTBEATS) && !defined(OPENSSL_NO_UNIT_TEST)
+
+/* As per https://tools.ietf.org/html/rfc6520#section-4 */
+#define MIN_PADDING_SIZE	16
+
+/* Maximum number of payload characters to print as test output */
+#define MAX_PRINTABLE_CHARACTERS	1024
+
+typedef struct heartbeat_test_fixture
+	{
+	SSL_CTX *ctx;
+	SSL *s;
+	const char* test_case_name;
+	int (*process_heartbeat)(SSL* s);
+	unsigned char* payload;
+	int sent_payload_len;
+	int expected_return_value;
+	int return_payload_offset;
+	int expected_payload_len;
+	const char* expected_return_payload;
+	} HEARTBEAT_TEST_FIXTURE;
+
+static HEARTBEAT_TEST_FIXTURE set_up(const char* const test_case_name,
+	const SSL_METHOD* meth)
+	{
+	HEARTBEAT_TEST_FIXTURE fixture;
+	int setup_ok = 1;
+	memset(&fixture, 0, sizeof(fixture));
+	fixture.test_case_name = test_case_name;
+
+	fixture.ctx = SSL_CTX_new(meth);
+	if (!fixture.ctx)
+		{
+		fprintf(stderr, "Failed to allocate SSL_CTX for test: %s\n",
+			test_case_name);
+		setup_ok = 0;
+		goto fail;
+		}
+
+	fixture.s = SSL_new(fixture.ctx);
+	if (!fixture.s)
+		{
+		fprintf(stderr, "Failed to allocate SSL for test: %s\n", test_case_name);
+		setup_ok = 0;
+		goto fail;
+		}
+
+	if (!ssl_init_wbio_buffer(fixture.s, 1))
+		{
+		fprintf(stderr, "Failed to set up wbio buffer for test: %s\n",
+			test_case_name);
+		setup_ok = 0;
+		goto fail;
+		}
+
+	if (!ssl3_setup_buffers(fixture.s))
+		{
+		fprintf(stderr, "Failed to setup buffers for test: %s\n",
+			test_case_name);
+		setup_ok = 0;
+		goto fail;
+		}
+
+	/* Clear the memory for the return buffer, since this isn't automatically
+	 * zeroed in opt mode and will cause spurious test failures that will change
+	 * with each execution.
+	 */
+	memset(fixture.s->s3->wbuf.buf, 0, fixture.s->s3->wbuf.len);
+
+	fail:
+	if (!setup_ok)
+		{
+		ERR_print_errors_fp(stderr);
+		exit(EXIT_FAILURE);
+		}
+	return fixture;
+	}
+
+static HEARTBEAT_TEST_FIXTURE set_up_dtls(const char* const test_case_name)
+	{
+	HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
+		DTLSv1_server_method());
+	fixture.process_heartbeat = dtls1_process_heartbeat;
+
+	/* As per dtls1_get_record(), skipping the following from the beginning of
+	 * the returned heartbeat message:
+	 * type-1 byte; version-2 bytes; sequence number-8 bytes; length-2 bytes
+	 *
+	 * And then skipping the 1-byte type encoded by process_heartbeat for
+	 * a total of 14 bytes, at which point we can grab the length and the
+	 * payload we seek.
+	 */
+	fixture.return_payload_offset = 14;
+	return fixture;
+	}
+
+/* Needed by ssl3_write_bytes() */
+static int dummy_handshake(SSL* s)
+	{
+	return 1;
+	}
+
+static HEARTBEAT_TEST_FIXTURE set_up_tls(const char* const test_case_name)
+	{
+	HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
+		TLSv1_server_method());
+	fixture.process_heartbeat = tls1_process_heartbeat;
+	fixture.s->handshake_func = dummy_handshake;
+
+	/* As per do_ssl3_write(), skipping the following from the beginning of
+	 * the returned heartbeat message:
+	 * type-1 byte; version-2 bytes; length-2 bytes
+	 *
+	 * And then skipping the 1-byte type encoded by process_heartbeat for
+	 * a total of 6 bytes, at which point we can grab the length and the payload
+	 * we seek.
+	 */
+	fixture.return_payload_offset = 6;
+	return fixture;
+	}
+
+static void tear_down(HEARTBEAT_TEST_FIXTURE fixture)
+	{
+	ERR_print_errors_fp(stderr);
+	SSL_free(fixture.s);
+	SSL_CTX_free(fixture.ctx);
+	}
+
+static void print_payload(const char* const prefix,
+		const unsigned char *payload, const int n)
+	{
+	const int end = n < MAX_PRINTABLE_CHARACTERS ? n
+	    : MAX_PRINTABLE_CHARACTERS;
+	int i = 0;
+
+	printf("%s %d character%s", prefix, n, n == 1 ? "" : "s");
+	if (end != n) printf(" (first %d shown)", end);
+	printf("\n  \"");
+
+	for (; i != end; ++i)
+		{
+		const unsigned char c = payload[i];
+		if (isprint(c)) fputc(c, stdout);
+		else printf("\\x%02x", c);
+		}
+	printf("\"\n");
+	}
+
+static int execute_heartbeat(HEARTBEAT_TEST_FIXTURE fixture)
+	{
+	int result = 0;
+	SSL* s = fixture.s;
+	unsigned char *payload = fixture.payload;
+	unsigned char sent_buf[MAX_PRINTABLE_CHARACTERS + 1];
+	int return_value;
+	unsigned const char *p;
+	int actual_payload_len;
+
+	s->s3->rrec.data = payload;
+	s->s3->rrec.length = strlen((const char*)payload);
+	*payload++ = TLS1_HB_REQUEST;
+	s2n(fixture.sent_payload_len, payload);
+
+	/* Make a local copy of the request, since it gets overwritten at some
+	 * point */
+	memcpy((char *)sent_buf, (const char*)payload, sizeof(sent_buf));
+
+	return_value = fixture.process_heartbeat(s);
+
+	if (return_value != fixture.expected_return_value)
+		{
+		printf("%s failed: expected return value %d, received %d\n",
+					 fixture.test_case_name, fixture.expected_return_value,
+					 return_value);
+		result = 1;
+		}
+
+	/* If there is any byte alignment, it will be stored in wbuf.offset. */
+	p = &(s->s3->wbuf.buf[
+			fixture.return_payload_offset + s->s3->wbuf.offset]);
+	actual_payload_len = 0;
+	n2s(p, actual_payload_len);
+
+	if (actual_payload_len != fixture.expected_payload_len)
+		{
+		printf("%s failed:\n  expected payload len: %d\n  received: %d\n",
+					 fixture.test_case_name, fixture.expected_payload_len,
+					 actual_payload_len);
+		print_payload("sent", sent_buf, strlen((const char*)sent_buf));
+		print_payload("received", p, actual_payload_len);
+		result = 1;
+		}
+	else
+		{
+		char* actual_payload = BUF_strndup((const char*)p, actual_payload_len);
+		if (strcmp(actual_payload, fixture.expected_return_payload) != 0)
+			{
+			printf("%s failed:\n  expected payload: \"%s\"\n  received: \"%s\"\n",
+						 fixture.test_case_name, fixture.expected_return_payload,
+						 actual_payload);
+			result = 1;
+			}
+		OPENSSL_free(actual_payload);
+		}
+
+	if (result != 0)
+		{
+		printf("** %s failed **\n--------\n", fixture.test_case_name);
+		}
+	return result;
+	}
+
+static int honest_payload_size(unsigned char payload_buf[])
+	{
+	/* Omit three-byte pad at the beginning for type and payload length */
+	return strlen((const char*)&payload_buf[3]) - MIN_PADDING_SIZE;
+	}
+
+#define SETUP_HEARTBEAT_TEST_FIXTURE(type)\
+  SETUP_TEST_FIXTURE(HEARTBEAT_TEST_FIXTURE, set_up_##type)
+
+#define EXECUTE_HEARTBEAT_TEST()\
+  EXECUTE_TEST(execute_heartbeat, tear_down)
+
+static int test_dtls1_not_bleeding()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Three-byte pad at the beginning for type and payload length */
+	unsigned char payload_buf[] = "   Not bleeding, sixteen spaces of padding"
+		"                ";
+	const int payload_buf_len = honest_payload_size(payload_buf);
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = payload_buf_len;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = payload_buf_len;
+	fixture.expected_return_payload = "Not bleeding, sixteen spaces of padding";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_dtls1_not_bleeding_empty_payload()
+	{
+	int payload_buf_len;
+
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Three-byte pad at the beginning for type and payload length, plus a NUL
+	 * at the end */
+	unsigned char payload_buf[4 + MIN_PADDING_SIZE];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+	payload_buf_len = honest_payload_size(payload_buf);
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = payload_buf_len;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = payload_buf_len;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_dtls1_heartbleed()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Three-byte pad at the beginning for type and payload length */
+	unsigned char payload_buf[] = "   HEARTBLEED                ";
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_dtls1_heartbleed_empty_payload()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Excluding the NUL at the end, one byte short of type + payload length +
+	 * minimum padding */
+	unsigned char payload_buf[MIN_PADDING_SIZE + 3];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_dtls1_heartbleed_excessive_plaintext_length()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Excluding the NUL at the end, one byte in excess of maximum allowed
+	 * heartbeat message length */
+	unsigned char payload_buf[SSL3_RT_MAX_PLAIN_LENGTH + 2];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = honest_payload_size(payload_buf);
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_tls1_not_bleeding()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+	/* Three-byte pad at the beginning for type and payload length */
+	unsigned char payload_buf[] = "   Not bleeding, sixteen spaces of padding"
+					"                ";
+	const int payload_buf_len = honest_payload_size(payload_buf);
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = payload_buf_len;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = payload_buf_len;
+	fixture.expected_return_payload = "Not bleeding, sixteen spaces of padding";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_tls1_not_bleeding_empty_payload()
+	{
+	int payload_buf_len;
+
+	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+	/* Three-byte pad at the beginning for type and payload length, plus a NUL
+	 * at the end */
+	unsigned char payload_buf[4 + MIN_PADDING_SIZE];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+	payload_buf_len = honest_payload_size(payload_buf);
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = payload_buf_len;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = payload_buf_len;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_tls1_heartbleed()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+	/* Three-byte pad at the beginning for type and payload length */
+	unsigned char payload_buf[] = "   HEARTBLEED                ";
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_tls1_heartbleed_empty_payload()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+	/* Excluding the NUL at the end, one byte short of type + payload length +
+	 * minimum padding */
+	unsigned char payload_buf[MIN_PADDING_SIZE + 3];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+#undef EXECUTE_HEARTBEAT_TEST
+#undef SETUP_HEARTBEAT_TEST_FIXTURE
+
+int main(int argc, char *argv[])
+	{
+	int num_failed;
+
+	SSL_library_init();
+	SSL_load_error_strings();
+
+	num_failed = test_dtls1_not_bleeding() +
+	    test_dtls1_not_bleeding_empty_payload() +
+	    test_dtls1_heartbleed() +
+	    test_dtls1_heartbleed_empty_payload() +
+	    /* The following test causes an assertion failure at
+	     * ssl/d1_pkt.c:dtls1_write_bytes() in versions prior to 1.0.1g: */
+	    (OPENSSL_VERSION_NUMBER >= 0x1000107fL ?
+	     test_dtls1_heartbleed_excessive_plaintext_length() : 0) +
+	    test_tls1_not_bleeding() +
+	    test_tls1_not_bleeding_empty_payload() +
+	    test_tls1_heartbleed() +
+	    test_tls1_heartbleed_empty_payload() +
+	    0;
+
+	ERR_print_errors_fp(stderr);
+
+	if (num_failed != 0)
+		{
+		printf("%d test%s failed\n", num_failed, num_failed != 1 ? "s" : "");
+		return EXIT_FAILURE;
+		}
+	return EXIT_SUCCESS;
+	}
+
+#else /* OPENSSL_NO_HEARTBEATS*/
+
+int main(int argc, char *argv[])
+	{
+		return EXIT_SUCCESS;
+	}
+#endif /* OPENSSL_NO_HEARTBEATS */
diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c
index fd7c67bb1fcb..950a0c56f1a9 100644
--- a/crypto/openssl/ssl/kssl.c
+++ b/crypto/openssl/ssl/kssl.c
@@ -954,15 +954,15 @@ print_krb5_data(char *label, krb5_data *kdata)
         {
 	int i;
 
-	printf("%s[%d] ", label, kdata->length);
+	fprintf(stderr,"%s[%d] ", label, kdata->length);
 	for (i=0; i < (int)kdata->length; i++)
                 {
 		if (0 &&  isprint((int) kdata->data[i]))
-                        printf(	"%c ",  kdata->data[i]);
+                        fprintf(stderr,	"%c ",  kdata->data[i]);
 		else
-                        printf(	"%02x ", (unsigned char) kdata->data[i]);
+                        fprintf(stderr,	"%02x ", (unsigned char) kdata->data[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
         }
 
 
@@ -973,20 +973,20 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
         {
 	if (adata == NULL)
                 {
-		printf("%s, authdata==0\n", label);
+		fprintf(stderr,"%s, authdata==0\n", label);
 		return;
 		}
-	printf("%s [%p]\n", label, (void *)adata);
+	fprintf(stderr,"%s [%p]\n", label, (void *)adata);
 #if 0
 	{
         int 	i;
-	printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
+	fprintf(stderr,"%s[at%d:%d] ", label, adata->ad_type, adata->length);
 	for (i=0; i < adata->length; i++)
                 {
-                printf((isprint(adata->contents[i]))? "%c ": "%02x",
+                fprintf(stderr,(isprint(adata->contents[i]))? "%c ": "%02x",
                         adata->contents[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 	}
 #endif
 	}
@@ -1001,24 +1001,24 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 
 	if (keyblk == NULL)
                 {
-		printf("%s, keyblk==0\n", label);
+		fprintf(stderr,"%s, keyblk==0\n", label);
 		return;
 		}
 #ifdef KRB5_HEIMDAL
-	printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
+	fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->keytype,
 					   keyblk->keyvalue->length);
 	for (i=0; i < (int)keyblk->keyvalue->length; i++)
                 {
-		printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
+		fprintf(stderr,"%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 #else
-	printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
+	fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
 	for (i=0; i < (int)keyblk->length; i++)
                 {
-		printf("%02x",keyblk->contents[i]);
+		fprintf(stderr,"%02x",keyblk->contents[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 #endif
         }
 
@@ -1031,17 +1031,17 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
         {
 	int i, ui, uj;
 
-	printf("%s principal Realm: ", label);
+	fprintf(stderr,"%s principal Realm: ", label);
 	if (princ == NULL)  return;
 	for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
-	printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
+	fprintf(stderr," (nametype %d) has %d strings:\n", princ->type,princ->length);
 	for (i=0; i < (int)princ->length; i++)
                 {
-		printf("\t%d [%d]: ", i, princ->data[i].length);
+		fprintf(stderr,"\t%d [%d]: ", i, princ->data[i].length);
 		for (uj=0; uj < (int)princ->data[i].length; uj++)  {
 			putchar(princ->data[i].data[uj]);
 			}
-		printf("\n");
+		fprintf(stderr,"\n");
 		}
 	return;
         }
@@ -1332,7 +1332,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 		}
 
 #ifdef KSSL_DEBUG
-	printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
+	fprintf(stderr,"in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
 #endif	/* KSSL_DEBUG */
 
 	if (!krb5context  &&  (krb5rc = krb5_init_context(&krb5context)))
@@ -1481,18 +1481,18 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 #ifdef KSSL_DEBUG
 		{
 		int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
-		printf("Decrypted ticket fields:\n");
-		printf("\tflags: %X, transit-type: %X",
+		fprintf(stderr,"Decrypted ticket fields:\n");
+		fprintf(stderr,"\tflags: %X, transit-type: %X",
 			krb5ticket->enc_part2->flags,
 			krb5ticket->enc_part2->transited.tr_type);
 		print_krb5_data("\ttransit-data: ",
 			&(krb5ticket->enc_part2->transited.tr_contents));
-		printf("\tcaddrs: %p, authdata: %p\n",
+		fprintf(stderr,"\tcaddrs: %p, authdata: %p\n",
 			krb5ticket->enc_part2->caddrs,
 			krb5ticket->enc_part2->authorization_data);
 		if (paddr)
 			{
-			printf("\tcaddrs:\n");
+			fprintf(stderr,"\tcaddrs:\n");
 			for (i=0; paddr[i] != NULL; i++)
 				{
 				krb5_data d;
@@ -1501,7 +1501,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 				print_krb5_data("\t\tIP: ", &d);
 				}
 			}
-		printf("\tstart/auth/end times: %d / %d / %d\n",
+		fprintf(stderr,"\tstart/auth/end times: %d / %d / %d\n",
 			krb5ticket->enc_part2->times.starttime,
 			krb5ticket->enc_part2->times.authtime,
 			krb5ticket->enc_part2->times.endtime);
@@ -1976,7 +1976,7 @@ krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 	if ((now - ttimes->endtime) > skew)  return SSL_R_KRB5_S_TKT_EXPIRED;
 
 #ifdef KSSL_DEBUG
-	printf("kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
+	fprintf(stderr,"kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
 		start, atime, now, skew, ttimes->endtime);
 #endif	/* KSSL_DEBUG */
 
@@ -2027,10 +2027,10 @@ krb5_error_code  kssl_check_authent(
 #ifdef KSSL_DEBUG
         {
         unsigned int ui;
-	printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
+	fprintf(stderr,"kssl_check_authent: authenticator[%d]:\n",authentp->length);
 	p = authentp->data; 
-	for (ui=0; ui < authentp->length; ui++)  printf("%02x ",p[ui]);
-	printf("\n");
+	for (ui=0; ui < authentp->length; ui++)  fprintf(stderr,"%02x ",p[ui]);
+	fprintf(stderr,"\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -2095,9 +2095,9 @@ krb5_error_code  kssl_check_authent(
 #ifdef KSSL_DEBUG
 	{
 	int padl;
-	printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
-	for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]);
-	printf("\n");
+	fprintf(stderr,"kssl_check_authent: decrypted authenticator[%d] =\n", outl);
+	for (padl=0; padl < outl; padl++) fprintf(stderr,"%02x ",unenc_authent[padl]);
+	fprintf(stderr,"\n");
 	}
 #endif	/* KSSL_DEBUG */
 
@@ -2132,10 +2132,10 @@ krb5_error_code  kssl_check_authent(
  		}
 
 #ifdef KSSL_DEBUG
-	printf("kssl_check_authent: returns %d for client time ", *atimep);
+	fprintf(stderr,"kssl_check_authent: returns %d for client time ", *atimep);
 	if (auth && auth->ctime && auth->ctime->length && auth->ctime->data)
-		printf("%.*s\n", auth->ctime->length, auth->ctime->data);
-	else	printf("NULL\n");
+		fprintf(stderr,"%.*s\n", auth->ctime->length, auth->ctime->data);
+	else	fprintf(stderr,"NULL\n");
 #endif	/* KSSL_DEBUG */
 
  err:
diff --git a/crypto/openssl/ssl/kssl.h b/crypto/openssl/ssl/kssl.h
index 8242fd5eeb65..e4df84307313 100644
--- a/crypto/openssl/ssl/kssl.h
+++ b/crypto/openssl/ssl/kssl.h
@@ -70,6 +70,15 @@
 #include <stdio.h>
 #include <ctype.h>
 #include <krb5.h>
+#ifdef OPENSSL_SYS_WIN32
+/* These can sometimes get redefined indirectly by krb5 header files
+ * after they get undefed in ossl_typ.h
+ */
+#undef X509_NAME
+#undef X509_EXTENSIONS
+#undef OCSP_REQUEST
+#undef OCSP_RESPONSE
+#endif
 
 #ifdef  __cplusplus
 extern "C" {
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index 617f70e76006..86ab3de1c123 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -271,12 +271,35 @@ static int ssl23_no_ssl2_ciphers(SSL *s)
 	return 1;
 	}
 
+/* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0
+ * on failure, 1 on success. */
+int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
+	{
+	int send_time = 0;
+
+	if (len < 4)
+		return 0;
+	if (server)
+		send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
+	else
+		send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
+	if (send_time)
+		{
+		unsigned long Time = (unsigned long)time(NULL);
+		unsigned char *p = result;
+		l2n(Time, p);
+		return RAND_pseudo_bytes(p, len-4);
+		}
+	else
+		return RAND_pseudo_bytes(result, len);
+	}
+
 static int ssl23_client_hello(SSL *s)
 	{
 	unsigned char *buf;
 	unsigned char *p,*d;
 	int i,ch_len;
-	unsigned long Time,l;
+	unsigned long l;
 	int ssl2_compat;
 	int version = 0, version_major, version_minor;
 #ifndef OPENSSL_NO_COMP
@@ -357,9 +380,7 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
 		p=s->s3->client_random;
-		Time=(unsigned long)time(NULL);		/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+		if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
 			return -1;
 
 		if (version == TLS1_2_VERSION)
diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c
index 3bf728318a4c..f3c29d1dde61 100644
--- a/crypto/openssl/ssl/s23_lib.c
+++ b/crypto/openssl/ssl/s23_lib.c
@@ -107,6 +107,13 @@ int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 	long l;
 
 	/* We can write SSLv2 and SSLv3 ciphers */
+	/* but no ECC ciphers */
+	if (c->algorithm_mkey == SSL_kECDHr ||
+		c->algorithm_mkey == SSL_kECDHe ||
+		c->algorithm_mkey == SSL_kEECDH ||
+		c->algorithm_auth == SSL_aECDH ||
+		c->algorithm_auth == SSL_aECDSA)
+		return 0;
 	if (p != NULL)
 		{
 		l=c->id;
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index de909b180851..3178815ec99b 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -192,6 +192,7 @@ int ssl23_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index ff3395f459e7..a35968f63a7f 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -117,8 +117,9 @@ err:
 
 /* read/writes from s->s2->mac_data using length for encrypt and 
  * decrypt.  It sets s->s2->padding and s->[rw]length
- * if we are encrypting */
-void ssl2_enc(SSL *s, int send)
+ * if we are encrypting
+ * Returns 0 on error and 1 on success */
+int ssl2_enc(SSL *s, int send)
 	{
 	EVP_CIPHER_CTX *ds;
 	unsigned long l;
@@ -136,7 +137,7 @@ void ssl2_enc(SSL *s, int send)
 		}
 
 	/* check for NULL cipher */
-	if (ds == NULL) return;
+	if (ds == NULL) return 1;
 
 
 	bs=ds->cipher->block_size;
@@ -145,7 +146,10 @@ void ssl2_enc(SSL *s, int send)
 	if (bs == 8)
 		l=(l+7)/8*8;
 
-	EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l);
+	if(EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l) < 1)
+		return 0;
+
+	return 1;
 	}
 
 void ssl2_mac(SSL *s, unsigned char *md, int send)
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index 8c9b642882eb..c63be3052b28 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={
 	SSL_SSLV2,
 	SSL_NOT_EXP|SSL_HIGH,
 	0,
-	168,
+	112,
 	168,
 	},
 
diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c
index 8bb6ab8baa33..acd61dc546af 100644
--- a/crypto/openssl/ssl/s2_pkt.c
+++ b/crypto/openssl/ssl/s2_pkt.c
@@ -265,7 +265,11 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
 		if ((!s->s2->clear_text) &&
 			(s->s2->rlength >= (unsigned int)mac_size))
 			{
-			ssl2_enc(s,0);
+			if(!ssl2_enc(s,0))
+				{
+				SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_DECRYPTION_FAILED);
+				return(-1);
+				}
 			s->s2->ract_data_length-=mac_size;
 			ssl2_mac(s,mac,0);
 			s->s2->ract_data_length-=s->s2->padding;
@@ -616,7 +620,8 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
 		s->s2->wact_data_length=len+p;
 		ssl2_mac(s,s->s2->mac_data,1);
 		s->s2->wlength+=p+mac_size;
-		ssl2_enc(s,1);
+		if(ssl2_enc(s,1) < 1)
+			return -1;
 		}
 
 	/* package up the header */
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
index 2cba426bb7ef..59ced3f3052f 100644
--- a/crypto/openssl/ssl/s2_srvr.c
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -188,13 +188,21 @@ int ssl2_accept(SSL *s)
 			s->version=SSL2_VERSION;
 			s->type=SSL_ST_ACCEPT;
 
-			buf=s->init_buf;
-			if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
-				{ ret= -1; goto end; }
-			if (!BUF_MEM_grow(buf,(int)
-				SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-				{ ret= -1; goto end; }
-			s->init_buf=buf;
+			if(s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,(int) SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+					{
+					BUF_MEM_free(buf);
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
 			s->init_num=0;
 			s->ctx->stats.sess_accept++;
 			s->handshake_func=ssl2_accept;
diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c
index ae0ee27c41aa..3581fbf4ff42 100644
--- a/crypto/openssl/ssl/s3_both.c
+++ b/crypto/openssl/ssl/s3_both.c
@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
 
 		i=s->method->ssl3_enc->final_finish_mac(s,
 			sender,slen,s->s3->tmp.finish_md);
+		if (i == 0)
+			return 0;
 		s->s3->tmp.finish_md_len = i;
 		memcpy(p, s->s3->tmp.finish_md, i);
 		p+=i;
@@ -437,6 +439,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 			goto f_err;
 			}
 		*ok=1;
+		s->state = stn;
 		s->init_msg = s->init_buf->data + 4;
 		s->init_num = (int)s->s3->tmp.message_size;
 		return s->init_num;
diff --git a/crypto/openssl/ssl/s3_cbc.c b/crypto/openssl/ssl/s3_cbc.c
index 443a31e74627..11f13adbf7c2 100644
--- a/crypto/openssl/ssl/s3_cbc.c
+++ b/crypto/openssl/ssl/s3_cbc.c
@@ -53,6 +53,7 @@
  *
  */
 
+#include "../crypto/constant_time_locl.h"
 #include "ssl_locl.h"
 
 #include <openssl/md5.h>
@@ -67,37 +68,6 @@
  * supported by TLS.) */
 #define MAX_HASH_BLOCK_SIZE 128
 
-/* Some utility functions are needed:
- *
- * These macros return the given value with the MSB copied to all the other
- * bits. They use the fact that arithmetic shift shifts-in the sign bit.
- * However, this is not ensured by the C standard so you may need to replace
- * them with something else on odd CPUs. */
-#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
-#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
-
-/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */
-static unsigned constant_time_lt(unsigned a, unsigned b)
-	{
-	a -= b;
-	return DUPLICATE_MSB_TO_ALL(a);
-	}
-
-/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
-static unsigned constant_time_ge(unsigned a, unsigned b)
-	{
-	a -= b;
-	return DUPLICATE_MSB_TO_ALL(~a);
-	}
-
-/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
-static unsigned char constant_time_eq_8(unsigned a, unsigned b)
-	{
-	unsigned c = a ^ b;
-	c--;
-	return DUPLICATE_MSB_TO_ALL_8(c);
-	}
-
 /* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
  * record in |rec| by updating |rec->length| in constant time.
  *
@@ -126,8 +96,8 @@ int ssl3_cbc_remove_padding(const SSL* s,
 	padding_length = good & (padding_length+1);
 	rec->length -= padding_length;
 	rec->type |= padding_length<<8;	/* kludge: pass padding length */
-	return (int)((good & 1) | (~good & -1));
-}
+	return constant_time_select_int(good, 1, -1);
+	}
 
 /* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
  * record in |rec| in constant time and returns 1 if the padding is valid and
@@ -208,7 +178,7 @@ int tls1_cbc_remove_padding(const SSL* s,
 
 	for (i = 0; i < to_check; i++)
 		{
-		unsigned char mask = constant_time_ge(padding_length, i);
+		unsigned char mask = constant_time_ge_8(padding_length, i);
 		unsigned char b = rec->data[rec->length-1-i];
 		/* The final |padding_length+1| bytes should all have the value
 		 * |padding_length|. Therefore the XOR should be zero. */
@@ -216,20 +186,14 @@ int tls1_cbc_remove_padding(const SSL* s,
 		}
 
 	/* If any of the final |padding_length+1| bytes had the wrong value,
-	 * one or more of the lower eight bits of |good| will be cleared. We
-	 * AND the bottom 8 bits together and duplicate the result to all the
-	 * bits. */
-	good &= good >> 4;
-	good &= good >> 2;
-	good &= good >> 1;
-	good <<= sizeof(good)*8-1;
-	good = DUPLICATE_MSB_TO_ALL(good);
-
+	 * one or more of the lower eight bits of |good| will be cleared.
+	 */
+	good = constant_time_eq(0xff, good & 0xff);
 	padding_length = good & (padding_length+1);
 	rec->length -= padding_length;
 	rec->type |= padding_length<<8;	/* kludge: pass padding length */
 
-	return (int)((good & 1) | (~good & -1));
+	return constant_time_select_int(good, 1, -1);
 	}
 
 /* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
@@ -296,8 +260,8 @@ void ssl3_cbc_copy_mac(unsigned char* out,
 	memset(rotated_mac, 0, md_size);
 	for (i = scan_start, j = 0; i < orig_len; i++)
 		{
-		unsigned char mac_started = constant_time_ge(i, mac_start);
-		unsigned char mac_ended = constant_time_ge(i, mac_end);
+		unsigned char mac_started = constant_time_ge_8(i, mac_start);
+		unsigned char mac_ended = constant_time_ge_8(i, mac_end);
 		unsigned char b = rec->data[i];
 		rotated_mac[j++] |= b & mac_started & ~mac_ended;
 		j &= constant_time_lt(j,md_size);
@@ -683,12 +647,12 @@ void ssl3_cbc_digest_record(
 				b = data[k-header_length];
 			k++;
 
-			is_past_c = is_block_a & constant_time_ge(j, c);
-			is_past_cp1 = is_block_a & constant_time_ge(j, c+1);
+			is_past_c = is_block_a & constant_time_ge_8(j, c);
+			is_past_cp1 = is_block_a & constant_time_ge_8(j, c+1);
 			/* If this is the block containing the end of the
 			 * application data, and we are at the offset for the
 			 * 0x80 value, then overwrite b with 0x80. */
-			b = (b&~is_past_c) | (0x80&is_past_c);
+                        b =  constant_time_select_8(is_past_c, 0x80, b);
 			/* If this the the block containing the end of the
 			 * application data and we're past the 0x80 value then
 			 * just write zero. */
@@ -704,7 +668,8 @@ void ssl3_cbc_digest_record(
 			if (j >= md_block_size - md_length_size)
 				{
 				/* If this is index_b, write a length byte. */
-				b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]);
+				b = constant_time_select_8(
+					is_block_b, length_bytes[j-(md_block_size-md_length_size)], b);
 				}
 			block[j] = b;
 			}
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index 741347ccfc4d..7692716988ac 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -167,9 +167,9 @@
 #include <openssl/engine.h>
 #endif
 
-static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
 
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_client_method(int ver)
 	{
 	if (ver == SSL3_VERSION)
@@ -182,6 +182,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
 			ssl_undefined_function,
 			ssl3_connect,
 			ssl3_get_client_method)
+#endif
 
 int ssl3_connect(SSL *s)
 	{
@@ -272,6 +273,9 @@ int ssl3_connect(SSL *s)
 			s->state=SSL3_ST_CW_CLNT_HELLO_A;
 			s->ctx->stats.sess_connect++;
 			s->init_num=0;
+			s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+			/* Should have been reset by ssl3_get_finished, too. */
+			s->s3->change_cipher_spec = 0;
 			break;
 
 		case SSL3_ST_CW_CLNT_HELLO_A:
@@ -312,23 +316,9 @@ int ssl3_connect(SSL *s)
 
 		case SSL3_ST_CR_CERT_A:
 		case SSL3_ST_CR_CERT_B:
-#ifndef OPENSSL_NO_TLSEXT
-			ret=ssl3_check_finished(s);
-			if (ret <= 0) goto end;
-			if (ret == 2)
-				{
-				s->hit = 1;
-				if (s->tlsext_ticket_expected)
-					s->state=SSL3_ST_CR_SESSION_TICKET_A;
-				else
-					s->state=SSL3_ST_CR_FINISHED_A;
-				s->init_num=0;
-				break;
-				}
-#endif
-			/* Check if it is anon DH/ECDH */
+			/* Check if it is anon DH/ECDH, SRP auth */
 			/* or PSK */
-			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
+			if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) &&
 			    !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
 				{
 				ret=ssl3_get_server_certificate(s);
@@ -433,12 +423,10 @@ int ssl3_connect(SSL *s)
 			else
 				{
 				s->state=SSL3_ST_CW_CHANGE_A;
-				s->s3->change_cipher_spec=0;
 				}
 			if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY)
 				{
 				s->state=SSL3_ST_CW_CHANGE_A;
-				s->s3->change_cipher_spec=0;
 				}
 
 			s->init_num=0;
@@ -450,7 +438,6 @@ int ssl3_connect(SSL *s)
 			if (ret <= 0) goto end;
 			s->state=SSL3_ST_CW_CHANGE_A;
 			s->init_num=0;
-			s->s3->change_cipher_spec=0;
 			break;
 
 		case SSL3_ST_CW_CHANGE_A:
@@ -558,7 +545,6 @@ int ssl3_connect(SSL *s)
 
 		case SSL3_ST_CR_FINISHED_A:
 		case SSL3_ST_CR_FINISHED_B:
-
 			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
 				SSL3_ST_CR_FINISHED_B);
@@ -656,7 +642,7 @@ int ssl3_client_hello(SSL *s)
 	unsigned char *buf;
 	unsigned char *p,*d;
 	int i;
-	unsigned long Time,l;
+	unsigned long l;
 #ifndef OPENSSL_NO_COMP
 	int j;
 	SSL_COMP *comp;
@@ -668,11 +654,7 @@ int ssl3_client_hello(SSL *s)
 		SSL_SESSION *sess = s->session;
 		if ((sess == NULL) ||
 			(sess->ssl_version != s->version) ||
-#ifdef OPENSSL_NO_TLSEXT
 			!sess->session_id_length ||
-#else
-			(!sess->session_id_length && !sess->tlsext_tick) ||
-#endif
 			(sess->not_resumable))
 			{
 			if (!ssl_get_new_session(s,0))
@@ -681,9 +663,8 @@ int ssl3_client_hello(SSL *s)
 		/* else use the pre-loaded session */
 
 		p=s->s3->client_random;
-		Time=(unsigned long)time(NULL);			/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+
+		if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
 			goto err;
 
 		/* Do the message type and length last */
@@ -879,6 +860,8 @@ int ssl3_get_server_hello(SSL *s)
 	memcpy(s->s3->server_random,p,SSL3_RANDOM_SIZE);
 	p+=SSL3_RANDOM_SIZE;
 
+	s->hit = 0;
+
 	/* get the session-id */
 	j= *(p++);
 
@@ -902,11 +885,12 @@ int ssl3_get_server_hello(SSL *s)
 			{
 			s->session->cipher = pref_cipher ?
 				pref_cipher : ssl_get_cipher_by_char(s, p+j);
+			s->hit = 1;
 			}
 		}
 #endif /* OPENSSL_NO_TLSEXT */
 
-	if (j != 0 && j == s->session->session_id_length
+	if (!s->hit && j != 0 && j == s->session->session_id_length
 	    && memcmp(p,s->session->session_id,j) == 0)
 	    {
 	    if(s->sid_ctx_length != s->session->sid_ctx_length
@@ -917,14 +901,13 @@ int ssl3_get_server_hello(SSL *s)
 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
 		goto f_err;
 		}
-	    s->s3->flags |= SSL3_FLAGS_CCS_OK;
 	    s->hit=1;
 	    }
-	else	/* a miss or crap from the other end */
+	/* a miss or crap from the other end */
+	if (!s->hit)
 		{
 		/* If we were trying for session-id reuse, make a new
 		 * SSL_SESSION so we don't stuff up other people */
-		s->hit=0;
 		if (s->session->session_id_length > 0)
 			{
 			if (!ssl_get_new_session(s,0))
@@ -1202,9 +1185,9 @@ int ssl3_get_server_certificate(SSL *s)
 	            ? 0 : 1;
 
 #ifdef KSSL_DEBUG
-	printf("pkey,x = %p, %p\n", pkey,x);
-	printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
-	printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
+	fprintf(stderr,"pkey,x = %p, %p\n", pkey,x);
+	fprintf(stderr,"ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
+	fprintf(stderr,"cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
 		s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
 #endif    /* KSSL_DEBUG */
 
@@ -1918,6 +1901,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 		if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
 			{
 			int num;
+			unsigned int size;
 
 			j=0;
 			q=md_buf;
@@ -1930,9 +1914,9 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 				EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
 				EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
 				EVP_DigestUpdate(&md_ctx,param,param_len);
-				EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
-				q+=i;
-				j+=i;
+				EVP_DigestFinal_ex(&md_ctx,q,&size);
+				q+=size;
+				j+=size;
 				}
 			i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
 								pkey->pkey.rsa);
@@ -1968,8 +1952,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 		}
 	else
 		{
-		if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
-			/* aNULL or kPSK do not need public keys */
+		/* aNULL, aSRP or kPSK do not need public keys */
+		if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK))
 			{
 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
 			goto err;
@@ -2191,24 +2175,13 @@ int ssl3_get_new_session_ticket(SSL *s)
 	n=s->method->ssl_get_message(s,
 		SSL3_ST_CR_SESSION_TICKET_A,
 		SSL3_ST_CR_SESSION_TICKET_B,
-		-1,
+		SSL3_MT_NEWSESSION_TICKET,
 		16384,
 		&ok);
 
 	if (!ok)
 		return((int)n);
 
-	if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
-		{
-		s->s3->tmp.reuse_message=1;
-		return(1);
-		}
-	if (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET)
-		{
-		al=SSL_AD_UNEXPECTED_MESSAGE;
-		SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_BAD_MESSAGE_TYPE);
-		goto f_err;
-		}
 	if (n < 6)
 		{
 		/* need at least ticket_lifetime_hint + ticket length */
@@ -2240,7 +2213,7 @@ int ssl3_get_new_session_ticket(SSL *s)
 		}
 	memcpy(s->session->tlsext_tick, p, ticklen);
 	s->session->tlsext_ticklen = ticklen;
-	/* There are two ways to detect a resumed ticket sesion.
+	/* There are two ways to detect a resumed ticket session.
 	 * One is to set an appropriate session ID and then the server
 	 * must return a match in ServerHello. This allows the normal
 	 * client session ID matching to work and we know much 
@@ -2479,7 +2452,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 			EVP_CIPHER_CTX_init(&ciph_ctx);
 
 #ifdef KSSL_DEBUG
-			printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
+			fprintf(stderr,"ssl3_send_client_key_exchange(%lx & %lx)\n",
 				alg_k, SSL_kKRB5);
 #endif	/* KSSL_DEBUG */
 
@@ -2495,9 +2468,9 @@ int ssl3_send_client_key_exchange(SSL *s)
 			    goto err;
 #ifdef KSSL_DEBUG
 			{
-			printf("kssl_cget_tkt rtn %d\n", krb5rc);
+			fprintf(stderr,"kssl_cget_tkt rtn %d\n", krb5rc);
 			if (krb5rc && kssl_err.text)
-			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
+			  fprintf(stderr,"kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
 			}
 #endif	/* KSSL_DEBUG */
 
@@ -2978,7 +2951,11 @@ int ssl3_send_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_PSK
 		else if (alg_k & SSL_kPSK)
 			{
-			char identity[PSK_MAX_IDENTITY_LEN];
+			/* The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes
+			 * to return a \0-terminated identity. The last byte
+			 * is for us for simulating strnlen. */
+			char identity[PSK_MAX_IDENTITY_LEN + 2];
+			size_t identity_len;
 			unsigned char *t = NULL;
 			unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
 			unsigned int pre_ms_len = 0, psk_len = 0;
@@ -2992,8 +2969,9 @@ int ssl3_send_client_key_exchange(SSL *s)
 				goto err;
 				}
 
+			memset(identity, 0, sizeof(identity));
 			psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
-				identity, PSK_MAX_IDENTITY_LEN,
+				identity, sizeof(identity) - 1,
 				psk_or_pre_ms, sizeof(psk_or_pre_ms));
 			if (psk_len > PSK_MAX_PSK_LEN)
 				{
@@ -3007,7 +2985,14 @@ int ssl3_send_client_key_exchange(SSL *s)
 					SSL_R_PSK_IDENTITY_NOT_FOUND);
 				goto psk_err;
 				}
-
+			identity[PSK_MAX_IDENTITY_LEN + 1] = '\0';
+			identity_len = strlen(identity);
+			if (identity_len > PSK_MAX_IDENTITY_LEN)
+				{
+				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+					ERR_R_INTERNAL_ERROR);
+				goto psk_err;
+				}
 			/* create PSK pre_master_secret */
 			pre_ms_len = 2+psk_len+2+psk_len;
 			t = psk_or_pre_ms;
@@ -3041,14 +3026,13 @@ int ssl3_send_client_key_exchange(SSL *s)
 			s->session->master_key_length =
 				s->method->ssl3_enc->generate_master_secret(s,
 					s->session->master_key,
-					psk_or_pre_ms, pre_ms_len); 
-			n = strlen(identity);
-			s2n(n, p);
-			memcpy(p, identity, n);
-			n+=2;
+					psk_or_pre_ms, pre_ms_len);
+			s2n(identity_len, p);
+			memcpy(p, identity, identity_len);
+			n = 2 + identity_len;
 			psk_err = 0;
 		psk_err:
-			OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
+			OPENSSL_cleanse(identity, sizeof(identity));
 			OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
 			if (psk_err != 0)
 				{
@@ -3315,6 +3299,12 @@ int ssl3_send_client_certificate(SSL *s)
 		s->state=SSL3_ST_CW_CERT_D;
 		l=ssl3_output_cert_chain(s,
 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+		if (!l)
+			{
+			SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+			return 0;
+			}
 		s->init_num=(int)l;
 		s->init_off=0;
 		}
@@ -3484,40 +3474,9 @@ int ssl3_send_next_proto(SSL *s)
 		}
 
 	return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
-}
+        }
 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
 
-/* Check to see if handshake is full or resumed. Usually this is just a
- * case of checking to see if a cache hit has occurred. In the case of
- * session tickets we have to check the next message to be sure.
- */
-
-#ifndef OPENSSL_NO_TLSEXT
-int ssl3_check_finished(SSL *s)
-	{
-	int ok;
-	long n;
-	/* If we have no ticket it cannot be a resumed session. */
-	if (!s->session->tlsext_tick)
-		return 1;
-	/* this function is called when we really expect a Certificate
-	 * message, so permit appropriate message length */
-	n=s->method->ssl_get_message(s,
-		SSL3_ST_CR_CERT_A,
-		SSL3_ST_CR_CERT_B,
-		-1,
-		s->max_cert_list,
-		&ok);
-	if (!ok) return((int)n);
-	s->s3->tmp.reuse_message = 1;
-	if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
-		|| (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
-		return 2;
-
-	return 1;
-	}
-#endif
-
 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
 	{
 	int i = 0;
diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
index 5cd3be3254d6..89c133e681ed 100644
--- a/crypto/openssl/ssl/s3_enc.c
+++ b/crypto/openssl/ssl/s3_enc.c
@@ -535,7 +535,8 @@ int ssl3_enc(SSL *s, int send)
 			/* otherwise, rec->length >= bs */
 			}
 		
-		EVP_Cipher(ds,rec->data,rec->input,l);
+		if(EVP_Cipher(ds,rec->data,rec->input,l) < 1)
+			return -1;
 
 		if (EVP_MD_CTX_md(s->read_hash) != NULL)
 			mac_size = EVP_MD_CTX_size(s->read_hash);
@@ -642,10 +643,18 @@ int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
 int ssl3_final_finish_mac(SSL *s, 
 	     const char *sender, int len, unsigned char *p)
 	{
-	int ret;
+	int ret, sha1len;
 	ret=ssl3_handshake_mac(s,NID_md5,sender,len,p);
+	if(ret == 0)
+		return 0;
+
 	p+=ret;
-	ret+=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
+
+	sha1len=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
+	if(sha1len == 0)
+		return 0;
+
+	ret+=sha1len;
 	return(ret);
 	}
 static int ssl3_handshake_mac(SSL *s, int md_nid,
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index fe1f654dcda5..e7cbef4814a5 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -377,7 +377,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -474,7 +474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -687,7 +687,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_SSLV3,
 	SSL_NOT_EXP|SSL_HIGH,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -1683,9 +1683,9 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_3DES,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -1715,7 +1715,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_TLSV1,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_TLSV1,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_TLSV1,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_TLSV1,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_TLSV1,
 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -2432,7 +2432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_TLSV1,
 	SSL_NOT_EXP|SSL_HIGH,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -2448,7 +2448,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_TLSV1,
 	SSL_NOT_EXP|SSL_HIGH,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -2464,7 +2464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL_TLSV1,
 	SSL_NOT_EXP|SSL_HIGH,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-	168,
+	112,
 	168,
 	},
 
@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
 		s->s3->tmp.ecdh = NULL;
 		}
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_EC
+	s->s3->is_probably_safari = 0;
+#endif /* !OPENSSL_NO_EC */
+#endif /* !OPENSSL_NO_TLSEXT */
 
 	rp = s->s3->rbuf.buf;
 	wp = s->s3->wbuf.buf;
@@ -3805,17 +3810,17 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif
 
 #ifdef CIPHER_DEBUG
-	printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
+	fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
 	for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
 		{
 		c=sk_SSL_CIPHER_value(srvr,i);
-		printf("%p:%s\n",(void *)c,c->name);
+		fprintf(stderr, "%p:%s\n",(void *)c,c->name);
 		}
-	printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
+	fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
 	for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
 	    {
 	    c=sk_SSL_CIPHER_value(clnt,i);
-	    printf("%p:%s\n",(void *)c,c->name);
+	    fprintf(stderr, "%p:%s\n",(void *)c,c->name);
 	    }
 #endif
 
@@ -3845,12 +3850,17 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 		emask_k = cert->export_mask_k;
 		emask_a = cert->export_mask_a;
 #ifndef OPENSSL_NO_SRP
-		mask_k=cert->mask_k | s->srp_ctx.srp_Mask;
-		emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask;
+		if (s->srp_ctx.srp_Mask & SSL_kSRP)
+			{
+			mask_k |= SSL_kSRP;
+			emask_k |= SSL_kSRP;
+			mask_a |= SSL_aSRP;
+			emask_a |= SSL_aSRP;
+			}
 #endif
-			
+
 #ifdef KSSL_DEBUG
-/*		printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
+/*		fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
 #endif    /* KSSL_DEBUG */
 
 		alg_k=c->algorithm_mkey;
@@ -3873,7 +3883,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			{
 			ok = (alg_k & emask_k) && (alg_a & emask_a);
 #ifdef CIPHER_DEBUG
-			printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
+			fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
 			       (void *)c,c->name);
 #endif
 			}
@@ -3881,7 +3891,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			{
 			ok = (alg_k & mask_k) && (alg_a & mask_a);
 #ifdef CIPHER_DEBUG
-			printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
+			fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
 			       c->name);
 #endif
 			}
@@ -3990,6 +4000,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 				}
 			ok = ok && ec_ok;
 			}
+#ifndef OPENSSL_NO_ECDH
 		if (
 			/* if we are considering an ECC cipher suite that uses an ephemeral EC key */
 			(alg_k & SSL_kEECDH)
@@ -4037,6 +4048,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 				}
 			ok = ok && ec_ok;
 			}
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 
@@ -4044,6 +4056,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 		ii=sk_SSL_CIPHER_find(allow,c);
 		if (ii >= 0)
 			{
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
+			if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
+				{
+				if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
+				continue;
+				}
+#endif
 			ret=sk_SSL_CIPHER_value(allow,ii);
 			break;
 			}
diff --git a/crypto/openssl/ssl/s3_meth.c b/crypto/openssl/ssl/s3_meth.c
index cdddb17b627d..4dec7033d6c9 100644
--- a/crypto/openssl/ssl/s3_meth.c
+++ b/crypto/openssl/ssl/s3_meth.c
@@ -60,7 +60,7 @@
 #include <openssl/objects.h>
 #include "ssl_locl.h"
 
-static const SSL_METHOD *ssl3_get_method(int ver);
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_method(int ver)
 	{
 	if (ver == SSL3_VERSION)
@@ -73,5 +73,4 @@ IMPLEMENT_ssl3_meth_func(SSLv3_method,
 			 ssl3_accept,
 			 ssl3_connect,
 			 ssl3_get_method)
-
-
+#endif
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index 811a047f9f27..1ec9e6ea46da 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -110,6 +110,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include <errno.h>
 #define USE_SOCKETS
 #include "ssl_locl.h"
@@ -274,6 +275,12 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 	return(n);
 	}
 
+/* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will
+ * be processed per call to ssl3_get_record. Without this limit an attacker
+ * could send empty records at a faster rate than we can process and cause
+ * ssl3_get_record to loop forever. */
+#define MAX_EMPTY_RECORDS 32
+
 /* Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
@@ -294,6 +301,7 @@ static int ssl3_get_record(SSL *s)
 	short version;
 	unsigned mac_size, orig_len;
 	size_t extra;
+	unsigned empty_record_count = 0;
 
 	rr= &(s->s3->rrec);
 	sess=s->session;
@@ -337,7 +345,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 			if (version != s->version)
 				{
 				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                                if ((s->version & 0xFF00) == (version & 0xFF00))
+                                if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
                                 	/* Send back error using their minor version number :-) */
 					s->version = (unsigned short)version;
 				al=SSL_AD_PROTOCOL_VERSION;
@@ -524,7 +532,17 @@ printf("\n");
 	s->packet_length=0;
 
 	/* just read a 0 length packet */
-	if (rr->length == 0) goto again;
+	if (rr->length == 0)
+		{
+		empty_record_count++;
+		if (empty_record_count > MAX_EMPTY_RECORDS)
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_RECORD_TOO_SMALL);
+			goto f_err;
+			}
+		goto again;
+		}
 
 #if 0
 fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
@@ -582,10 +600,11 @@ int ssl3_do_compress(SSL *ssl)
 int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 	{
 	const unsigned char *buf=buf_;
-	unsigned int tot,n,nw;
-	int i;
+	unsigned int n,nw;
+	int i,tot;
 
 	s->rwstate=SSL_NOTHING;
+	OPENSSL_assert(s->s3->wnum <= INT_MAX);
 	tot=s->s3->wnum;
 	s->s3->wnum=0;
 
@@ -600,6 +619,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 			}
 		}
 
+	/* ensure that if we end up with a smaller value of data to write 
+	 * out than the the original len from a write which didn't complete 
+	 * for non-blocking I/O and also somehow ended up avoiding 
+	 * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+	 * it must never be possible to end up with (len-tot) as a large
+	 * number that will then promptly send beyond the end of the users
+	 * buffer ... so we trap and report the error in a way the user
+	 * will notice
+	 */
+	if (len < tot)
+		{
+		SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
+		return(-1);
+		}
+
+
 	n=(len-tot);
 	for (;;)
 		{
@@ -643,9 +678,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 	SSL3_BUFFER *wb=&(s->s3->wbuf);
 	SSL_SESSION *sess;
 
- 	if (wb->buf == NULL)
-		if (!ssl3_setup_write_buffer(s))
-			return -1;
 
 	/* first check if there is a SSL3_BUFFER still being written
 	 * out.  This will happen with non blocking IO */
@@ -659,12 +691,12 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 		if (i <= 0)
 			return(i);
 		/* if it went, fall through and send more stuff */
-		/* we may have released our buffer, so get it again */
-		if (wb->buf == NULL)
-			if (!ssl3_setup_write_buffer(s))
-				return -1;
 		}
 
+ 	if (wb->buf == NULL)
+		if (!ssl3_setup_write_buffer(s))
+			return -1;
+
 	if (len == 0 && !create_empty_fragment)
 		return 0;
 
@@ -826,8 +858,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 		wr->length += eivlen;
 		}
 
-	/* ssl3_enc can only have an error on read */
-	s->method->ssl3_enc->enc(s,1);
+	if(s->method->ssl3_enc->enc(s,1)<1) goto err;
 
 	/* record length after mac and block padding */
 	s2n(wr->length,plen);
@@ -955,7 +986,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 		if (!ssl3_setup_read_buffer(s))
 			return(-1);
 
-	if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
+	if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) ||
 	    (peek && (type != SSL3_RT_APPLICATION_DATA)))
 		{
 		SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
@@ -1474,8 +1505,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
 		slen=s->method->ssl3_enc->client_finished_label_len;
 		}
 
-	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
+	i = s->method->ssl3_enc->final_finish_mac(s,
 		sender,slen,s->s3->tmp.peer_finish_md);
+	if (i == 0)
+		{
+		SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+		return 0;
+		}
+	s->s3->tmp.peer_finish_md_len = i;
 
 	return(1);
 	}
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index 5cb1a4b17cb5..fadca74ec269 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -154,6 +154,7 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include "kssl_lcl.h"
+#include "../crypto/constant_time_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
@@ -169,6 +170,7 @@
 #endif
 #include <openssl/md5.h>
 
+#ifndef OPENSSL_NO_SSL3_METHOD
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 
 static const SSL_METHOD *ssl3_get_server_method(int ver)
@@ -179,6 +181,12 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
 		return(NULL);
 	}
 
+IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+			ssl3_accept,
+			ssl_undefined_function,
+			ssl3_get_server_method)
+#endif
+
 #ifndef OPENSSL_NO_SRP
 static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
 	{
@@ -205,11 +213,6 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
 	}
 #endif
 
-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
-			ssl3_accept,
-			ssl_undefined_function,
-			ssl3_get_server_method)
-
 int ssl3_accept(SSL *s)
 	{
 	BUF_MEM *buf;
@@ -283,6 +286,7 @@ int ssl3_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
@@ -297,6 +301,9 @@ int ssl3_accept(SSL *s)
 
 			s->init_num=0;
 			s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
+			s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+			/* Should have been reset by ssl3_get_finished, too. */
+			s->s3->change_cipher_spec = 0;
 
 			if (s->state != SSL_ST_RENEGOTIATE)
 				{
@@ -410,9 +417,8 @@ int ssl3_accept(SSL *s)
 		case SSL3_ST_SW_CERT_B:
 			/* Check if it is anon DH or anon ECDH, */
 			/* normal PSK or KRB5 or SRP */
-			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
-				&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
-				&& !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
+			if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aKRB5|SSL_aSRP))
+				&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
 				{
 				ret=ssl3_send_server_certificate(s);
 				if (ret <= 0) goto end;
@@ -506,7 +512,9 @@ int ssl3_accept(SSL *s)
 				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
 				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
 				 /* never request cert in Kerberos ciphersuites */
-				(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
+				(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) ||
+				/* don't request certificate for SRP auth */
+				(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
 				/* With normal PSK Certificates and
 				 * Certificate Requests are omitted */
 				|| (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
@@ -663,8 +671,14 @@ int ssl3_accept(SSL *s)
 
 		case SSL3_ST_SR_CERT_VRFY_A:
 		case SSL3_ST_SR_CERT_VRFY_B:
-
-			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+			/*
+			 * This *should* be the first time we enable CCS, but be
+			 * extra careful about surrounding code changes. We need
+			 * to set this here because we don't know if we're
+			 * expecting a CertificateVerify or not.
+			 */
+			if (!s->s3->change_cipher_spec)
+				s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			/* we should decide if we expected this one */
 			ret=ssl3_get_cert_verify(s);
 			if (ret <= 0) goto end;
@@ -683,6 +697,19 @@ int ssl3_accept(SSL *s)
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
 		case SSL3_ST_SR_NEXT_PROTO_A:
 		case SSL3_ST_SR_NEXT_PROTO_B:
+			/*
+			 * Enable CCS for resumed handshakes with NPN.
+			 * In a full handshake with NPN, we end up here through
+			 * SSL3_ST_SR_CERT_VRFY_B, where SSL3_FLAGS_CCS_OK was
+			 * already set. Receiving a CCS clears the flag, so make
+			 * sure not to re-enable it to ban duplicates.
+			 * s->s3->change_cipher_spec is set when a CCS is
+			 * processed in s3_pkt.c, and remains set until
+			 * the client's Finished message is read.
+			 */
+			if (!s->s3->change_cipher_spec)
+				s->s3->flags |= SSL3_FLAGS_CCS_OK;
+
 			ret=ssl3_get_next_proto(s);
 			if (ret <= 0) goto end;
 			s->init_num = 0;
@@ -692,7 +719,18 @@ int ssl3_accept(SSL *s)
 
 		case SSL3_ST_SR_FINISHED_A:
 		case SSL3_ST_SR_FINISHED_B:
-			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+			/*
+			 * Enable CCS for resumed handshakes without NPN.
+			 * In a full handshake, we end up here through
+			 * SSL3_ST_SR_CERT_VRFY_B, where SSL3_FLAGS_CCS_OK was
+			 * already set. Receiving a CCS clears the flag, so make
+			 * sure not to re-enable it to ban duplicates.
+			 * s->s3->change_cipher_spec is set when a CCS is
+			 * processed in s3_pkt.c, and remains set until
+			 * the client's Finished message is read.
+			 */
+			if (!s->s3->change_cipher_spec)
+				s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
 				SSL3_ST_SR_FINISHED_B);
 			if (ret <= 0) goto end;
@@ -764,7 +802,6 @@ int ssl3_accept(SSL *s)
 #else
 				if (s->s3->next_proto_neg_seen)
 					{
-					s->s3->flags |= SSL3_FLAGS_CCS_OK;
 					s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
 					}
 				else
@@ -954,7 +991,8 @@ int ssl3_get_client_hello(SSL *s)
 	    (s->version != DTLS1_VERSION && s->client_version < s->version))
 		{
 		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-		if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
+		if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 
+			!s->enc_write_ctx && !s->write_hash)
 			{
 			/* similar to ssl3_get_record, send alert using remote version number */
 			s->version = s->client_version;
@@ -1005,7 +1043,16 @@ int ssl3_get_client_hello(SSL *s)
 	else
 		{
 		i=ssl_get_prev_session(s, p, j, d + n);
-		if (i == 1)
+		/*
+		 * Only resume if the session's version matches the negotiated
+		 * version.
+		 * RFC 5246 does not provide much useful advice on resumption
+		 * with a different protocol version. It doesn't forbid it but
+		 * the sanity of such behaviour would be questionable.
+		 * In practice, clients do not accept a version mismatch and
+		 * will abort the handshake with an error.
+		 */
+		if (i == 1 && s->version == s->session->ssl_version)
 			{ /* previous session */
 			s->hit=1;
 			}
@@ -1100,14 +1147,15 @@ int ssl3_get_client_hello(SSL *s)
 		id=s->session->cipher->id;
 
 #ifdef CIPHER_DEBUG
-		printf("client sent %d ciphers\n",sk_num(ciphers));
+		fprintf(stderr,"client sent %d ciphers\n",sk_SSL_CIPHER_num(ciphers));
 #endif
 		for (i=0; i<sk_SSL_CIPHER_num(ciphers); i++)
 			{
 			c=sk_SSL_CIPHER_value(ciphers,i);
 #ifdef CIPHER_DEBUG
-			printf("client [%2d of %2d]:%s\n",
-				i,sk_num(ciphers),SSL_CIPHER_get_name(c));
+			fprintf(stderr,"client [%2d of %2d]:%s\n",
+				i,sk_SSL_CIPHER_num(ciphers),
+				SSL_CIPHER_get_name(c));
 #endif
 			if (c->id == id)
 				{
@@ -1189,12 +1237,9 @@ int ssl3_get_client_hello(SSL *s)
 	 * server_random before calling tls_session_secret_cb in order to allow
 	 * SessionTicket processing to use it in key derivation. */
 	{
-		unsigned long Time;
 		unsigned char *pos;
-		Time=(unsigned long)time(NULL);			/* Time */
 		pos=s->s3->server_random;
-		l2n(Time,pos);
-		if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
+		if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0)
 			{
 			al=SSL_AD_INTERNAL_ERROR;
 			goto f_err;
@@ -1431,19 +1476,13 @@ int ssl3_send_server_hello(SSL *s)
 	unsigned char *p,*d;
 	int i,sl;
 	unsigned long l;
-#ifdef OPENSSL_NO_TLSEXT
-	unsigned long Time;
-#endif
 
 	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
 		{
 		buf=(unsigned char *)s->init_buf->data;
 #ifdef OPENSSL_NO_TLSEXT
 		p=s->s3->server_random;
-		/* Generate server_random if it was not needed previously */
-		Time=(unsigned long)time(NULL);			/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+		if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
 			return -1;
 #endif
 		/* Do the message type and length last */
@@ -1834,7 +1873,7 @@ int ssl3_send_server_key_exchange(SSL *s)
 			SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
 			goto f_err;
 			}
-		for (i=0; r[i] != NULL && i<4; i++)
+		for (i=0; i < 4 && r[i] != NULL; i++)
 			{
 			nr[i]=BN_num_bytes(r[i]);
 #ifndef OPENSSL_NO_SRP
@@ -1845,7 +1884,7 @@ int ssl3_send_server_key_exchange(SSL *s)
 			n+=2+nr[i];
 			}
 
-		if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
+		if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
 			&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
 			{
 			if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md))
@@ -1870,7 +1909,7 @@ int ssl3_send_server_key_exchange(SSL *s)
 		d=(unsigned char *)s->init_buf->data;
 		p= &(d[4]);
 
-		for (i=0; r[i] != NULL && i<4; i++)
+		for (i=0; i < 4 && r[i] != NULL; i++)
 			{
 #ifndef OPENSSL_NO_SRP
 			if ((i == 2) && (type & SSL_kSRP))
@@ -2101,6 +2140,11 @@ int ssl3_send_certificate_request(SSL *s)
 		s->init_num=n+4;
 		s->init_off=0;
 #ifdef NETSCAPE_HANG_BUG
+		if (!BUF_MEM_grow_clean(buf, s->init_num + 4))
+			{
+			SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
+			goto err;
+			}
 		p=(unsigned char *)s->init_buf->data + s->init_num;
 
 		/* do the header */
@@ -2160,6 +2204,11 @@ int ssl3_get_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_RSA
 	if (alg_k & SSL_kRSA)
 		{
+		unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
+		int decrypt_len;
+		unsigned char decrypt_good, version_good;
+		size_t j;
+
 		/* FIX THIS UP EAY EAY EAY EAY */
 		if (s->s3->tmp.use_rsa_tmp)
 			{
@@ -2197,8 +2246,9 @@ int ssl3_get_client_key_exchange(SSL *s)
 				{
 				if (!(s->options & SSL_OP_TLS_D5_BUG))
 					{
+					al = SSL_AD_DECODE_ERROR;
 					SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-					goto err;
+					goto f_err;
 					}
 				else
 					p-=2;
@@ -2207,59 +2257,84 @@ int ssl3_get_client_key_exchange(SSL *s)
 				n=i;
 			}
 
-		i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
-
-		al = -1;
-		
-		if (i != SSL_MAX_MASTER_KEY_LENGTH)
+		/*
+		 * Reject overly short RSA ciphertext because we want to be sure
+		 * that the buffer size makes it safe to iterate over the entire
+		 * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
+		 * actual expected size is larger due to RSA padding, but the
+		 * bound is sufficient to be safe.
+		 */
+		if (n < SSL_MAX_MASTER_KEY_LENGTH)
 			{
-			al=SSL_AD_DECODE_ERROR;
-			/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
+			al = SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
+			goto f_err;
 			}
 
-		if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
-			{
-			/* The premaster secret must contain the same version number as the
-			 * ClientHello to detect version rollback attacks (strangely, the
-			 * protocol does not offer such protection for DH ciphersuites).
-			 * However, buggy clients exist that send the negotiated protocol
-			 * version instead if the server does not support the requested
-			 * protocol version.
-			 * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
-			if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
-				(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
-				{
-				al=SSL_AD_DECODE_ERROR;
-				/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-
-				/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
-				 * (http://eprint.iacr.org/2003/052/) exploits the version
-				 * number check as a "bad version oracle" -- an alert would
-				 * reveal that the plaintext corresponding to some ciphertext
-				 * made up by the adversary is properly formatted except
-				 * that the version number is wrong.  To avoid such attacks,
-				 * we should treat this just like any other decryption error. */
-				}
-			}
+		/* We must not leak whether a decryption failure occurs because
+		 * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see
+		 * RFC 2246, section 7.4.7.1). The code follows that advice of
+		 * the TLS RFC and generates a random premaster secret for the
+		 * case that the decrypt fails. See
+		 * https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */
 
-		if (al != -1)
+		/* should be RAND_bytes, but we cannot work around a failure. */
+		if (RAND_pseudo_bytes(rand_premaster_secret,
+				      sizeof(rand_premaster_secret)) <= 0)
+			goto err;
+		decrypt_len = RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
+		ERR_clear_error();
+
+		/* decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH.
+		 * decrypt_good will be 0xff if so and zero otherwise. */
+		decrypt_good = constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
+
+		/* If the version in the decrypted pre-master secret is correct
+		 * then version_good will be 0xff, otherwise it'll be zero.
+		 * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+		 * (http://eprint.iacr.org/2003/052/) exploits the version
+		 * number check as a "bad version oracle". Thus version checks
+		 * are done in constant time and are treated like any other
+		 * decryption error. */
+		version_good = constant_time_eq_8(p[0], (unsigned)(s->client_version>>8));
+		version_good &= constant_time_eq_8(p[1], (unsigned)(s->client_version&0xff));
+
+		/* The premaster secret must contain the same version number as
+		 * the ClientHello to detect version rollback attacks
+		 * (strangely, the protocol does not offer such protection for
+		 * DH ciphersuites). However, buggy clients exist that send the
+		 * negotiated protocol version instead if the server does not
+		 * support the requested protocol version. If
+		 * SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. */
+		if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
+			{
+			unsigned char workaround_good;
+			workaround_good = constant_time_eq_8(p[0], (unsigned)(s->version>>8));
+			workaround_good &= constant_time_eq_8(p[1], (unsigned)(s->version&0xff));
+			version_good |= workaround_good;
+			}
+
+		/* Both decryption and version must be good for decrypt_good
+		 * to remain non-zero (0xff). */
+		decrypt_good &= version_good;
+
+		/*
+		 * Now copy rand_premaster_secret over from p using
+		 * decrypt_good_mask. If decryption failed, then p does not
+		 * contain valid plaintext, however, a check above guarantees
+		 * it is still sufficiently large to read from.
+		 */
+		for (j = 0; j < sizeof(rand_premaster_secret); j++)
 			{
-			/* Some decryption failure -- use random value instead as countermeasure
-			 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
-			 * (see RFC 2246, section 7.4.7.1). */
-			ERR_clear_error();
-			i = SSL_MAX_MASTER_KEY_LENGTH;
-			p[0] = s->client_version >> 8;
-			p[1] = s->client_version & 0xff;
-			if (RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */
-				goto err;
+			p[j] = constant_time_select_8(decrypt_good, p[j],
+						      rand_premaster_secret[j]);
 			}
-	
+
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
 				s->session->master_key,
-				p,i);
-		OPENSSL_cleanse(p,i);
+				p,sizeof(rand_premaster_secret));
+		OPENSSL_cleanse(p,sizeof(rand_premaster_secret));
 		}
 	else
 #endif
@@ -2401,10 +2476,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 					&kssl_err)) != 0)
 			{
 #ifdef KSSL_DEBUG
-			printf("kssl_sget_tkt rtn %d [%d]\n",
+			fprintf(stderr,"kssl_sget_tkt rtn %d [%d]\n",
 				krb5rc, kssl_err.reason);
 			if (kssl_err.text)
-				printf("kssl_err text= %s\n", kssl_err.text);
+				fprintf(stderr,"kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				kssl_err.reason);
@@ -2418,10 +2493,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 					&authtime, &kssl_err)) != 0)
 			{
 #ifdef KSSL_DEBUG
-			printf("kssl_check_authent rtn %d [%d]\n",
+			fprintf(stderr,"kssl_check_authent rtn %d [%d]\n",
 				krb5rc, kssl_err.reason);
 			if (kssl_err.text)
-				printf("kssl_err text= %s\n", kssl_err.text);
+				fprintf(stderr,"kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				kssl_err.reason);
@@ -2824,6 +2899,8 @@ int ssl3_get_client_key_exchange(SSL *s)
 			unsigned char premaster_secret[32], *start;
 			size_t outlen=32, inlen;
 			unsigned long alg_a;
+			int Ttag, Tclass;
+			long Tlen;
 
 			/* Get our certificate private key*/
 			alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -2845,26 +2922,15 @@ int ssl3_get_client_key_exchange(SSL *s)
 					ERR_clear_error();
 				}
 			/* Decrypt session key */
-			if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) 
-				{
-				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
-				goto gerr;
-				}
-			if (p[1] == 0x81)
-				{
-				start = p+3;
-				inlen = p[2];
-				}
-			else if (p[1] < 0x80)
-				{
-				start = p+2;
-				inlen = p[1];
-				}
-			else
+			if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, &Tclass, n) != V_ASN1_CONSTRUCTED || 
+				Ttag != V_ASN1_SEQUENCE ||
+			 	Tclass != V_ASN1_UNIVERSAL) 
 				{
 				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
 				goto gerr;
 				}
+			start = p;
+			inlen = Tlen;
 			if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) 
 
 				{
@@ -2928,7 +2994,7 @@ int ssl3_get_cert_verify(SSL *s)
 		SSL3_ST_SR_CERT_VRFY_A,
 		SSL3_ST_SR_CERT_VRFY_B,
 		-1,
-		516, /* Enough for 4096 bit RSA key with TLS v1.2 */
+		SSL3_RT_MAX_PLAIN_LENGTH,
 		&ok);
 
 	if (!ok) return((int)n);
@@ -3352,6 +3418,11 @@ int ssl3_send_server_certificate(SSL *s)
 			}
 
 		l=ssl3_output_cert_chain(s,x);
+		if (!l)
+			{
+			SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			return(0);
+			}
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
diff --git a/crypto/openssl/ssl/srtp.h b/crypto/openssl/ssl/srtp.h
index 1e9ed3a345a4..3edff417cbd5 100644
--- a/crypto/openssl/ssl/srtp.h
+++ b/crypto/openssl/ssl/srtp.h
@@ -1,4 +1,4 @@
-/* ssl/tls1.h */
+/* ssl/srtp.h */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,6 +118,8 @@
 #ifndef HEADER_D1_SRTP_H
 #define HEADER_D1_SRTP_H
 
+#include <openssl/ssl.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -130,12 +132,16 @@ extern "C" {
 #define SRTP_NULL_SHA1_80      0x0005
 #define SRTP_NULL_SHA1_32      0x0006
 
+#ifndef OPENSSL_NO_SRTP
+
 int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles);
 int SSL_set_tlsext_use_srtp(SSL *ctx, const char *profiles);
 SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
 
 STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
 
+#endif
+
 #ifdef  __cplusplus
 }
 #endif
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index 8332947a4e0d..2ba5923204d2 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -554,13 +554,18 @@ struct ssl_session_st
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
-#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
+#define SSL_OP_TLSEXT_PADDING				0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x00000040L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
 #define SSL_OP_TLS_D5_BUG				0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
 
+/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x0
+/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x0
+
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
  * the workaround is not needed.  Unfortunately some broken SSL/TLS
@@ -641,9 +646,20 @@ struct ssl_session_st
  * TLS only.)  "Released" buffers are put onto a free-list in the context
  * or just freed (depending on the context's setting for freelist_max_len). */
 #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
+/* Send the current time in the Random fields of the ClientHello and
+ * ServerHello records for compatibility with hypothetical implementations
+ * that require it.
+ */
+#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
+#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
 /* Send TLS_FALLBACK_SCSV in the ClientHello.
- * To be set by applications that reconnect with a downgraded protocol
- * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+ * To be set only by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.
+ *
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.
+ * Only use this in explicit fallback retries, following the guidance
+ * in draft-ietf-tls-downgrade-scsv-00.
+ */
 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
@@ -676,6 +692,10 @@ struct ssl_session_st
         SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
 #define SSL_set_mtu(ssl, mtu) \
         SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
+#define DTLS_set_link_mtu(ssl, mtu) \
+        SSL_ctrl((ssl),DTLS_CTRL_SET_LINK_MTU,(mtu),NULL)
+#define DTLS_get_link_min_mtu(ssl) \
+        SSL_ctrl((ssl),DTLS_CTRL_GET_LINK_MIN_MTU,0,NULL)
 
 #define SSL_get_secure_renegotiation_support(ssl) \
 	SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
@@ -910,7 +930,7 @@ struct ssl_ctx_st
 	 */
 	unsigned int max_send_fragment;
 
-#ifndef OPENSSL_ENGINE
+#ifndef OPENSSL_NO_ENGINE
 	/* Engine to pass requests for client certs to
 	 */
 	ENGINE *client_cert_engine;
@@ -1615,6 +1635,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS	83
 
 #define SSL_CTRL_CHECK_PROTO_VERSION		119
+#define DTLS_CTRL_SET_LINK_MTU			120
+#define DTLS_CTRL_GET_LINK_MIN_MTU		121
 
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
@@ -1866,13 +1888,15 @@ const SSL_METHOD *SSLv2_server_method(void);	/* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void);	/* SSLv2 */
 #endif
 
+#ifndef OPENSSL_NO_SSL3_METHOD
 const SSL_METHOD *SSLv3_method(void);		/* SSLv3 */
 const SSL_METHOD *SSLv3_server_method(void);	/* SSLv3 */
 const SSL_METHOD *SSLv3_client_method(void);	/* SSLv3 */
+#endif
 
-const SSL_METHOD *SSLv23_method(void);	/* SSLv3 but can rollback to v2 */
-const SSL_METHOD *SSLv23_server_method(void);	/* SSLv3 but can rollback to v2 */
-const SSL_METHOD *SSLv23_client_method(void);	/* SSLv3 but can rollback to v2 */
+const SSL_METHOD *SSLv23_method(void);	/* Negotiate highest available SSL/TLS version */
+const SSL_METHOD *SSLv23_server_method(void);	/* Negotiate highest available SSL/TLS version */
+const SSL_METHOD *SSLv23_client_method(void);	/* Negotiate highest available SSL/TLS version */
 
 const SSL_METHOD *TLSv1_method(void);		/* TLSv1.0 */
 const SSL_METHOD *TLSv1_server_method(void);	/* TLSv1.0 */
@@ -2051,6 +2075,10 @@ int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secre
 void SSL_set_debug(SSL *s, int debug);
 int SSL_cache_hit(SSL *s);
 
+#ifndef OPENSSL_NO_UNIT_TEST
+const struct openssl_ssl_test_functions *SSL_test_functions(void);
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
diff --git a/crypto/openssl/ssl/ssl3.h b/crypto/openssl/ssl/ssl3.h
index 78883abef4b7..6fad054e03c5 100644
--- a/crypto/openssl/ssl/ssl3.h
+++ b/crypto/openssl/ssl/ssl3.h
@@ -393,7 +393,12 @@ typedef struct ssl3_buffer_st
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
- 
+/*
+ * Set when the handshake is ready to process peer's ChangeCipherSpec message.
+ * Cleared after the message has been processed.
+ */
+#define SSL3_FLAGS_CCS_OK			0x0080
+
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
  * restart a handshake because of MS SGC and so prevents us
  * from restarting the handshake in a loop. It's reset on a
@@ -404,7 +409,6 @@ typedef struct ssl3_buffer_st
  * effected, but we can't prevent that.
  */
 #define SSL3_FLAGS_SGC_RESTART_DONE		0x0040
-#define SSL3_FLAGS_CCS_OK			0x0080
 
 #ifndef OPENSSL_NO_SSL_INTERN
 
@@ -456,8 +460,11 @@ typedef struct ssl3_state_st
 	 * and freed and MD_CTX-es for all required digests are stored in
 	 * this array */
 	EVP_MD_CTX **handshake_dgst;
-	/* this is set whenerver we see a change_cipher_spec message
-	 * come in when we are not looking for one */
+	/*
+	 * Set whenever an expected ChangeCipherSpec message is processed.
+	 * Unset when the peer's Finished message is received.
+	 * Unexpected ChangeCipherSpec messages trigger a fatal alert.
+	 */
 	int change_cipher_spec;
 
 	int warn_alert;
@@ -545,6 +552,15 @@ typedef struct ssl3_state_st
 	/* Set if we saw the Next Protocol Negotiation extension from our peer. */
 	int next_proto_neg_seen;
 #endif
+
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_EC
+	/* This is set to true if we believe that this is a version of Safari
+	 * running on OS X 10.6 or newer. We wish to know this because Safari
+	 * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
+	char is_probably_safari;
+#endif /* !OPENSSL_NO_EC */
+#endif /* !OPENSSL_NO_TLSEXT */
 	} SSL3_STATE;
 
 #endif
diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c
index 38540be1e538..477500371027 100644
--- a/crypto/openssl/ssl/ssl_asn1.c
+++ b/crypto/openssl/ssl/ssl_asn1.c
@@ -408,6 +408,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 		if (os.length != 3)
 			{
 			c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
+			c.line=__LINE__;
 			goto err;
 			}
 		id=0x02000000L|
@@ -420,6 +421,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 		if (os.length != 2)
 			{
 			c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
+			c.line=__LINE__;
 			goto err;
 			}
 		id=0x03000000L|
@@ -429,6 +431,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 	else
 		{
 		c.error=SSL_R_UNKNOWN_SSL_VERSION;
+		c.line=__LINE__;
 		goto err;
 		}
 	
@@ -521,6 +524,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 	    if (os.length > SSL_MAX_SID_CTX_LENGTH)
 		{
 		c.error=SSL_R_BAD_LENGTH;
+		c.line=__LINE__;
 		goto err;
 		}
 	    else
diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c
index 5123a89182e5..cef3ff46e4a3 100644
--- a/crypto/openssl/ssl/ssl_cert.c
+++ b/crypto/openssl/ssl/ssl_cert.c
@@ -286,35 +286,6 @@ CERT *ssl_cert_dup(CERT *cert)
 			ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
 			CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
 				CRYPTO_LOCK_EVP_PKEY);
-
-			switch(i) 
-				{
-				/* If there was anything special to do for
-				 * certain types of keys, we'd do it here.
-				 * (Nothing at the moment, I think.) */
-
-			case SSL_PKEY_RSA_ENC:
-			case SSL_PKEY_RSA_SIGN:
-				/* We have an RSA key. */
-				break;
-				
-			case SSL_PKEY_DSA_SIGN:
-				/* We have a DSA key. */
-				break;
-				
-			case SSL_PKEY_DH_RSA:
-			case SSL_PKEY_DH_DSA:
-				/* We have a DH key. */
-				break;
-
-			case SSL_PKEY_ECC:
-				/* We have an ECC key */
-				break;
-
-			default:
-				/* Can't happen. */
-				SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
-				}
 			}
 		}
 	
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
index 06da26acc587..b767361e79b8 100644
--- a/crypto/openssl/ssl/ssl_ciph.c
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -563,7 +563,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		break;
 		}
 
-	if ((i < 0) || (i > SSL_ENC_NUM_IDX))
+	if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
 		*enc=NULL;
 	else
 		{
@@ -597,7 +597,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		i= -1;
 		break;
 		}
-	if ((i < 0) || (i > SSL_MD_NUM_IDX))
+	if ((i < 0) || (i >= SSL_MD_NUM_IDX))
 	{
 		*md=NULL; 
 		if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
@@ -814,7 +814,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 			co_list[co_list_num].active = 0;
 			co_list_num++;
 #ifdef KSSL_DEBUG
-			printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
+			fprintf(stderr,"\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
 #endif	/* KSSL_DEBUG */
 			/*
 			if (!sk_push(ca_list,(char *)c)) goto err;
@@ -926,12 +926,12 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 		int rule, int strength_bits,
 		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 	{
-	CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
+	CIPHER_ORDER *head, *tail, *curr, *next, *last;
 	const SSL_CIPHER *cp;
 	int reverse = 0;
 
 #ifdef CIPHER_DEBUG
-	printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
+	fprintf(stderr, "Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
 		rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits);
 #endif
 
@@ -943,21 +943,25 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 
 	if (reverse)
 		{
-		curr = tail;
+		next = tail;
 		last = head;
 		}
 	else
 		{
-		curr = head;
+		next = head;
 		last = tail;
 		}
 
-	curr2 = curr;
+	curr = NULL;
 	for (;;)
 		{
-		if ((curr == NULL) || (curr == last)) break;
-		curr = curr2;
-		curr2 = reverse ? curr->prev : curr->next;
+		if (curr == last) break;
+
+		curr = next;
+
+		if (curr == NULL) break;
+
+		next = reverse ? curr->prev : curr->next;
 
 		cp = curr->cipher;
 
@@ -973,7 +977,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 		else
 			{
 #ifdef CIPHER_DEBUG
-			printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
+			fprintf(stderr, "\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
 #endif
 
 			if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
@@ -993,7 +997,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 			}
 
 #ifdef CIPHER_DEBUG
-		printf("Action = %d\n", rule);
+		fprintf(stderr, "Action = %d\n", rule);
 #endif
 
 		/* add the cipher if it has not been added yet. */
@@ -1382,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 */
 	num_of_ciphers = ssl_method->num_ciphers();
 #ifdef KSSL_DEBUG
-	printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
+	fprintf(stderr,"ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
 #endif    /* KSSL_DEBUG */
 	co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
 	if (co_list == NULL)
@@ -1509,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 			{
 			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
-			printf("<%s>\n",curr->cipher->name);
+			fprintf(stderr, "<%s>\n",curr->cipher->name);
 #endif
 			}
 		}
@@ -1599,6 +1603,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_kSRP:
 		kx="SRP";
 		break;
+	case SSL_kGOST:
+		kx="GOST";
+		break;
 	default:
 		kx="unknown";
 		}
@@ -1632,6 +1639,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_aSRP:
 		au="SRP";
 		break;
+	case SSL_aGOST94:
+		au="GOST94";
+		break;
+	case SSL_aGOST01:
+		au="GOST01";
+		break;
 	default:
 		au="unknown";
 		break;
@@ -1679,6 +1692,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_SEED:
 		enc="SEED(128)";
 		break;
+	case SSL_eGOST2814789CNT:
+		enc="GOST89(256)";
+		break;
 	default:
 		enc="unknown";
 		break;
@@ -1701,6 +1717,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_AEAD:
 		mac="AEAD";
 		break;
+	case SSL_GOST89MAC:
+		mac="GOST89";
+		break;
+	case SSL_GOST94:
+		mac="GOST94";
+		break;
 	default:
 		mac="unknown";
 		break;
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
index d19b129ea86a..1b7eb47e15b9 100644
--- a/crypto/openssl/ssl/ssl_err.c
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -544,7 +544,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
 {ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
 {ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
-{ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),"peer does not accept heartbearts"},
+{ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),"peer does not accept heartbeats"},
 {ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING) ,"heartbeat request already pending"},
 {ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),"tls illegal exporter label"},
 {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index e0a97cf7df5d..4a62b4a790db 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -383,13 +383,7 @@ SSL *SSL_new(SSL_CTX *ctx)
 	return(s);
 err:
 	if (s != NULL)
-		{
-		if (s->cert != NULL)
-			ssl_cert_free(s->cert);
-		if (s->ctx != NULL)
-			SSL_CTX_free(s->ctx); /* decrement reference count */
-		OPENSSL_free(s);
-		}
+		SSL_free(s);
 	SSLerr(SSL_F_SSL_NEW,ERR_R_MALLOC_FAILURE);
 	return(NULL);
 	}
@@ -1080,19 +1074,6 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
 		l=s->max_cert_list;
 		s->max_cert_list=larg;
 		return(l);
-	case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
-		if (larg < (long)dtls1_min_mtu())
-			return 0;
-#endif
-
-		if (SSL_version(s) == DTLS1_VERSION ||
-		    SSL_version(s) == DTLS1_BAD_VER)
-			{
-			s->d1->mtu = larg;
-			return larg;
-			}
-		return 0;
 	case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
 		if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
 			return 0;
@@ -1349,6 +1330,10 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 
 	p=buf;
 	sk=s->session->ciphers;
+
+	if (sk_SSL_CIPHER_num(sk) == 0)
+		return NULL;
+
 	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 		{
 		int n;
@@ -1503,6 +1488,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 					ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
 				goto err;
 				}
+			p += n;
 			continue;
 			}
 
@@ -1834,7 +1820,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
 
 	ret->extra_certs=NULL;
-	ret->comp_methods=SSL_COMP_get_compression_methods();
+	/* No compression for DTLS */
+	if (meth->version != DTLS1_VERSION)
+		ret->comp_methods=SSL_COMP_get_compression_methods();
 
 	ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
@@ -2106,7 +2094,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	
 
 #ifdef CIPHER_DEBUG
-	printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+	fprintf(stderr,"rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
 	        rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp,
 		rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
 #endif
@@ -2829,9 +2817,7 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
 	{
-	if (s->server)
-		return(ssl_get_server_send_cert(s));
-	else if (s->cert != NULL)
+	if (s->cert != NULL)
 		return(s->cert->key->x509);
 	else
 		return(NULL);
diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h
index 741797ea92f1..1b8fa8c4cbf6 100644
--- a/crypto/openssl/ssl/ssl_locl.h
+++ b/crypto/openssl/ssl/ssl_locl.h
@@ -810,6 +810,16 @@ const SSL_METHOD *func_name(void)  \
 	return &func_name##_data; \
 	}
 
+struct openssl_ssl_test_functions
+	{
+	int (*p_ssl_init_wbio_buffer)(SSL *s, int push);
+	int (*p_ssl3_setup_buffers)(SSL *s);
+	int (*p_tls1_process_heartbeat)(SSL *s);
+	int (*p_dtls1_process_heartbeat)(SSL *s);
+	};
+
+#ifndef OPENSSL_UNIT_TEST
+
 void ssl_clear_cipher_ctx(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
@@ -850,10 +860,11 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);
 void ssl_load_ciphers(void);
+int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
 
 int ssl2_enc_init(SSL *s, int client);
 int ssl2_generate_key_material(SSL *s);
-void ssl2_enc(SSL *s,int send_data);
+int ssl2_enc(SSL *s,int send_data);
 void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
 const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
 int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
@@ -986,7 +997,9 @@ void dtls1_stop_timer(SSL *s);
 int dtls1_is_timer_expired(SSL *s);
 void dtls1_double_timeout(SSL *s);
 int dtls1_send_newsession_ticket(SSL *s);
-unsigned int dtls1_min_mtu(void);
+unsigned int dtls1_min_mtu(SSL *s);
+unsigned int dtls1_link_min_mtu(void);
+void dtls1_hm_fragment_free(hm_fragment *frag);
 
 /* some client-only functions */
 int ssl3_client_hello(SSL *s);
@@ -1003,7 +1016,6 @@ int ssl3_get_key_exchange(SSL *s);
 int ssl3_get_server_certificate(SSL *s);
 int ssl3_check_cert_and_algorithm(SSL *s);
 #ifndef OPENSSL_NO_TLSEXT
-int ssl3_check_finished(SSL *s);
 # ifndef OPENSSL_NO_NEXTPROTONEG
 int ssl3_send_next_proto(SSL *s);
 # endif
@@ -1095,8 +1107,8 @@ int tls1_ec_nid2curve_id(int nid);
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); 
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); 
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
 int ssl_prepare_clienthello_tlsext(SSL *s);
@@ -1176,4 +1188,12 @@ void tls_fips_digest_extra(
 
 int srp_verify_server_param(SSL *s, int *al);
 
+#else
+
+#define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
+#define ssl3_setup_buffers SSL_test_functions()->p_ssl3_setup_buffers
+#define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat
+#define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat
+
+#endif
 #endif
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index ad40fadd02cc..235f92d824cd 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -335,7 +335,21 @@ int ssl_get_new_session(SSL *s, int session)
 			return(0);
 			}
 #ifndef OPENSSL_NO_TLSEXT
-		/* If RFC4507 ticket use empty session ID */
+		/*
+		 * If RFC5077 ticket, use empty session ID (as server).
+		 * Note that:
+		 * (a) ssl_get_prev_session() does lookahead into the
+		 *     ClientHello extensions to find the session ticket.
+		 *     When ssl_get_prev_session() fails, s3_srvr.c calls
+		 *     ssl_get_new_session() in ssl3_get_client_hello().
+		 *     At that point, it has not yet parsed the extensions,
+		 *     however, because of the lookahead, it already knows
+		 *     whether a ticket is expected or not.
+		 *
+		 * (b) s3_clnt.c calls ssl_get_new_session() before parsing
+		 *     ServerHello extensions, and before recording the session
+		 *     ID received from the server, so this block is a noop.
+		 */
 		if (s->tlsext_ticket_expected)
 			{
 			ss->session_id_length = 0;
diff --git a/crypto/openssl/ssl/ssl_stat.c b/crypto/openssl/ssl/ssl_stat.c
index 144b81e55fe4..c5a15ce54824 100644
--- a/crypto/openssl/ssl/ssl_stat.c
+++ b/crypto/openssl/ssl/ssl_stat.c
@@ -212,7 +212,6 @@ case SSL3_ST_SR_CERT_VRFY_A:	str="SSLv3 read certificate verify A"; break;
 case SSL3_ST_SR_CERT_VRFY_B:	str="SSLv3 read certificate verify B"; break;
 #endif
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 /* SSLv2/v3 compatibility states */
 /* client */
 case SSL23_ST_CW_CLNT_HELLO_A:	str="SSLv2/v3 write client hello A"; break;
@@ -222,7 +221,6 @@ case SSL23_ST_CR_SRVR_HELLO_B:	str="SSLv2/v3 read server hello B"; break;
 /* server */
 case SSL23_ST_SR_CLNT_HELLO_A:	str="SSLv2/v3 read client hello A"; break;
 case SSL23_ST_SR_CLNT_HELLO_B:	str="SSLv2/v3 read client hello B"; break;
-#endif
 
 /* DTLS */
 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DTLS1 read hello verify request A"; break;
@@ -366,7 +364,6 @@ case SSL3_ST_SR_CERT_VRFY_A:			str="3RCV_A"; break;
 case SSL3_ST_SR_CERT_VRFY_B:			str="3RCV_B"; break;
 #endif
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 /* SSLv2/v3 compatibility states */
 /* client */
 case SSL23_ST_CW_CLNT_HELLO_A:			str="23WCHA"; break;
@@ -376,7 +373,7 @@ case SSL23_ST_CR_SRVR_HELLO_B:			str="23RSHA"; break;
 /* server */
 case SSL23_ST_SR_CLNT_HELLO_A:			str="23RCHA"; break;
 case SSL23_ST_SR_CLNT_HELLO_B:			str="23RCHB"; break;
-#endif
+
 /* DTLS */
 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: str="DRCHVA"; break;
 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: str="DRCHVB"; break;
diff --git a/crypto/openssl/crypto/pkcs7/example.h b/crypto/openssl/ssl/ssl_utst.c
index 96167de188d6..3679bc3c2309 100644
--- a/crypto/openssl/crypto/pkcs7/example.h
+++ b/crypto/openssl/ssl/ssl_utst.c
@@ -1,5 +1,9 @@
+/* ssl_utst.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -46,12 +50,24 @@
  * OF THE POSSIBILITY OF SUCH DAMAGE.
  * ====================================================================
  *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
  */
 
-int add_signed_time(PKCS7_SIGNER_INFO *si);
-ASN1_UTCTIME *get_signed_time(PKCS7_SIGNER_INFO *si);
-int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2);
+#include "ssl_locl.h"
+
+#ifndef OPENSSL_NO_UNIT_TEST
+
+
+static const struct openssl_ssl_test_functions ssl_test_functions =
+	{
+	ssl_init_wbio_buffer,
+	ssl3_setup_buffers,
+	tls1_process_heartbeat,
+	dtls1_process_heartbeat
+	};
+
+const struct openssl_ssl_test_functions *SSL_test_functions(void)
+	{
+	return &ssl_test_functions;
+	}
+
+#endif
diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c
index 316bbb0c9582..08889569f4ef 100644
--- a/crypto/openssl/ssl/ssltest.c
+++ b/crypto/openssl/ssl/ssltest.c
@@ -345,7 +345,7 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_SSL2
 	fprintf(stderr," -ssl2         - use SSLv2\n");
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
 	fprintf(stderr," -ssl3         - use SSLv3\n");
 #endif
 #ifndef OPENSSL_NO_TLS1
@@ -368,7 +368,9 @@ static void sv_usage(void)
 	               "                 Use \"openssl ecparam -list_curves\" for all names\n"  \
 	               "                 (default is sect163r2).\n");
 #endif
-	fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
+	fprintf(stderr," -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
+		       "                    When this option is requested, the cipherlist\n"
+		       "                    tests are run instead of handshake tests.\n");
 	}
 
 static void print_details(SSL *c_ssl, const char *prefix)
@@ -549,6 +551,7 @@ int main(int argc, char *argv[])
 #ifdef OPENSSL_FIPS
 	int fips_mode=0;
 #endif
+        int no_protocol = 0;
 
 	verbose = 0;
 	debug = 0;
@@ -658,11 +661,26 @@ int main(int argc, char *argv[])
 			}
 #endif
 		else if	(strcmp(*argv,"-ssl2") == 0)
-			ssl2=1;
+			{
+#ifdef OPENSSL_NO_SSL2
+			no_protocol = 1;
+#endif
+			ssl2 = 1;
+			}
 		else if	(strcmp(*argv,"-tls1") == 0)
-			tls1=1;
+			{
+#ifdef OPENSSL_NO_TLS1
+			no_protocol = 1;
+#endif
+			tls1 = 1;
+			}
 		else if	(strcmp(*argv,"-ssl3") == 0)
-			ssl3=1;
+			{
+#ifdef OPENSSL_NO_SSL3_METHOD
+			no_protocol = 1;
+#endif
+			ssl3 = 1;
+			}
 		else if	(strncmp(*argv,"-num",4) == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -781,15 +799,41 @@ bad:
 		goto end;
 		}
 
+	/*
+	 * test_cipherlist prevails over protocol switch: we test the cipherlist
+	 * for all enabled protocols.
+	 */
 	if (test_cipherlist == 1)
 		{
 		/* ensure that the cipher list are correctly sorted and exit */
+		fprintf(stdout, "Testing cipherlist order only. Ignoring all "
+			"other options.\n");
 		if (do_test_cipherlist() == 0)
 			EXIT(1);
 		ret = 0;
 		goto end;
 		}
 
+	if (ssl2 + ssl3 + tls1 > 1)
+		{
+		fprintf(stderr, "At most one of -ssl2, -ssl3, or -tls1 should "
+			"be requested.\n");
+		EXIT(1);
+		}
+
+	/*
+	 * Testing was requested for a compiled-out protocol (e.g. SSLv2).
+         * Ideally, we would error out, but the generic test wrapper can't know
+	 * when to expect failure. So we do nothing and return success.
+	 */
+	if (no_protocol)
+		{
+		fprintf(stderr, "Testing was requested for a disabled protocol. "
+			"Skipping tests.\n");
+		ret = 0;
+		goto end;
+		}
+
 	if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
 		{
 		fprintf(stderr, "This case cannot work.  Use -f to perform "
@@ -868,24 +912,25 @@ bad:
 	}
 #endif
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+/* At this point, ssl2/ssl3/tls1 is only set if the protocol is available.
+ * (Otherwise we exit early.)
+ * However the compiler doesn't know this, so we ifdef. */
+#ifndef OPENSSL_NO_SSL2
 	if (ssl2)
 		meth=SSLv2_method();
-	else 
-	if (tls1)
-		meth=TLSv1_method();
 	else
+#endif
+#ifndef OPENSSL_NO_SSL3
 	if (ssl3)
 		meth=SSLv3_method();
 	else
-		meth=SSLv23_method();
-#else
-#ifdef OPENSSL_NO_SSL2
-	meth=SSLv3_method();
-#else
-	meth=SSLv2_method();
 #endif
+#ifndef OPENSSL_NO_TLS1
+	if (tls1)
+		meth=TLSv1_method();
+	else
 #endif
+	meth=SSLv23_method();
 
 	c_ctx=SSL_CTX_new(meth);
 	s_ctx=SSL_CTX_new(meth);
diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
index f7aa8426f184..1308c0344fea 100644
--- a/crypto/openssl/ssl/t1_enc.c
+++ b/crypto/openssl/ssl/t1_enc.c
@@ -303,15 +303,15 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
 		 s->session->master_key,s->session->master_key_length,
 		 km,tmp,num);
 #ifdef KSSL_DEBUG
-	printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
+	fprintf(stderr,"tls1_generate_key_block() ==> %d byte master_key =\n\t",
                 s->session->master_key_length);
 	{
         int i;
         for (i=0; i < s->session->master_key_length; i++)
                 {
-                printf("%02X", s->session->master_key[i]);
+                fprintf(stderr,"%02X", s->session->master_key[i]);
                 }
-        printf("\n");  }
+        fprintf(stderr,"\n");  }
 #endif    /* KSSL_DEBUG */
 	return ret;
 	}
@@ -349,19 +349,19 @@ int tls1_change_cipher_state(SSL *s, int which)
 #endif
 
 #ifdef KSSL_DEBUG
-	printf("tls1_change_cipher_state(which= %d) w/\n", which);
-	printf("\talg= %ld/%ld, comp= %p\n",
+	fprintf(stderr,"tls1_change_cipher_state(which= %d) w/\n", which);
+	fprintf(stderr,"\talg= %ld/%ld, comp= %p\n",
 	       s->s3->tmp.new_cipher->algorithm_mkey,
 	       s->s3->tmp.new_cipher->algorithm_auth,
 	       comp);
-	printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
-	printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
+	fprintf(stderr,"\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
+	fprintf(stderr,"\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
                 c->nid,c->block_size,c->key_len,c->iv_len);
-	printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
+	fprintf(stderr,"\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
 	{
         int i;
         for (i=0; i<s->s3->tmp.key_block_length; i++)
-		printf("%02x", s->s3->tmp.key_block[i]);  printf("\n");
+		fprintf(stderr,"%02x", s->s3->tmp.key_block[i]);  fprintf(stderr,"\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -540,11 +540,11 @@ printf("which = %04X\nmac key=",which);
 #ifdef KSSL_DEBUG
 	{
         int i;
-	printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
-	printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
-	printf("\n");
-	printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
-	printf("\n");
+	fprintf(stderr,"EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
+	fprintf(stderr,"\tkey= "); for (i=0; i<c->key_len; i++) fprintf(stderr,"%02x", key[i]);
+	fprintf(stderr,"\n");
+	fprintf(stderr,"\t iv= "); for (i=0; i<c->iv_len; i++) fprintf(stderr,"%02x", iv[i]);
+	fprintf(stderr,"\n");
 	}
 #endif	/* KSSL_DEBUG */
 
@@ -591,7 +591,7 @@ int tls1_setup_key_block(SSL *s)
 	int ret=0;
 
 #ifdef KSSL_DEBUG
-	printf ("tls1_setup_key_block()\n");
+	fprintf(stderr,"tls1_setup_key_block()\n");
 #endif	/* KSSL_DEBUG */
 
 	if (s->s3->tmp.key_block_length != 0)
@@ -740,7 +740,7 @@ int tls1_enc(SSL *s, int send)
 		}
 
 #ifdef KSSL_DEBUG
-	printf("tls1_enc(%d)\n", send);
+	fprintf(stderr,"tls1_enc(%d)\n", send);
 #endif    /* KSSL_DEBUG */
 
 	if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
@@ -812,18 +812,18 @@ int tls1_enc(SSL *s, int send)
 #ifdef KSSL_DEBUG
 		{
 		unsigned long ui;
-		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
+		fprintf(stderr,"EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
 			ds,rec->data,rec->input,l);
-		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
+		fprintf(stderr,"\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n",
 			ds->buf_len, ds->cipher->key_len,
 			DES_KEY_SZ, DES_SCHEDULE_SZ,
 			ds->cipher->iv_len);
-		printf("\t\tIV: ");
-		for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
-		printf("\n");
-		printf("\trec->input=");
-		for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
-		printf("\n");
+		fprintf(stderr,"\t\tIV: ");
+		for (i=0; i<ds->cipher->iv_len; i++) fprintf(stderr,"%02X", ds->iv[i]);
+		fprintf(stderr,"\n");
+		fprintf(stderr,"\trec->input=");
+		for (ui=0; ui<l; ui++) fprintf(stderr," %02x", rec->input[ui]);
+		fprintf(stderr,"\n");
 		}
 #endif	/* KSSL_DEBUG */
 
@@ -848,9 +848,9 @@ int tls1_enc(SSL *s, int send)
 #ifdef KSSL_DEBUG
 		{
 		unsigned long i;
-		printf("\trec->data=");
+		fprintf(stderr,"\trec->data=");
 		for (i=0; i<l; i++)
-			printf(" %02x", rec->data[i]);  printf("\n");
+			fprintf(stderr," %02x", rec->data[i]);  fprintf(stderr,"\n");
 		}
 #endif	/* KSSL_DEBUG */
 
@@ -920,18 +920,19 @@ int tls1_final_finish_mac(SSL *s,
 		if (mask & ssl_get_algorithm2(s))
 			{
 			int hashsize = EVP_MD_size(md);
-			if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
+			EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
+			if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
 				{
 				/* internal error: 'buf' is too small for this cipersuite! */
 				err = 1;
 				}
 			else
 				{
-				EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
-				EVP_DigestFinal_ex(&ctx,q,&i);
-				if (i != (unsigned int)hashsize) /* can't really happen */
+				if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
+					!EVP_DigestFinal_ex(&ctx,q,&i) ||
+					(i != (unsigned int)hashsize))
 					err = 1;
-				q+=i;
+				q+=hashsize;
 				}
 			}
 		}
@@ -985,7 +986,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 		}
 		else
 		{
-			EVP_MD_CTX_copy(&hmac,hash);
+			if (!EVP_MD_CTX_copy(&hmac,hash))
+				return -1;
 			mac_ctx = &hmac;
 		}
 
@@ -1046,14 +1048,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	if (!stream_mac)
 		EVP_MD_CTX_cleanup(&hmac);
 #ifdef TLS_DEBUG
-printf("sec=");
-{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
-printf("seq=");
-{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
-printf("buf=");
-{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
-printf("rec=");
-{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
+fprintf(stderr,"seq=");
+{int z; for (z=0; z<8; z++) fprintf(stderr,"%02X ",seq[z]); fprintf(stderr,"\n"); }
+fprintf(stderr,"rec=");
+{unsigned int z; for (z=0; z<rec->length; z++) fprintf(stderr,"%02X ",rec->data[z]); fprintf(stderr,"\n"); }
 #endif
 
 	if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER)
@@ -1066,7 +1064,7 @@ printf("rec=");
 		}
 
 #ifdef TLS_DEBUG
-{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
+{unsigned int z; for (z=0; z<md_size; z++) fprintf(stderr,"%02X ",md[z]); fprintf(stderr,"\n"); }
 #endif
 	return(md_size);
 	}
@@ -1080,7 +1078,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
 
 
 #ifdef KSSL_DEBUG
-	printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
+	fprintf(stderr,"tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
 #endif	/* KSSL_DEBUG */
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
@@ -1115,7 +1113,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
 #endif
 
 #ifdef KSSL_DEBUG
-	printf ("tls1_generate_master_secret() complete\n");
+	fprintf(stderr,"tls1_generate_master_secret() complete\n");
 #endif	/* KSSL_DEBUG */
 	return(SSL3_MASTER_SECRET_SIZE);
 	}
@@ -1130,7 +1128,7 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
 	int rv;
 
 #ifdef KSSL_DEBUG
-	printf ("tls1_export_keying_material(%p,%p,%d,%s,%d,%p,%d)\n", s, out, olen, label, llen, p, plen);
+	fprintf(stderr,"tls1_export_keying_material(%p,%p,%lu,%s,%lu,%p,%lu)\n", s, out, olen, label, llen, context, contextlen);
 #endif	/* KSSL_DEBUG */
 
 	buff = OPENSSL_malloc(olen);
@@ -1183,7 +1181,7 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
 	if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
 		 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
 
-	rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
+	rv = tls1_PRF(ssl_get_algorithm2(s),
 		      val, vallen,
 		      NULL, 0,
 		      NULL, 0,
@@ -1193,7 +1191,7 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
 		      out,buff,olen);
 
 #ifdef KSSL_DEBUG
-	printf ("tls1_export_keying_material() complete\n");
+	fprintf(stderr,"tls1_export_keying_material() complete\n");
 #endif	/* KSSL_DEBUG */
 	goto ret;
 err1:
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
index 90c1c42286ba..179b467d4508 100644
--- a/crypto/openssl/ssl/t1_lib.c
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -204,28 +204,40 @@ static int nid_list[] =
 
 static int pref_list[] =
 	{
+#ifndef OPENSSL_NO_EC2M
 		NID_sect571r1, /* sect571r1 (14) */ 
 		NID_sect571k1, /* sect571k1 (13) */ 
+#endif
 		NID_secp521r1, /* secp521r1 (25) */	
+#ifndef OPENSSL_NO_EC2M
 		NID_sect409k1, /* sect409k1 (11) */ 
 		NID_sect409r1, /* sect409r1 (12) */
+#endif
 		NID_secp384r1, /* secp384r1 (24) */
+#ifndef OPENSSL_NO_EC2M
 		NID_sect283k1, /* sect283k1 (9) */
 		NID_sect283r1, /* sect283r1 (10) */ 
+#endif
 		NID_secp256k1, /* secp256k1 (22) */ 
 		NID_X9_62_prime256v1, /* secp256r1 (23) */ 
+#ifndef OPENSSL_NO_EC2M
 		NID_sect239k1, /* sect239k1 (8) */ 
 		NID_sect233k1, /* sect233k1 (6) */
 		NID_sect233r1, /* sect233r1 (7) */ 
+#endif
 		NID_secp224k1, /* secp224k1 (20) */ 
 		NID_secp224r1, /* secp224r1 (21) */
+#ifndef OPENSSL_NO_EC2M
 		NID_sect193r1, /* sect193r1 (4) */ 
 		NID_sect193r2, /* sect193r2 (5) */ 
+#endif
 		NID_secp192k1, /* secp192k1 (18) */
 		NID_X9_62_prime192v1, /* secp192r1 (19) */ 
+#ifndef OPENSSL_NO_EC2M
 		NID_sect163k1, /* sect163k1 (1) */
 		NID_sect163r1, /* sect163r1 (2) */
 		NID_sect163r2, /* sect163r2 (3) */
+#endif
 		NID_secp160k1, /* secp160k1 (15) */
 		NID_secp160r1, /* secp160r1 (16) */ 
 		NID_secp160r2, /* secp160r2 (17) */ 
@@ -233,7 +245,7 @@ static int pref_list[] =
 
 int tls1_ec_curve_id2nid(int curve_id)
 	{
-	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
+	/* ECC curves from RFC 4492 */
 	if ((curve_id < 1) || ((unsigned int)curve_id >
 				sizeof(nid_list)/sizeof(nid_list[0])))
 		return 0;
@@ -242,7 +254,7 @@ int tls1_ec_curve_id2nid(int curve_id)
 
 int tls1_ec_nid2curve_id(int nid)
 	{
-	/* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
+	/* ECC curves from RFC 4492 */
 	switch (nid)
 		{
 	case NID_sect163k1: /* sect163k1 (1) */
@@ -342,33 +354,26 @@ static unsigned char tls12_sigalgs[] = {
 #ifndef OPENSSL_NO_SHA
 	tlsext_sigalg(TLSEXT_hash_sha1)
 #endif
-#ifndef OPENSSL_NO_MD5
-	tlsext_sigalg_rsa(TLSEXT_hash_md5)
-#endif
 };
 
 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
 	{
 	size_t slen = sizeof(tls12_sigalgs);
-#ifdef OPENSSL_FIPS
-	/* If FIPS mode don't include MD5 which is last */
-	if (FIPS_mode())
-		slen -= 2;
-#endif
 	if (p)
 		memcpy(p, tls12_sigalgs, slen);
 	return (int)slen;
 	}
 
-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
 	{
 	int extdatalen=0;
-	unsigned char *ret = p;
+	unsigned char *orig = buf;
+	unsigned char *ret = buf;
 
 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
 	if (s->client_version == SSL3_VERSION
 					&& !s->s3->send_connection_binding)
-		return p;
+		return orig;
 
 	ret+=2;
 
@@ -417,7 +422,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
               return NULL;
               }
 
-          if((limit - p - 4 - el) < 0) return NULL;
+          if((limit - ret - 4 - el) < 0) return NULL;
           
           s2n(TLSEXT_TYPE_renegotiate,ret);
           s2n(el,ret);
@@ -460,8 +465,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 #endif
 
 #ifndef OPENSSL_NO_EC
-	if (s->tlsext_ecpointformatlist != NULL &&
-	    s->version != DTLS1_VERSION)
+	if (s->tlsext_ecpointformatlist != NULL)
 		{
 		/* Add TLS extension ECPointFormats to the ClientHello message */
 		long lenmax; 
@@ -480,8 +484,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 		memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length);
 		ret+=s->tlsext_ecpointformatlist_length;
 		}
-	if (s->tlsext_ellipticcurvelist != NULL &&
-	    s->version != DTLS1_VERSION)
+	if (s->tlsext_ellipticcurvelist != NULL)
 		{
 		/* Add TLS extension EllipticCurves to the ClientHello message */
 		long lenmax; 
@@ -497,11 +500,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 		s2n(TLSEXT_TYPE_elliptic_curves,ret);
 		s2n(s->tlsext_ellipticcurvelist_length + 2, ret);
 
-		/* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for
-		 * elliptic_curve_list, but the examples use two bytes.
-		 * http://www1.ietf.org/mail-archive/web/tls/current/msg00538.html
-		 * resolves this to two bytes.
-		 */
 		s2n(s->tlsext_ellipticcurvelist_length, ret);
 		memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
 		ret+=s->tlsext_ellipticcurvelist_length;
@@ -625,6 +623,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 
 #ifndef OPENSSL_NO_HEARTBEATS
 	/* Add Heartbeat extension */
+	if ((limit - ret - 4 - 1) < 0)
+		return NULL;
 	s2n(TLSEXT_TYPE_heartbeat,ret);
 	s2n(1,ret);
 	/* Set mode:
@@ -656,7 +656,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 
                 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
                 
-                if((limit - p - 4 - el) < 0) return NULL;
+                if((limit - ret - 4 - el) < 0) return NULL;
 
                 s2n(TLSEXT_TYPE_use_srtp,ret);
                 s2n(el,ret);
@@ -669,25 +669,55 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                 ret += el;
                 }
 #endif
+	/* Add padding to workaround bugs in F5 terminators.
+	 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
+	 *
+	 * NB: because this code works out the length of all existing
+	 * extensions it MUST always appear last.
+	 */
+	if (s->options & SSL_OP_TLSEXT_PADDING)
+		{
+		int hlen = ret - (unsigned char *)s->init_buf->data;
+		/* The code in s23_clnt.c to build ClientHello messages
+		 * includes the 5-byte record header in the buffer, while
+		 * the code in s3_clnt.c does not.
+		 */
+		if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
+			hlen -= 5;
+		if (hlen > 0xff && hlen < 0x200)
+			{
+			hlen = 0x200 - hlen;
+			if (hlen >= 4)
+				hlen -= 4;
+			else
+				hlen = 0;
+
+			s2n(TLSEXT_TYPE_padding, ret);
+			s2n(hlen, ret);
+			memset(ret, 0, hlen);
+			ret += hlen;
+			}
+		}
 
-	if ((extdatalen = ret-p-2)== 0) 
-		return p;
+	if ((extdatalen = ret-orig-2)== 0) 
+		return orig;
 
-	s2n(extdatalen,p);
+	s2n(extdatalen, orig);
 	return ret;
 	}
 
-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
 	{
 	int extdatalen=0;
-	unsigned char *ret = p;
+	unsigned char *orig = buf;
+	unsigned char *ret = buf;
 #ifndef OPENSSL_NO_NEXTPROTONEG
 	int next_proto_neg_seen;
 #endif
 
 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
 	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
-		return p;
+		return orig;
 	
 	ret+=2;
 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
@@ -710,7 +740,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
               return NULL;
               }
 
-          if((limit - p - 4 - el) < 0) return NULL;
+          if((limit - ret - 4 - el) < 0) return NULL;
           
           s2n(TLSEXT_TYPE_renegotiate,ret);
           s2n(el,ret);
@@ -725,8 +755,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
         }
 
 #ifndef OPENSSL_NO_EC
-	if (s->tlsext_ecpointformatlist != NULL &&
-	    s->version != DTLS1_VERSION)
+	if (s->tlsext_ecpointformatlist != NULL)
 		{
 		/* Add TLS extension ECPointFormats to the ServerHello message */
 		long lenmax; 
@@ -790,7 +819,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 
                 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
                 
-                if((limit - p - 4 - el) < 0) return NULL;
+                if((limit - ret - 4 - el) < 0) return NULL;
 
                 s2n(TLSEXT_TYPE_use_srtp,ret);
                 s2n(el,ret);
@@ -823,6 +852,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 	/* Add Heartbeat extension if we've received one */
 	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
 		{
+		if ((limit - ret - 4 - 1) < 0)
+			return NULL;
 		s2n(TLSEXT_TYPE_heartbeat,ret);
 		s2n(1,ret);
 		/* Set mode:
@@ -859,13 +890,96 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 		}
 #endif
 
-	if ((extdatalen = ret-p-2)== 0) 
-		return p;
+	if ((extdatalen = ret-orig-2)== 0) 
+		return orig;
 
-	s2n(extdatalen,p);
+	s2n(extdatalen, orig);
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_EC
+/* ssl_check_for_safari attempts to fingerprint Safari using OS X
+ * SecureTransport using the TLS extension block in |d|, of length |n|.
+ * Safari, since 10.6, sends exactly these extensions, in this order:
+ *   SNI,
+ *   elliptic_curves
+ *   ec_point_formats
+ *
+ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
+ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
+ * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
+ * 10.8..10.8.3 (which don't work).
+ */
+static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
+	unsigned short type, size;
+	static const unsigned char kSafariExtensionsBlock[] = {
+		0x00, 0x0a,  /* elliptic_curves extension */
+		0x00, 0x08,  /* 8 bytes */
+		0x00, 0x06,  /* 6 bytes of curve ids */
+		0x00, 0x17,  /* P-256 */
+		0x00, 0x18,  /* P-384 */
+		0x00, 0x19,  /* P-521 */
+
+		0x00, 0x0b,  /* ec_point_formats */
+		0x00, 0x02,  /* 2 bytes */
+		0x01,        /* 1 point format */
+		0x00,        /* uncompressed */
+	};
+
+	/* The following is only present in TLS 1.2 */
+	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
+		0x00, 0x0d,  /* signature_algorithms */
+		0x00, 0x0c,  /* 12 bytes */
+		0x00, 0x0a,  /* 10 bytes */
+		0x05, 0x01,  /* SHA-384/RSA */
+		0x04, 0x01,  /* SHA-256/RSA */
+		0x02, 0x01,  /* SHA-1/RSA */
+		0x04, 0x03,  /* SHA-256/ECDSA */
+		0x02, 0x03,  /* SHA-1/ECDSA */
+	};
+
+	if (data >= (d+n-2))
+		return;
+	data += 2;
+
+	if (data > (d+n-4))
+		return;
+	n2s(data,type);
+	n2s(data,size);
+
+	if (type != TLSEXT_TYPE_server_name)
+		return;
+
+	if (data+size > d+n)
+		return;
+	data += size;
+
+	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
+		{
+		const size_t len1 = sizeof(kSafariExtensionsBlock);
+		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+
+		if (data + len1 + len2 != d+n)
+			return;
+		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+			return;
+		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
+			return;
+		}
+	else
+		{
+		const size_t len = sizeof(kSafariExtensionsBlock);
+
+		if (data + len != d+n)
+			return;
+		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+			return;
+		}
+
+	s->s3->is_probably_safari = 1;
+}
+#endif /* !OPENSSL_NO_EC */
+
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
 	{
 	unsigned short type;
@@ -886,6 +1000,21 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
 #endif
 
+#ifndef OPENSSL_NO_EC
+	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+		ssl_check_for_safari(s, data, d, n);
+#endif /* !OPENSSL_NO_EC */
+
+#ifndef OPENSSL_NO_SRP
+	if (s->srp_ctx.login != NULL)
+		{
+		OPENSSL_free(s->srp_ctx.login);
+		s->srp_ctx.login = NULL;
+		}
+#endif
+
+	s->srtp_profile = NULL;
+
 	if (data >= (d+n-2))
 		goto ri_check;
 	n2s(data,len);
@@ -1039,8 +1168,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 #endif
 
 #ifndef OPENSSL_NO_EC
-		else if (type == TLSEXT_TYPE_ec_point_formats &&
-	             s->version != DTLS1_VERSION)
+		else if (type == TLSEXT_TYPE_ec_point_formats)
 			{
 			unsigned char *sdata = data;
 			int ecpointformatlist_length = *(sdata++);
@@ -1074,15 +1202,16 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 			fprintf(stderr,"\n");
 #endif
 			}
-		else if (type == TLSEXT_TYPE_elliptic_curves &&
-	             s->version != DTLS1_VERSION)
+		else if (type == TLSEXT_TYPE_elliptic_curves)
 			{
 			unsigned char *sdata = data;
 			int ellipticcurvelist_length = (*(sdata++) << 8);
 			ellipticcurvelist_length += (*(sdata++));
 
 			if (ellipticcurvelist_length != size - 2 ||
-				ellipticcurvelist_length < 1)
+				ellipticcurvelist_length < 1 ||
+				/* Each NamedCurve is 2 bytes. */
+				ellipticcurvelist_length & 1)
 				{
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
@@ -1181,7 +1310,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 				}
 			}
 		else if (type == TLSEXT_TYPE_status_request &&
-		         s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
+		         s->version != DTLS1_VERSION)
 			{
 		
 			if (size < 5) 
@@ -1396,6 +1525,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 #ifndef OPENSSL_NO_NEXTPROTONEG
 	s->s3->next_proto_neg_seen = 0;
 #endif
+	s->tlsext_ticket_expected = 0;
 
 #ifndef OPENSSL_NO_HEARTBEATS
 	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
@@ -1435,8 +1565,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 			}
 
 #ifndef OPENSSL_NO_EC
-		else if (type == TLSEXT_TYPE_ec_point_formats &&
-	             s->version != DTLS1_VERSION)
+		else if (type == TLSEXT_TYPE_ec_point_formats)
 			{
 			unsigned char *sdata = data;
 			int ecpointformatlist_length = *(sdata++);
@@ -1691,7 +1820,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
 		s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
 		s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
 
-		/* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
+		/* we support all named elliptic curves in RFC 4492 */
 		if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
 		s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
 		if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
@@ -2255,7 +2384,11 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 		}
 	EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
 	if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
+		{
+		EVP_CIPHER_CTX_cleanup(&ctx);
+		OPENSSL_free(sdec);
 		return 2;
+		}
 	slen += mlen;
 	EVP_CIPHER_CTX_cleanup(&ctx);
 	p = sdec;
@@ -2371,14 +2504,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
 	{
 	switch(hash_alg)
 		{
-#ifndef OPENSSL_NO_MD5
-		case TLSEXT_hash_md5:
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			return NULL;
-#endif
-		return EVP_md5();
-#endif
 #ifndef OPENSSL_NO_SHA
 		case TLSEXT_hash_sha1:
 		return EVP_sha1();
diff --git a/crypto/openssl/ssl/tls1.h b/crypto/openssl/ssl/tls1.h
index 1b104795f40e..6ae887646253 100644
--- a/crypto/openssl/ssl/tls1.h
+++ b/crypto/openssl/ssl/tls1.h
@@ -233,6 +233,12 @@ extern "C" {
 /* ExtensionType value from RFC5620 */
 #define TLSEXT_TYPE_heartbeat	15
 
+/* ExtensionType value for TLS padding extension.
+ * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
+ * http://tools.ietf.org/html/draft-agl-tls-padding-03
+ */
+#define TLSEXT_TYPE_padding	21
+
 /* ExtensionType value from RFC4507 */
 #define TLSEXT_TYPE_session_ticket		35
 
diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num
index c1a0df4f7fb1..3821c9c99e89 100644
--- a/crypto/openssl/util/libeay.num
+++ b/crypto/openssl/util/libeay.num
@@ -3512,6 +3512,7 @@ BIO_set_callback                        3903	EXIST::FUNCTION:
 d2i_ASIdOrRange                         3904	EXIST::FUNCTION:RFC3779
 i2d_ASIdentifiers                       3905	EXIST::FUNCTION:RFC3779
 CRYPTO_memcmp                           3906	EXIST::FUNCTION:
+BN_consttime_swap                       3907	EXIST::FUNCTION:
 SEED_decrypt                            3908	EXIST::FUNCTION:SEED
 SEED_encrypt                            3909	EXIST::FUNCTION:SEED
 SEED_cbc_encrypt                        3910	EXIST::FUNCTION:SEED
diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl
index 72fa089f6b92..550ef9f68534 100755
--- a/crypto/openssl/util/mk1mf.pl
+++ b/crypto/openssl/util/mk1mf.pl
@@ -625,7 +625,7 @@ open (OUT,">>crypto/buildinf.h") || die "Can't open buildinf.h";
 printf OUT <<EOF;
 #ifdef $platform_cpp_symbol
   /* auto-generated/updated by util/mk1mf.pl for crypto/cversion.c */
-  #define CFLAGS "$cc $cflags"
+  #define CFLAGS "compiler: $cc $cflags"
   #define PLATFORM "$platform"
 EOF
 printf OUT "  #define DATE \"%s\"\n", scalar gmtime();
@@ -671,12 +671,6 @@ foreach (values %lib_nam)
 	$lib_obj=$lib_obj{$_};
 	local($slib)=$shlib;
 
-	if (($_ eq "SSL") && $no_ssl2 && $no_ssl3)
-		{
-		$rules.="\$(O_SSL):\n\n"; 
-		next;
-		}
-
 	$defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);
 	$lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:" \$(LIB_CFLAGS)";
 	$rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib);
@@ -1077,12 +1071,17 @@ sub do_copy_rule
 	return($ret);
 	}
 
+# Options picked up from the OPTIONS line in the top level Makefile
+# generated by Configure.
+
 sub read_options
 	{
 	# Many options are handled in a similar way. In particular
 	# no-xxx sets zero or more scalars to 1.
-	# Process these using a hash containing the option name and
-	# reference to the scalars to set.
+	# Process these using the %valid_options hash containing the option
+	# name and reference to the scalars to set. In some cases the option
+	# needs no special handling and can be ignored: this is done by
+	# setting the value to 0.
 
 	my %valid_options = (
 		"no-rc2" => \$no_rc2,
@@ -1116,6 +1115,7 @@ sub read_options
 		"gaswin" => \$gaswin,
 		"no-ssl2" => \$no_ssl2,
 		"no-ssl3" => \$no_ssl3,
+		"no-ssl3-method" => 0,
 		"no-tlsext" => \$no_tlsext,
 		"no-srp" => \$no_srp,
 		"no-cms" => \$no_cms,
@@ -1145,11 +1145,13 @@ sub read_options
 		"dll" => \$shlib,
 		"shared" => 0,
 		"no-sctp" => 0,
+		"no-srtp" => 0,
 		"no-gmp" => 0,
 		"no-rfc3779" => 0,
 		"no-montasm" => 0,
 		"no-shared" => 0,
 		"no-store" => 0,
+		"no-unit-test" => 0,
 		"no-zlib" => 0,
 		"no-zlib-dynamic" => 0,
 		"fips" => \$fips
diff --git a/crypto/openssl/util/mkbuildinf.pl b/crypto/openssl/util/mkbuildinf.pl
new file mode 100755
index 000000000000..ffa8a39933f1
--- /dev/null
+++ b/crypto/openssl/util/mkbuildinf.pl
@@ -0,0 +1,35 @@
+#!/usr/local/bin/perl
+
+my ($cflags, $platform) = @ARGV;
+
+$cflags = "compiler: $cflags";
+$date = localtime();
+print <<"END_OUTPUT";
+#ifndef MK1MF_BUILD
+    /* auto-generated by util/mkbuildinf.pl for crypto/cversion.c */
+    #define CFLAGS cflags
+    /*
+     * Generate CFLAGS as an array of individual characters. This is a
+     * workaround for the situation where CFLAGS gets too long for a C90 string
+     * literal
+     */
+    static const char cflags[] = {
+END_OUTPUT
+my $ctr = 0;
+foreach my $c (split //, $cflags) {
+    # Max 18 characters per line
+    if  (($ctr++ % 18) == 0) {
+        if ($ctr != 1) {
+            print "\n";
+        }
+        print "        ";
+    }
+    print "'$c',";
+}
+print <<"END_OUTPUT";
+'\\0'
+    };
+    #define PLATFORM "platform: $platform"
+    #define DATE "built on: $date"
+#endif
+END_OUTPUT
diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl
index 9a8c7b87d1af..894f0529fc47 100755
--- a/crypto/openssl/util/mkdef.pl
+++ b/crypto/openssl/util/mkdef.pl
@@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 "CAPIENG",
 			 # SSL v2
 			 "SSL2",
+			 # SSL v3 method
+			 "SSL3_METHOD",
 			 # JPAKE
 			 "JPAKE",
 			 # NEXTPROTONEG
@@ -116,7 +118,11 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 # Hide SSL internals
 			 "SSL_INTERN",
 			 # SCTP
-			 "SCTP");
+		 	 "SCTP",
+			 # SRTP
+			 "SRTP",
+			 # Unit testing
+		 	 "UNIT_TEST");
 
 my $options="";
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
@@ -136,7 +142,8 @@ my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
 my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
 my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; 
-my $no_nextprotoneg; my $no_sctp;
+my $no_nextprotoneg; my $no_sctp; my $no_srtp;
+my $no_unit_test; my $no_ssl3_method;
 
 my $fips;
 
@@ -231,10 +238,13 @@ foreach (@ARGV, split(/ /, $options))
 	elsif (/^no-ec_nistp_64_gcc_128$/)	{ $no_nistp_gcc=1; }
 	elsif (/^no-nextprotoneg$/)	{ $no_nextprotoneg=1; }
 	elsif (/^no-ssl2$/)	{ $no_ssl2=1; }
+	elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
 	elsif (/^no-capieng$/)	{ $no_capieng=1; }
 	elsif (/^no-jpake$/)	{ $no_jpake=1; }
 	elsif (/^no-srp$/)	{ $no_srp=1; }
 	elsif (/^no-sctp$/)	{ $no_sctp=1; }
+	elsif (/^no-srtp$/)	{ $no_srtp=1; }
+	elsif (/^no-unit-test$/){ $no_unit_test=1; }
 	}
 
 
@@ -1201,10 +1211,13 @@ sub is_valid
 			if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
 					{ return 0; }
 			if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
+			if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
 			if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
 			if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
 			if ($keyword eq "SRP" && $no_srp) { return 0; }
 			if ($keyword eq "SCTP" && $no_sctp) { return 0; }
+			if ($keyword eq "SRTP" && $no_srtp) { return 0; }
+			if ($keyword eq "UNIT_TEST" && $no_unit_test) { return 0; }
 			if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }
 
 			# Nothing recognise as true
diff --git a/crypto/openssl/util/mkerr.pl b/crypto/openssl/util/mkerr.pl
index aec401c77318..ee23a8291242 100644
--- a/crypto/openssl/util/mkerr.pl
+++ b/crypto/openssl/util/mkerr.pl
@@ -787,7 +787,7 @@ foreach (keys %rcodes) {
 	push (@runref, $_) unless exists $urcodes{$_};
 }
 
-if($debug && defined(@funref) ) {
+if($debug && @funref) {
 	print STDERR "The following function codes were not referenced:\n";
 	foreach(sort @funref)
 	{
@@ -795,7 +795,7 @@ if($debug && defined(@funref) ) {
 	}
 }
 
-if($debug && defined(@runref) ) {
+if($debug && @runref) {
 	print STDERR "The following reason codes were not referenced:\n";
 	foreach(sort @runref)
 	{
diff --git a/crypto/openssl/util/pl/BC-32.pl b/crypto/openssl/util/pl/BC-32.pl
index 1f1e13fb4068..b41bb45e8204 100644
--- a/crypto/openssl/util/pl/BC-32.pl
+++ b/crypto/openssl/util/pl/BC-32.pl
@@ -18,7 +18,7 @@ $out_def="out32";
 $tmp_def="tmp32";
 $inc_def="inc32";
 #enable max error messages, disable most common warnings
-$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp ";
+$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp -D_timeb=timeb -D_ftime=ftime ";
 if ($debug)
 {
     $cflags.="-Od -y -v -vi- -D_DEBUG";
@@ -38,7 +38,7 @@ $efile="";
 $exep='.exe';
 if ($no_sock)
 	{ $ex_libs=""; }
-else	{ $ex_libs="cw32mt.lib import32.lib"; }
+else	{ $ex_libs="cw32mt.lib import32.lib crypt32.lib ws2_32.lib"; }
 
 # static library stuff
 $mklib='tlib /P64';
@@ -51,8 +51,8 @@ $lfile='';
 $shlib_ex_obj="";
 $app_ex_obj="c0x32.obj"; 
 
-$asm='nasmw -f obj -d__omf__';
-$asm.=" /Zi" if $debug;
+$asm=(`nasm -v 2>NUL` ge `nasmw -v 2>NUL`?"nasm":"nasmw")." -f obj -d__omf__";
+$asm.=" -g" if $debug;
 $afile='-o';
 
 $bn_mulw_obj='';
diff --git a/crypto/openssl/util/pl/VC-32.pl b/crypto/openssl/util/pl/VC-32.pl
index 6c550f54aedf..3705fc73b70c 100644
--- a/crypto/openssl/util/pl/VC-32.pl
+++ b/crypto/openssl/util/pl/VC-32.pl
@@ -27,6 +27,8 @@ $zlib_lib="zlib1.lib";
 $l_flags =~ s/-L("\[^"]+")/\/libpath:$1/g;
 $l_flags =~ s/-L(\S+)/\/libpath:$1/g;
 
+my $ff = "";
+
 # C compiler stuff
 $cc='cl';
 if ($FLAVOR =~ /WIN64/)
@@ -126,6 +128,7 @@ else	# Win32
     $base_cflags= " $mf_cflag";
     my $f = $shlib || $fips ?' /MD':' /MT';
     $lib_cflag='/Zl' if (!$shlib);	# remove /DEFAULTLIBs from static lib
+    $ff = "/fixed";
     $opt_cflags=$f.' /Ox /O2 /Ob2';
     $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
     $lflags="/nologo /subsystem:console /opt:ref";
@@ -318,7 +321,7 @@ sub do_lib_rule
 			$ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
 			$ret.="\tSET FIPS_TARGET=$target\n";
 			$ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
-			$ret.="\t\$(FIPSLINK) \$(MLFLAGS) /map $base_arg $efile$target ";
+			$ret.="\t\$(FIPSLINK) \$(MLFLAGS) $ff /map $base_arg $efile$target ";
 			$ret.="$name @<<\n  \$(SHLIB_EX_OBJ) $objs \$(EX_LIBS) ";
 			$ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n";
 			}
@@ -355,7 +358,7 @@ sub do_link_rule
 		$ret.="\tSET FIPS_TARGET=$target\n";
 		$ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
 		$ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
-		$ret.="\t\$(FIPSLINK) \$(LFLAGS) /map $efile$target @<<\n";
+		$ret.="\t\$(FIPSLINK) \$(LFLAGS) $ff /map $efile$target @<<\n";
 		$ret.="\t\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n";
 		}
 	else
diff --git a/crypto/openssl/util/pl/netware.pl b/crypto/openssl/util/pl/netware.pl
index c78bcfc87422..fe80a9bb8990 100644
--- a/crypto/openssl/util/pl/netware.pl
+++ b/crypto/openssl/util/pl/netware.pl
@@ -212,7 +212,7 @@ else
    #        Turned off the "possible" warnings ( -w nopossible ).  Metrowerks
    #        complained a lot about various stuff.  May want to turn back
    #        on for further development.
-   $cflags.=" -nostdinc -ir crypto -ir engines -ir apps -I$include_path \\
+   $cflags.=" -nostdinc -ir crypto -ir ssl -ir engines -ir apps -I$include_path \\
          -msgstyle gcc -align 4 -processor pentium -char unsigned \\
          -w on -w nolargeargs -w nopossible -w nounusedarg -w nounusedexpr \\
          -w noimplicitconv -relax_pointers -nosyspath -maxerrors 20";
diff --git a/crypto/openssl/util/shlib_wrap.sh b/crypto/openssl/util/shlib_wrap.sh
index 9416d593d2b8..8775cb5411e1 100755
--- a/crypto/openssl/util/shlib_wrap.sh
+++ b/crypto/openssl/util/shlib_wrap.sh
@@ -90,4 +90,8 @@ fi
 
 cmd="$1${EXE_EXT}"
 shift
-exec "$cmd" "$@"
+if [ $# -eq 0 ]; then
+	exec "$cmd"	# old sh, such as Tru64 4.x, fails to expand empty "$@"
+else
+	exec "$cmd" "$@"
+fi
diff --git a/crypto/openssl/util/ssleay.num b/crypto/openssl/util/ssleay.num
index 37655bc40a83..dd1c5e88239e 100644
--- a/crypto/openssl/util/ssleay.num
+++ b/crypto/openssl/util/ssleay.num
@@ -101,9 +101,9 @@ SSLv23_server_method                    112	EXIST::FUNCTION:RSA
 SSLv2_client_method                     113	EXIST::FUNCTION:RSA,SSL2
 SSLv2_method                            114	EXIST::FUNCTION:RSA,SSL2
 SSLv2_server_method                     115	EXIST::FUNCTION:RSA,SSL2
-SSLv3_client_method                     116	EXIST::FUNCTION:
-SSLv3_method                            117	EXIST::FUNCTION:
-SSLv3_server_method                     118	EXIST::FUNCTION:
+SSLv3_client_method                     116	EXIST::FUNCTION:SSL3_METHOD
+SSLv3_method                            117	EXIST::FUNCTION:SSL3_METHOD
+SSLv3_server_method                     118	EXIST::FUNCTION:SSL3_METHOD
 d2i_SSL_SESSION                         119	EXIST::FUNCTION:
 i2d_SSL_SESSION                         120	EXIST::FUNCTION:
 BIO_f_ssl                               121	EXIST::FUNCTION:BIO
@@ -181,6 +181,7 @@ SSL_get_verify_depth                    229	EXIST::FUNCTION:
 SSL_CTX_set_session_id_context          231	EXIST::FUNCTION:
 SSL_CTX_set_cert_verify_callback        232	EXIST:!VMS:FUNCTION:
 SSL_CTX_set_cert_verify_cb              232	EXIST:VMS:FUNCTION:
+SSL_test_functions                      233	EXIST::FUNCTION:UNIT_TEST
 SSL_CTX_set_default_passwd_cb_userdata  235	EXIST:!VMS:FUNCTION:
 SSL_CTX_set_def_passwd_cb_ud            235	EXIST:VMS:FUNCTION:
 SSL_set_purpose                         236	EXIST::FUNCTION:
@@ -309,14 +310,14 @@ TLSv1_2_method                          350	EXIST::FUNCTION:
 SSL_SESSION_get_id_len                  351	NOEXIST::FUNCTION:
 kssl_ctx_get0_client_princ              352	EXIST::FUNCTION:KRB5
 SSL_export_keying_material              353	EXIST::FUNCTION:TLSEXT
-SSL_set_tlsext_use_srtp                 354	EXIST::FUNCTION:
+SSL_set_tlsext_use_srtp                 354	EXIST::FUNCTION:SRTP
 SSL_CTX_set_next_protos_advertised_cb   355	EXIST:!VMS:FUNCTION:NEXTPROTONEG
 SSL_CTX_set_next_protos_adv_cb          355	EXIST:VMS:FUNCTION:NEXTPROTONEG
 SSL_get0_next_proto_negotiated          356	EXIST::FUNCTION:NEXTPROTONEG
-SSL_get_selected_srtp_profile           357	EXIST::FUNCTION:
-SSL_CTX_set_tlsext_use_srtp             358	EXIST::FUNCTION:
+SSL_get_selected_srtp_profile           357	EXIST::FUNCTION:SRTP
+SSL_CTX_set_tlsext_use_srtp             358	EXIST::FUNCTION:SRTP
 SSL_select_next_proto                   359	EXIST::FUNCTION:NEXTPROTONEG
-SSL_get_srtp_profiles                   360	EXIST::FUNCTION:
+SSL_get_srtp_profiles                   360	EXIST::FUNCTION:SRTP
 SSL_CTX_set_next_proto_select_cb        361	EXIST:!VMS:FUNCTION:NEXTPROTONEG
 SSL_CTX_set_next_proto_sel_cb           361	EXIST:VMS:FUNCTION:NEXTPROTONEG
 SSL_SESSION_get_compress_id             362	EXIST::FUNCTION:
diff --git a/secure/lib/libcrypto/Makefile b/secure/lib/libcrypto/Makefile
index c28c5102d3b1..330b08fcf2a3 100644
--- a/secure/lib/libcrypto/Makefile
+++ b/secure/lib/libcrypto/Makefile
@@ -390,9 +390,9 @@ CLEANFILES=	buildinf.h opensslconf.h
 
 buildinf.h: ${.CURDIR}/Makefile
 	( echo "#ifndef MK1MF_BUILD"; \
-	echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
-	echo "  #define CFLAGS \"$(CC)\""; \
-	echo "  #define PLATFORM \"FreeBSD-${MACHINE_ARCH}\""; \
+	echo "    /* auto-generated by util/mkbuildinf.pl for crypto/cversion.c */"; \
+	echo "    #define CFLAGS \"compiler: ${COMPILER_TYPE}\""; \
+	echo "    #define PLATFORM \"platform: FreeBSD-${MACHINE_ARCH}\""; \
 	echo "#endif" ) > ${.TARGET}
 
 .if ${MACHINE_CPUARCH} == "amd64" || ${MACHINE_CPUARCH} == "i386"
diff --git a/secure/lib/libcrypto/Makefile.inc b/secure/lib/libcrypto/Makefile.inc
index b28bc8dfecce..6a0ad9a0766e 100644
--- a/secure/lib/libcrypto/Makefile.inc
+++ b/secure/lib/libcrypto/Makefile.inc
@@ -3,8 +3,8 @@
 .include <bsd.own.mk>
 
 # OpenSSL version used for manual page generation
-OPENSSL_VER=	1.0.1e
-OPENSSL_DATE=	2013-02-11
+OPENSSL_VER=	1.0.1l
+OPENSSL_DATE=	2015-01-15
 
 LCRYPTO_SRC=	${.CURDIR}/../../../crypto/openssl
 LCRYPTO_DOC=	${.CURDIR}/../../../crypto/openssl/doc
diff --git a/secure/lib/libcrypto/Makefile.man b/secure/lib/libcrypto/Makefile.man
index 2b88bd3ad2dd..095356e405bf 100644
--- a/secure/lib/libcrypto/Makefile.man
+++ b/secure/lib/libcrypto/Makefile.man
@@ -47,6 +47,7 @@ MAN+= BN_swap.3
 MAN+= BN_zero.3
 MAN+= CMS_add0_cert.3
 MAN+= CMS_add1_recipient_cert.3
+MAN+= CMS_add1_signer.3
 MAN+= CMS_compress.3
 MAN+= CMS_decrypt.3
 MAN+= CMS_encrypt.3
@@ -56,7 +57,6 @@ MAN+= CMS_get0_SignerInfos.3
 MAN+= CMS_get0_type.3
 MAN+= CMS_get1_ReceiptRequest.3
 MAN+= CMS_sign.3
-MAN+= CMS_sign_add1_signer.3
 MAN+= CMS_sign_receipt.3
 MAN+= CMS_uncompress.3
 MAN+= CMS_verify.3
@@ -397,6 +397,7 @@ MLINKS+= CMS_add0_cert.3 CMS_get1_certs.3
 MLINKS+= CMS_add0_cert.3 CMS_add0_crl.3
 MLINKS+= CMS_add0_cert.3 CMS_get1_crls.3
 MLINKS+= CMS_add1_recipient_cert.3 CMS_add0_recipient_key.3
+MLINKS+= CMS_add1_signer.3 CMS_SignerInfo_sign.3
 MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_type.3
 MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_ktri_get0_signer_id.3
 MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_ktri_cert_cmp.3
@@ -413,7 +414,6 @@ MLINKS+= CMS_get0_type.3 CMS_get0_eContentType.3
 MLINKS+= CMS_get1_ReceiptRequest.3 CMS_ReceiptRequest_create0.3
 MLINKS+= CMS_get1_ReceiptRequest.3 CMS_add1_ReceiptRequest.3
 MLINKS+= CMS_get1_ReceiptRequest.3 CMS_ReceiptRequest_get0_values.3
-MLINKS+= CMS_sign_add1_signer.3 CMS_SignerInfo_sign.3
 MLINKS+= CONF_modules_free.3 CONF_modules_finish.3
 MLINKS+= CONF_modules_free.3 CONF_modules_unload.3
 MLINKS+= CONF_modules_load_file.3 CONF_modules_load.3
diff --git a/secure/lib/libcrypto/amd64/bsaes-x86_64.S b/secure/lib/libcrypto/amd64/bsaes-x86_64.S
index 671925b1e205..5588ef52054b 100644
--- a/secure/lib/libcrypto/amd64/bsaes-x86_64.S
+++ b/secure/lib/libcrypto/amd64/bsaes-x86_64.S
@@ -365,7 +365,6 @@ _bsaes_encrypt8_bitslice:
 	pxor	%xmm11,%xmm7
 	pshufd	$78,%xmm3,%xmm1
 	pxor	%xmm12,%xmm8
-
 	pxor	%xmm10,%xmm2
 	pxor	%xmm14,%xmm6
 	pxor	%xmm13,%xmm5
@@ -798,148 +797,86 @@ _bsaes_decrypt8:
 	decl	%r10d
 	jl	.Ldec_done
 
-	pshufd	$147,%xmm4,%xmm14
-	movdqa	%xmm5,%xmm9
-	pxor	%xmm6,%xmm4
-	pxor	%xmm6,%xmm5
-	pshufd	$147,%xmm15,%xmm7
-	movdqa	%xmm6,%xmm12
-	pxor	%xmm15,%xmm6
-	pxor	%xmm0,%xmm15
-	pshufd	$147,%xmm0,%xmm8
-	pxor	%xmm5,%xmm0
-	pxor	%xmm2,%xmm15
-	pxor	%xmm3,%xmm0
-	pshufd	$147,%xmm3,%xmm10
-	pxor	%xmm15,%xmm5
-	pxor	%xmm4,%xmm3
-	pxor	%xmm2,%xmm4
-	pshufd	$147,%xmm2,%xmm13
-	movdqa	%xmm1,%xmm11
-	pxor	%xmm1,%xmm2
-	pxor	%xmm3,%xmm1
-	pxor	%xmm4,%xmm3
-	pxor	%xmm12,%xmm2
-	pxor	%xmm9,%xmm3
-	pxor	%xmm11,%xmm3
-	pshufd	$147,%xmm12,%xmm12
-
-	pxor	%xmm4,%xmm6
-	pxor	%xmm7,%xmm4
-	pxor	%xmm8,%xmm6
-	pshufd	$147,%xmm9,%xmm9
-	pxor	%xmm12,%xmm4
-	pxor	%xmm13,%xmm6
-	pxor	%xmm14,%xmm4
-	pshufd	$147,%xmm11,%xmm11
-	pxor	%xmm13,%xmm14
-	pxor	%xmm4,%xmm6
-
+	pshufd	$78,%xmm15,%xmm7
+	pshufd	$78,%xmm2,%xmm13
+	pxor	%xmm15,%xmm7
+	pshufd	$78,%xmm4,%xmm14
+	pxor	%xmm2,%xmm13
+	pshufd	$78,%xmm0,%xmm8
+	pxor	%xmm4,%xmm14
+	pshufd	$78,%xmm5,%xmm9
+	pxor	%xmm0,%xmm8
+	pshufd	$78,%xmm3,%xmm10
+	pxor	%xmm5,%xmm9
+	pxor	%xmm13,%xmm15
+	pxor	%xmm13,%xmm0
+	pshufd	$78,%xmm1,%xmm11
+	pxor	%xmm3,%xmm10
 	pxor	%xmm7,%xmm5
-	pshufd	$147,%xmm7,%xmm7
-	pxor	%xmm8,%xmm15
-	pxor	%xmm8,%xmm0
-	pxor	%xmm9,%xmm15
-	pshufd	$147,%xmm8,%xmm8
-	pxor	%xmm9,%xmm5
-	pxor	%xmm9,%xmm3
-	pxor	%xmm14,%xmm15
-	pshufd	$147,%xmm9,%xmm9
-	pxor	%xmm10,%xmm5
-	pxor	%xmm10,%xmm1
-	pxor	%xmm10,%xmm0
-	pshufd	$147,%xmm10,%xmm10
-	pxor	%xmm11,%xmm2
-	pxor	%xmm11,%xmm3
-	pxor	%xmm14,%xmm2
-	pxor	%xmm12,%xmm5
-	pxor	%xmm11,%xmm0
-	pxor	%xmm12,%xmm14
-
-	pxor	%xmm14,%xmm3
-	pshufd	$147,%xmm11,%xmm11
-	pxor	%xmm14,%xmm1
+	pxor	%xmm8,%xmm3
+	pshufd	$78,%xmm6,%xmm12
+	pxor	%xmm1,%xmm11
 	pxor	%xmm14,%xmm0
+	pxor	%xmm9,%xmm1
+	pxor	%xmm6,%xmm12
 
-	pxor	%xmm12,%xmm14
-	pshufd	$147,%xmm12,%xmm12
-	pxor	%xmm13,%xmm14
-
-
-	pxor	%xmm2,%xmm0
+	pxor	%xmm14,%xmm5
+	pxor	%xmm13,%xmm3
+	pxor	%xmm13,%xmm1
+	pxor	%xmm10,%xmm6
 	pxor	%xmm11,%xmm2
-	pshufd	$147,%xmm13,%xmm13
-	pxor	%xmm7,%xmm15
-	pxor	%xmm12,%xmm2
-	pxor	%xmm9,%xmm15
-	pshufd	$147,%xmm14,%xmm14
-
-	pxor	%xmm6,%xmm5
-	pxor	%xmm8,%xmm6
-	pxor	%xmm7,%xmm4
-	pxor	%xmm7,%xmm5
-	pxor	%xmm12,%xmm6
-	pxor	%xmm12,%xmm4
+	pxor	%xmm14,%xmm1
 	pxor	%xmm14,%xmm6
-	pshufd	$147,%xmm7,%xmm7
-	pxor	%xmm13,%xmm4
-	pxor	%xmm6,%xmm5
+	pxor	%xmm12,%xmm4
+	pshufd	$147,%xmm15,%xmm7
+	pshufd	$147,%xmm0,%xmm8
+	pxor	%xmm7,%xmm15
+	pshufd	$147,%xmm5,%xmm9
 	pxor	%xmm8,%xmm0
-	pshufd	$147,%xmm8,%xmm8
-
-	pxor	%xmm14,%xmm2
-	pxor	%xmm9,%xmm0
-	pxor	%xmm9,%xmm3
-	pshufd	$147,%xmm9,%xmm9
-	pxor	%xmm13,%xmm15
-	pxor	%xmm10,%xmm13
-	pxor	%xmm2,%xmm0
-	pxor	%xmm13,%xmm5
-
-	pxor	%xmm13,%xmm1
-	pxor	%xmm12,%xmm3
+	pshufd	$147,%xmm3,%xmm10
+	pxor	%xmm9,%xmm5
+	pshufd	$147,%xmm1,%xmm11
+	pxor	%xmm10,%xmm3
+	pshufd	$147,%xmm6,%xmm12
 	pxor	%xmm11,%xmm1
-	pshufd	$147,%xmm11,%xmm11
-	pxor	%xmm13,%xmm3
-	pxor	%xmm14,%xmm1
-	pxor	%xmm10,%xmm13
-
-	pshufd	$147,%xmm12,%xmm12
-	pshufd	$147,%xmm13,%xmm13
-	pshufd	$147,%xmm14,%xmm14
-	pshufd	$147,%xmm10,%xmm10
-
+	pshufd	$147,%xmm2,%xmm13
+	pxor	%xmm12,%xmm6
+	pshufd	$147,%xmm4,%xmm14
+	pxor	%xmm13,%xmm2
+	pxor	%xmm14,%xmm4
 
-	pxor	%xmm6,%xmm0
-	pxor	%xmm6,%xmm8
-	pxor	%xmm12,%xmm7
-	pxor	%xmm12,%xmm8
-	pxor	%xmm7,%xmm5
+	pxor	%xmm15,%xmm8
 	pxor	%xmm4,%xmm7
-	pxor	%xmm13,%xmm8
-	pxor	%xmm14,%xmm13
+	pxor	%xmm4,%xmm8
+	pshufd	$78,%xmm15,%xmm15
+	pxor	%xmm0,%xmm9
+	pshufd	$78,%xmm0,%xmm0
+	pxor	%xmm1,%xmm12
+	pxor	%xmm7,%xmm15
+	pxor	%xmm6,%xmm13
 	pxor	%xmm8,%xmm0
-	pxor	%xmm11,%xmm2
-	pxor	%xmm0,%xmm11
-	pxor	%xmm10,%xmm1
-	pxor	%xmm5,%xmm10
-	pxor	%xmm9,%xmm3
-	pxor	%xmm15,%xmm9
-	pxor	%xmm14,%xmm10
-	pxor	%xmm3,%xmm12
-	pxor	%xmm13,%xmm9
-	pxor	%xmm13,%xmm12
-	pxor	%xmm1,%xmm13
+	pxor	%xmm3,%xmm11
+	pshufd	$78,%xmm1,%xmm7
 	pxor	%xmm2,%xmm14
-
-	movdqa	%xmm7,%xmm15
-	movdqa	%xmm8,%xmm0
-	movdqa	%xmm9,%xmm1
-	movdqa	%xmm10,%xmm2
-	movdqa	%xmm11,%xmm3
-	movdqa	%xmm12,%xmm4
+	pshufd	$78,%xmm6,%xmm8
+	pxor	%xmm5,%xmm10
+	pshufd	$78,%xmm3,%xmm1
+	pxor	%xmm4,%xmm10
+	pshufd	$78,%xmm4,%xmm6
+	pxor	%xmm4,%xmm11
+	pshufd	$78,%xmm2,%xmm3
+	pxor	%xmm11,%xmm7
+	pshufd	$78,%xmm5,%xmm2
+	pxor	%xmm12,%xmm8
+	pxor	%xmm1,%xmm10
+	pxor	%xmm14,%xmm6
+	pxor	%xmm3,%xmm13
+	movdqa	%xmm7,%xmm3
+	pxor	%xmm9,%xmm2
 	movdqa	%xmm13,%xmm5
-	movdqa	%xmm14,%xmm6
+	movdqa	%xmm8,%xmm4
+	movdqa	%xmm2,%xmm1
+	movdqa	%xmm10,%xmm2
 	movdqa	-16(%r11),%xmm7
 	jnz	.Ldec_loop
 	movdqa	-32(%r11),%xmm7
diff --git a/secure/lib/libcrypto/amd64/vpaes-x86_64.S b/secure/lib/libcrypto/amd64/vpaes-x86_64.S
index c82bf7848b61..8cb9644ce3fd 100644
--- a/secure/lib/libcrypto/amd64/vpaes-x86_64.S
+++ b/secure/lib/libcrypto/amd64/vpaes-x86_64.S
@@ -824,6 +824,6 @@ _vpaes_consts:
 .Lk_dsbo:
 .quad	0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
 .quad	0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.byte	86,101,99,116,111,114,32,80,101,114,109,117,116,97,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0
+.byte	86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0
 .align	64
 .size	_vpaes_consts,.-_vpaes_consts
diff --git a/secure/lib/libcrypto/i386/x86cpuid.s b/secure/lib/libcrypto/i386/x86cpuid.s
index 5db31f84187c..815ff6989ce3 100644
--- a/secure/lib/libcrypto/i386/x86cpuid.s
+++ b/secure/lib/libcrypto/i386/x86cpuid.s
@@ -62,6 +62,7 @@ OPENSSL_ia32_cpuid:
 	movzbl	%cl,%esi
 	incl	%esi
 	movl	$1,%eax
+	xorl	%ecx,%ecx
 	.byte	0x0f,0xa2
 	btl	$28,%edx
 	jnc	.L002generic
@@ -83,6 +84,7 @@ OPENSSL_ia32_cpuid:
 	andl	$4095,%edi
 .L003nocacheinfo:
 	movl	$1,%eax
+	xorl	%ecx,%ecx
 	.byte	0x0f,0xa2
 	andl	$3220176895,%edx
 	cmpl	$0,%ebp
diff --git a/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 b/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
index 5701092b9ef3..b9e340bc735c 100644
--- a/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
+++ b/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_OBJECT_new 3"
-.TH ASN1_OBJECT_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ASN1_OBJECT_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -142,7 +151,7 @@ ASN1_OBJECT_new, ASN1_OBJECT_free, \- object allocation functions
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \s-1ASN1_OBJECT\s0 allocation routines, allocate and free an
-\&\s-1ASN1_OBJECT\s0 structure, which represents an \s-1ASN1\s0 \s-1OBJECT\s0 \s-1IDENTIFIER\s0.
+\&\s-1ASN1_OBJECT\s0 structure, which represents an \s-1ASN1 OBJECT IDENTIFIER.\s0
 .PP
 \&\fIASN1_OBJECT_new()\fR allocates and initializes a \s-1ASN1_OBJECT\s0 structure.
 .PP
diff --git a/secure/lib/libcrypto/man/ASN1_STRING_length.3 b/secure/lib/libcrypto/man/ASN1_STRING_length.3
index d6ca2cd2115f..476aecb3d7f7 100644
--- a/secure/lib/libcrypto/man/ASN1_STRING_length.3
+++ b/secure/lib/libcrypto/man/ASN1_STRING_length.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_STRING_length 3"
-.TH ASN1_STRING_length 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ASN1_STRING_length 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -193,7 +202,7 @@ utility functions should be used instead.
 In general it cannot be assumed that the data returned by \fIASN1_STRING_data()\fR
 is null terminated or does not contain embedded nulls. The actual format
 of the data will depend on the actual string type itself: for example
-for and IA5String the data will be \s-1ASCII\s0, for a BMPString two bytes per
+for and IA5String the data will be \s-1ASCII,\s0 for a BMPString two bytes per
 character in big endian format, UTF8String will be in \s-1UTF8\s0 format.
 .PP
 Similar care should be take to ensure the data is in the correct format
diff --git a/secure/lib/libcrypto/man/ASN1_STRING_new.3 b/secure/lib/libcrypto/man/ASN1_STRING_new.3
index 4e5fcc0e3466..801753c58d54 100644
--- a/secure/lib/libcrypto/man/ASN1_STRING_new.3
+++ b/secure/lib/libcrypto/man/ASN1_STRING_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_STRING_new 3"
-.TH ASN1_STRING_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ASN1_STRING_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 b/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
index 96c52cee3952..04b037f0a176 100644
--- a/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
+++ b/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_STRING_print_ex 3"
-.TH ASN1_STRING_print_ex 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ASN1_STRING_print_ex 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -150,14 +159,14 @@ the options \fBflags\fR. \fIASN1_STRING_print_ex_fp()\fR is identical except it
 to \fBfp\fR instead.
 .PP
 \&\fIASN1_STRING_print()\fR prints \fBstr\fR to \fBout\fR but using a different format to
-\&\fIASN1_STRING_print_ex()\fR. It replaces unprintable characters (other than \s-1CR\s0, \s-1LF\s0)
+\&\fIASN1_STRING_print_ex()\fR. It replaces unprintable characters (other than \s-1CR, LF\s0)
 with '.'.
 .SH "NOTES"
 .IX Header "NOTES"
 \&\fIASN1_STRING_print()\fR is a legacy function which should be avoided in new applications.
 .PP
 Although there are a large number of options frequently \fB\s-1ASN1_STRFLGS_RFC2253\s0\fR is 
-suitable, or on \s-1UTF8\s0 terminals \fB\s-1ASN1_STRFLGS_RFC2253\s0 & ~ASN1_STRFLGS_ESC_MSB\fR.
+suitable, or on \s-1UTF8\s0 terminals \fB\s-1ASN1_STRFLGS_RFC2253 &\s0 ~ASN1_STRFLGS_ESC_MSB\fR.
 .PP
 The complete set of supported options for \fBflags\fR is listed below.
 .PP
@@ -189,7 +198,7 @@ all: everything is assumed to be one byte per character. This is primarily for
 debugging purposes and can result in confusing output in multi character strings.
 .PP
 If \fB\s-1ASN1_STRFLGS_SHOW_TYPE\s0\fR is set then the string type itself is printed out
-before its value (for example \*(L"\s-1BMPSTRING\s0\*(R"), this actually uses \fIASN1_tag2str()\fR.
+before its value (for example \*(L"\s-1BMPSTRING\*(R"\s0), this actually uses \fIASN1_tag2str()\fR.
 .PP
 The content of a string instead of being interpreted can be \*(L"dumped\*(R": this just
 outputs the value of the string using the form #XXXX using hex format for each
@@ -197,7 +206,7 @@ octet.
 .PP
 If \fB\s-1ASN1_STRFLGS_DUMP_ALL\s0\fR is set then any type is dumped.
 .PP
-Normally non character string types (such as \s-1OCTET\s0 \s-1STRING\s0) are assumed to be
+Normally non character string types (such as \s-1OCTET STRING\s0) are assumed to be
 one byte per character, if \fB\s-1ASN1_STRFLGS_DUMP_UNKNOWN\s0\fR is set then they will
 be dumped instead.
 .PP
@@ -205,10 +214,10 @@ When a type is dumped normally just the content octets are printed, if
 \&\fB\s-1ASN1_STRFLGS_DUMP_DER\s0\fR is set then the complete encoding is dumped
 instead (including tag and length octets).
 .PP
-\&\fB\s-1ASN1_STRFLGS_RFC2253\s0\fR includes all the flags required by \s-1RFC2253\s0. It is
+\&\fB\s-1ASN1_STRFLGS_RFC2253\s0\fR includes all the flags required by \s-1RFC2253.\s0 It is
 equivalent to:
  \s-1ASN1_STRFLGS_ESC_2253\s0 | \s-1ASN1_STRFLGS_ESC_CTRL\s0 | \s-1ASN1_STRFLGS_ESC_MSB\s0 |
- \s-1ASN1_STRFLGS_UTF8_CONVERT\s0 | \s-1ASN1_STRFLGS_DUMP_UNKNOWN\s0 \s-1ASN1_STRFLGS_DUMP_DER\s0
+ \s-1ASN1_STRFLGS_UTF8_CONVERT\s0 | \s-1ASN1_STRFLGS_DUMP_UNKNOWN ASN1_STRFLGS_DUMP_DER\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIX509_NAME_print_ex\fR\|(3),
diff --git a/secure/lib/libcrypto/man/ASN1_generate_nconf.3 b/secure/lib/libcrypto/man/ASN1_generate_nconf.3
index 9ee33e766e90..cbd87df61899 100644
--- a/secure/lib/libcrypto/man/ASN1_generate_nconf.3
+++ b/secure/lib/libcrypto/man/ASN1_generate_nconf.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1_generate_nconf 3"
-.TH ASN1_generate_nconf 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ASN1_generate_nconf 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -162,7 +171,7 @@ is:
 That is zero or more comma separated modifiers followed by a type
 followed by an optional colon and a value. The formats of \fBtype\fR,
 \&\fBvalue\fR and \fBmodifier\fR are explained below.
-.SS "\s-1SUPPORTED\s0 \s-1TYPES\s0"
+.SS "\s-1SUPPORTED TYPES\s0"
 .IX Subsection "SUPPORTED TYPES"
 The supported types are listed below. Unless otherwise specified
 only the \fB\s-1ASCII\s0\fR format is permissible.
@@ -177,34 +186,34 @@ are acceptable.
 Encode the \fB\s-1NULL\s0\fR type, the \fBvalue\fR string must not be present.
 .IP "\fB\s-1INTEGER\s0\fR, \fB\s-1INT\s0\fR" 2
 .IX Item "INTEGER, INT"
-Encodes an \s-1ASN1\s0 \fB\s-1INTEGER\s0\fR type. The \fBvalue\fR string represents
-the value of the integer, it can be preceeded by a minus sign and
+Encodes an \s-1ASN1 \s0\fB\s-1INTEGER\s0\fR type. The \fBvalue\fR string represents
+the value of the integer, it can be prefaced by a minus sign and
 is normally interpreted as a decimal value unless the prefix \fB0x\fR
 is included.
 .IP "\fB\s-1ENUMERATED\s0\fR, \fB\s-1ENUM\s0\fR" 2
 .IX Item "ENUMERATED, ENUM"
-Encodes the \s-1ASN1\s0 \fB\s-1ENUMERATED\s0\fR type, it is otherwise identical to
+Encodes the \s-1ASN1 \s0\fB\s-1ENUMERATED\s0\fR type, it is otherwise identical to
 \&\fB\s-1INTEGER\s0\fR.
 .IP "\fB\s-1OBJECT\s0\fR, \fB\s-1OID\s0\fR" 2
 .IX Item "OBJECT, OID"
-Encodes an \s-1ASN1\s0 \fB\s-1OBJECT\s0 \s-1IDENTIFIER\s0\fR, the \fBvalue\fR string can be
+Encodes an \s-1ASN1 \s0\fB\s-1OBJECT IDENTIFIER\s0\fR, the \fBvalue\fR string can be
 a short name, a long name or numerical format.
 .IP "\fB\s-1UTCTIME\s0\fR, \fB\s-1UTC\s0\fR" 2
 .IX Item "UTCTIME, UTC"
-Encodes an \s-1ASN1\s0 \fBUTCTime\fR structure, the value should be in
+Encodes an \s-1ASN1 \s0\fBUTCTime\fR structure, the value should be in
 the format \fB\s-1YYMMDDHHMMSSZ\s0\fR.
 .IP "\fB\s-1GENERALIZEDTIME\s0\fR, \fB\s-1GENTIME\s0\fR" 2
 .IX Item "GENERALIZEDTIME, GENTIME"
-Encodes an \s-1ASN1\s0 \fBGeneralizedTime\fR structure, the value should be in
+Encodes an \s-1ASN1 \s0\fBGeneralizedTime\fR structure, the value should be in
 the format \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
 .IP "\fB\s-1OCTETSTRING\s0\fR, \fB\s-1OCT\s0\fR" 2
 .IX Item "OCTETSTRING, OCT"
-Encodes an \s-1ASN1\s0 \fB\s-1OCTET\s0 \s-1STRING\s0\fR. \fBvalue\fR represents the contents
+Encodes an \s-1ASN1 \s0\fB\s-1OCTET STRING\s0\fR. \fBvalue\fR represents the contents
 of this structure, the format strings \fB\s-1ASCII\s0\fR and \fB\s-1HEX\s0\fR can be
 used to specify the format of \fBvalue\fR.
 .IP "\fB\s-1BITSTRING\s0\fR, \fB\s-1BITSTR\s0\fR" 2
 .IX Item "BITSTRING, BITSTR"
-Encodes an \s-1ASN1\s0 \fB\s-1BIT\s0 \s-1STRING\s0\fR. \fBvalue\fR represents the contents
+Encodes an \s-1ASN1 \s0\fB\s-1BIT STRING\s0\fR. \fBvalue\fR represents the contents
 of this structure, the format strings \fB\s-1ASCII\s0\fR, \fB\s-1HEX\s0\fR and \fB\s-1BITLIST\s0\fR
 can be used to specify the format of \fBvalue\fR.
 .Sp
@@ -216,7 +225,7 @@ These encode the corresponding string types. \fBvalue\fR represents the
 contents of this structure. The format can be \fB\s-1ASCII\s0\fR or \fB\s-1UTF8\s0\fR.
 .IP "\fB\s-1SEQUENCE\s0\fR, \fB\s-1SEQ\s0\fR, \fB\s-1SET\s0\fR" 2
 .IX Item "SEQUENCE, SEQ, SET"
-Formats the result as an \s-1ASN1\s0 \fB\s-1SEQUENCE\s0\fR or \fB\s-1SET\s0\fR type. \fBvalue\fR
+Formats the result as an \s-1ASN1 \s0\fB\s-1SEQUENCE\s0\fR or \fB\s-1SET\s0\fR type. \fBvalue\fR
 should be a section name which will contain the contents. The
 field names in the section are ignored and the values are in the
 generated string format. If \fBvalue\fR is absent then an empty \s-1SEQUENCE\s0
@@ -233,17 +242,17 @@ Add an explicit tag to the following structure. This string
 should be followed by a colon and the tag value to use as a
 decimal value.
 .Sp
-By following the number with \fBU\fR, \fBA\fR, \fBP\fR or \fBC\fR \s-1UNIVERSAL\s0,
-\&\s-1APPLICATION\s0, \s-1PRIVATE\s0 or \s-1CONTEXT\s0 \s-1SPECIFIC\s0 tagging can be used,
-the default is \s-1CONTEXT\s0 \s-1SPECIFIC\s0.
+By following the number with \fBU\fR, \fBA\fR, \fBP\fR or \fBC\fR \s-1UNIVERSAL,
+APPLICATION, PRIVATE\s0 or \s-1CONTEXT SPECIFIC\s0 tagging can be used,
+the default is \s-1CONTEXT SPECIFIC.\s0
 .IP "\fB\s-1IMPLICIT\s0\fR, \fB\s-1IMP\s0\fR" 2
 .IX Item "IMPLICIT, IMP"
 This is the same as \fB\s-1EXPLICIT\s0\fR except \s-1IMPLICIT\s0 tagging is used
 instead.
 .IP "\fB\s-1OCTWRAP\s0\fR, \fB\s-1SEQWRAP\s0\fR, \fB\s-1SETWRAP\s0\fR, \fB\s-1BITWRAP\s0\fR" 2
 .IX Item "OCTWRAP, SEQWRAP, SETWRAP, BITWRAP"
-The following structure is surrounded by an \s-1OCTET\s0 \s-1STRING\s0, a \s-1SEQUENCE\s0,
-a \s-1SET\s0 or a \s-1BIT\s0 \s-1STRING\s0 respectively. For a \s-1BIT\s0 \s-1STRING\s0 the number of unused
+The following structure is surrounded by an \s-1OCTET STRING,\s0 a \s-1SEQUENCE,\s0
+a \s-1SET\s0 or a \s-1BIT STRING\s0 respectively. For a \s-1BIT STRING\s0 the number of unused
 bits is set to zero.
 .IP "\fB\s-1FORMAT\s0\fR" 2
 .IX Item "FORMAT"
@@ -252,8 +261,8 @@ by a colon and one of the strings \fB\s-1ASCII\s0\fR, \fB\s-1UTF8\s0\fR, \fB\s-1
 .Sp
 If no format specifier is included then \fB\s-1ASCII\s0\fR is used. If \fB\s-1UTF8\s0\fR is
 specified then the value string must be a valid \fB\s-1UTF8\s0\fR string. For \fB\s-1HEX\s0\fR the
-output must be a set of hex digits. \fB\s-1BITLIST\s0\fR (which is only valid for a \s-1BIT\s0
-\&\s-1STRING\s0) is a comma separated list of the indices of the set bits, all other
+output must be a set of hex digits. \fB\s-1BITLIST\s0\fR (which is only valid for a \s-1BIT
+STRING\s0) is a comma separated list of the indices of the set bits, all other
 bits are zero.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
diff --git a/secure/lib/libcrypto/man/BIO_ctrl.3 b/secure/lib/libcrypto/man/BIO_ctrl.3
index 6b84afdf04c5..293144ccc525 100644
--- a/secure/lib/libcrypto/man/BIO_ctrl.3
+++ b/secure/lib/libcrypto/man/BIO_ctrl.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_ctrl 3"
-.TH BIO_ctrl 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_ctrl 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -164,7 +173,7 @@ BIO_get_info_callback, BIO_set_info_callback \- BIO control operations
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fIBIO_ctrl()\fR, \fIBIO_callback_ctrl()\fR, \fIBIO_ptr_ctrl()\fR and \fIBIO_int_ctrl()\fR
-are \s-1BIO\s0 \*(L"control\*(R" operations taking arguments of various types.
+are \s-1BIO \s0\*(L"control\*(R" operations taking arguments of various types.
 These functions are not normally called directly, various macros
 are used instead. The standard macros are described below, macros
 specific to a particular type of \s-1BIO\s0 are described in the specific
@@ -178,16 +187,16 @@ start of the file.
 \&\fIBIO_seek()\fR resets a file related \s-1BIO\s0's (that is file descriptor and
 \&\s-1FILE\s0 BIOs) file position pointer to \fBofs\fR bytes from start of file.
 .PP
-\&\fIBIO_tell()\fR returns the current file position of a file related \s-1BIO\s0.
+\&\fIBIO_tell()\fR returns the current file position of a file related \s-1BIO.\s0
 .PP
 \&\fIBIO_flush()\fR normally writes out any internally buffered data, in some
 cases it is used to signal \s-1EOF\s0 and that no more data will be written.
 .PP
-\&\fIBIO_eof()\fR returns 1 if the \s-1BIO\s0 has read \s-1EOF\s0, the precise meaning of
-\&\*(L"\s-1EOF\s0\*(R" varies according to the \s-1BIO\s0 type.
+\&\fIBIO_eof()\fR returns 1 if the \s-1BIO\s0 has read \s-1EOF,\s0 the precise meaning of
+\&\*(L"\s-1EOF\*(R"\s0 varies according to the \s-1BIO\s0 type.
 .PP
-\&\fIBIO_set_close()\fR sets the \s-1BIO\s0 \fBb\fR close flag to \fBflag\fR. \fBflag\fR can
-take the value \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE\s0. Typically \s-1BIO_CLOSE\s0 is used
+\&\fIBIO_set_close()\fR sets the \s-1BIO \s0\fBb\fR close flag to \fBflag\fR. \fBflag\fR can
+take the value \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0 Typically \s-1BIO_CLOSE\s0 is used
 in a source/sink \s-1BIO\s0 to indicate that the underlying I/O stream should
 be closed when the \s-1BIO\s0 is freed.
 .PP
@@ -213,7 +222,7 @@ for success and \-1 for failure.
 .PP
 \&\fIBIO_set_close()\fR always returns 1.
 .PP
-\&\fIBIO_get_close()\fR returns the close flag value: \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE\s0.
+\&\fIBIO_get_close()\fR returns the close flag value: \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0
 .PP
 \&\fIBIO_pending()\fR, \fIBIO_ctrl_pending()\fR, \fIBIO_wpending()\fR and \fIBIO_ctrl_wpending()\fR
 return the amount of pending data.
@@ -234,10 +243,10 @@ Filter BIOs if they do not internally handle a particular \fIBIO_ctrl()\fR
 operation usually pass the operation to the next \s-1BIO\s0 in the chain.
 This often means there is no need to locate the required \s-1BIO\s0 for
 a particular operation, it can be called on a chain and it will
-be automatically passed to the relevant \s-1BIO\s0. However this can cause
+be automatically passed to the relevant \s-1BIO.\s0 However this can cause
 unexpected results: for example no current filter BIOs implement
 \&\fIBIO_seek()\fR, but this may still succeed if the chain ends in a \s-1FILE\s0
-or file descriptor \s-1BIO\s0.
+or file descriptor \s-1BIO.\s0
 .PP
 Source/sink BIOs return an 0 if they do not recognize the \fIBIO_ctrl()\fR
 operation.
diff --git a/secure/lib/libcrypto/man/BIO_f_base64.3 b/secure/lib/libcrypto/man/BIO_f_base64.3
index b9788a672504..3747492cc228 100644
--- a/secure/lib/libcrypto/man/BIO_f_base64.3
+++ b/secure/lib/libcrypto/man/BIO_f_base64.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_base64 3"
-.TH BIO_f_base64 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_f_base64 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -149,7 +158,7 @@ Base64 BIOs do not support \fIBIO_gets()\fR or \fIBIO_puts()\fR.
 .PP
 \&\fIBIO_flush()\fR on a base64 \s-1BIO\s0 that is being written through is
 used to signal that no more data is to be encoded: this is used
-to flush the final block through the \s-1BIO\s0.
+to flush the final block through the \s-1BIO.\s0
 .PP
 The flag \s-1BIO_FLAGS_BASE64_NO_NL\s0 can be set with \fIBIO_set_flags()\fR
 to encode the data all on one line or expect the data to be all
@@ -172,11 +181,11 @@ to standard output:
 \&
 \& b64 = BIO_new(BIO_f_base64());
 \& bio = BIO_new_fp(stdout, BIO_NOCLOSE);
-\& bio = BIO_push(b64, bio);
-\& BIO_write(bio, message, strlen(message));
-\& BIO_flush(bio);
+\& BIO_push(b64, bio);
+\& BIO_write(b64, message, strlen(message));
+\& BIO_flush(b64);
 \&
-\& BIO_free_all(bio);
+\& BIO_free_all(b64);
 .Ve
 .PP
 Read Base64 encoded data from standard input and write the decoded
@@ -190,11 +199,12 @@ data to standard output:
 \& b64 = BIO_new(BIO_f_base64());
 \& bio = BIO_new_fp(stdin, BIO_NOCLOSE);
 \& bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
-\& bio = BIO_push(b64, bio);
-\& while((inlen = BIO_read(bio, inbuf, 512)) > 0) 
+\& BIO_push(b64, bio);
+\& while((inlen = BIO_read(b64, inbuf, 512)) > 0) 
 \&        BIO_write(bio_out, inbuf, inlen);
 \&
-\& BIO_free_all(bio);
+\& BIO_flush(bio_out);
+\& BIO_free_all(b64);
 .Ve
 .SH "BUGS"
 .IX Header "BUGS"
@@ -202,7 +212,7 @@ The ambiguity of \s-1EOF\s0 in base64 encoded data can cause additional
 data following the base64 encoded block to be misinterpreted.
 .PP
 There should be some way of specifying a test that the \s-1BIO\s0 can perform
-to reliably determine \s-1EOF\s0 (for example a \s-1MIME\s0 boundary).
+to reliably determine \s-1EOF \s0(for example a \s-1MIME\s0 boundary).
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\s-1TBA\s0
diff --git a/secure/lib/libcrypto/man/BIO_f_buffer.3 b/secure/lib/libcrypto/man/BIO_f_buffer.3
index 946effd22800..464c99c5db68 100644
--- a/secure/lib/libcrypto/man/BIO_f_buffer.3
+++ b/secure/lib/libcrypto/man/BIO_f_buffer.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_buffer 3"
-.TH BIO_f_buffer 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_f_buffer 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -159,7 +168,7 @@ Calling \fIBIO_reset()\fR on a buffering \s-1BIO\s0 clears any buffered data.
 .PP
 \&\fIBIO_set_read_buffer_size()\fR, \fIBIO_set_write_buffer_size()\fR and \fIBIO_set_buffer_size()\fR
 set the read, write or both read and write buffer sizes to \fBsize\fR. The initial
-buffer size is \s-1DEFAULT_BUFFER_SIZE\s0, currently 4096. Any attempt to reduce the
+buffer size is \s-1DEFAULT_BUFFER_SIZE,\s0 currently 4096. Any attempt to reduce the
 buffer size below \s-1DEFAULT_BUFFER_SIZE\s0 is ignored. Any buffered data is cleared
 when the buffer is resized.
 .PP
diff --git a/secure/lib/libcrypto/man/BIO_f_cipher.3 b/secure/lib/libcrypto/man/BIO_f_cipher.3
index 6382c4f27902..9af1683203fc 100644
--- a/secure/lib/libcrypto/man/BIO_f_cipher.3
+++ b/secure/lib/libcrypto/man/BIO_f_cipher.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_cipher 3"
-.TH BIO_f_cipher 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_f_cipher 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -154,10 +163,10 @@ Cipher BIOs do not support \fIBIO_gets()\fR or \fIBIO_puts()\fR.
 .PP
 \&\fIBIO_flush()\fR on an encryption \s-1BIO\s0 that is being written through is
 used to signal that no more data is to be encrypted: this is used
-to flush and possibly pad the final block through the \s-1BIO\s0.
+to flush and possibly pad the final block through the \s-1BIO.\s0
 .PP
-\&\fIBIO_set_cipher()\fR sets the cipher of \s-1BIO\s0 \fBb\fR to \fBcipher\fR using key \fBkey\fR
-and \s-1IV\s0 \fBiv\fR. \fBenc\fR should be set to 1 for encryption and zero for
+\&\fIBIO_set_cipher()\fR sets the cipher of \s-1BIO \s0\fBb\fR to \fBcipher\fR using key \fBkey\fR
+and \s-1IV \s0\fBiv\fR. \fBenc\fR should be set to 1 for encryption and zero for
 decryption.
 .PP
 When reading from an encryption \s-1BIO\s0 the final block is automatically
@@ -172,7 +181,7 @@ with the standard cipher routines to set it up. This is useful when
 .SH "NOTES"
 .IX Header "NOTES"
 When encrypting \fIBIO_flush()\fR \fBmust\fR be called to flush the final block
-through the \s-1BIO\s0. If it is not then the final block will fail a subsequent
+through the \s-1BIO.\s0 If it is not then the final block will fail a subsequent
 decrypt.
 .PP
 When decrypting an error on the final block is signalled by a zero
@@ -181,7 +190,7 @@ by \s-1EOF\s0 will also return zero for the final read. \fIBIO_get_cipher_status
 should be called to determine if the decrypt was successful.
 .PP
 As always, if \fIBIO_gets()\fR or \fIBIO_puts()\fR support is needed then it can
-be achieved by preceding the cipher \s-1BIO\s0 with a buffering \s-1BIO\s0.
+be achieved by preceding the cipher \s-1BIO\s0 with a buffering \s-1BIO.\s0
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fIBIO_f_cipher()\fR returns the cipher \s-1BIO\s0 method.
diff --git a/secure/lib/libcrypto/man/BIO_f_md.3 b/secure/lib/libcrypto/man/BIO_f_md.3
index d2997f4b1302..df63c31861e5 100644
--- a/secure/lib/libcrypto/man/BIO_f_md.3
+++ b/secure/lib/libcrypto/man/BIO_f_md.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_md 3"
-.TH BIO_f_md 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_f_md 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -156,9 +165,9 @@ Any data written or read through a digest \s-1BIO\s0 using \fIBIO_read()\fR and
 digest calculation and returns the digest value. \fIBIO_puts()\fR is
 not supported.
 .PP
-\&\fIBIO_reset()\fR reinitialises a digest \s-1BIO\s0.
+\&\fIBIO_reset()\fR reinitialises a digest \s-1BIO.\s0
 .PP
-\&\fIBIO_set_md()\fR sets the message digest of \s-1BIO\s0 \fBb\fR to \fBmd\fR: this
+\&\fIBIO_set_md()\fR sets the message digest of \s-1BIO \s0\fBb\fR to \fBmd\fR: this
 must be called to initialize a digest \s-1BIO\s0 before any data is
 passed through it. It is a \fIBIO_ctrl()\fR macro.
 .PP
@@ -183,7 +192,7 @@ data is passed through it.
 .PP
 If an application needs to call \fIBIO_gets()\fR or \fIBIO_puts()\fR through
 a chain containing digest BIOs then this can be done by prepending
-a buffering \s-1BIO\s0.
+a buffering \s-1BIO.\s0
 .PP
 Before OpenSSL 1.0.0 the call to \fIBIO_get_md_ctx()\fR would only work if the \s-1BIO\s0
 had been initialized for example by calling \fIBIO_set_md()\fR ). In OpenSSL
diff --git a/secure/lib/libcrypto/man/BIO_f_null.3 b/secure/lib/libcrypto/man/BIO_f_null.3
index fb8ce06a1d71..393f40b2e9fa 100644
--- a/secure/lib/libcrypto/man/BIO_f_null.3
+++ b/secure/lib/libcrypto/man/BIO_f_null.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_null 3"
-.TH BIO_f_null 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_f_null 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BIO_f_ssl.3 b/secure/lib/libcrypto/man/BIO_f_ssl.3
index a61959e52b37..e5698ef4ac14 100644
--- a/secure/lib/libcrypto/man/BIO_f_ssl.3
+++ b/secure/lib/libcrypto/man/BIO_f_ssl.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_f_ssl 3"
-.TH BIO_f_ssl 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_f_ssl 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -162,32 +171,32 @@ BIO_ssl_shutdown \- SSL BIO
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\fIBIO_f_ssl()\fR returns the \s-1SSL\s0 \s-1BIO\s0 method. This is a filter \s-1BIO\s0 which
-is a wrapper round the OpenSSL \s-1SSL\s0 routines adding a \s-1BIO\s0 \*(L"flavour\*(R" to
-\&\s-1SSL\s0 I/O.
+\&\fIBIO_f_ssl()\fR returns the \s-1SSL BIO\s0 method. This is a filter \s-1BIO\s0 which
+is a wrapper round the OpenSSL \s-1SSL\s0 routines adding a \s-1BIO \s0\*(L"flavour\*(R" to
+\&\s-1SSL I/O. \s0
 .PP
-I/O performed on an \s-1SSL\s0 \s-1BIO\s0 communicates using the \s-1SSL\s0 protocol with
+I/O performed on an \s-1SSL BIO\s0 communicates using the \s-1SSL\s0 protocol with
 the SSLs read and write BIOs. If an \s-1SSL\s0 connection is not established
 then an attempt is made to establish one on the first I/O call.
 .PP
-If a \s-1BIO\s0 is appended to an \s-1SSL\s0 \s-1BIO\s0 using \fIBIO_push()\fR it is automatically
+If a \s-1BIO\s0 is appended to an \s-1SSL BIO\s0 using \fIBIO_push()\fR it is automatically
 used as the \s-1SSL\s0 BIOs read and write BIOs.
 .PP
-Calling \fIBIO_reset()\fR on an \s-1SSL\s0 \s-1BIO\s0 closes down any current \s-1SSL\s0 connection
+Calling \fIBIO_reset()\fR on an \s-1SSL BIO\s0 closes down any current \s-1SSL\s0 connection
 by calling \fISSL_shutdown()\fR. \fIBIO_reset()\fR is then sent to the next \s-1BIO\s0 in
 the chain: this will typically disconnect the underlying transport.
-The \s-1SSL\s0 \s-1BIO\s0 is then reset to the initial accept or connect state.
+The \s-1SSL BIO\s0 is then reset to the initial accept or connect state.
 .PP
-If the close flag is set when an \s-1SSL\s0 \s-1BIO\s0 is freed then the internal
+If the close flag is set when an \s-1SSL BIO\s0 is freed then the internal
 \&\s-1SSL\s0 structure is also freed using \fISSL_free()\fR.
 .PP
-\&\fIBIO_set_ssl()\fR sets the internal \s-1SSL\s0 pointer of \s-1BIO\s0 \fBb\fR to \fBssl\fR using
+\&\fIBIO_set_ssl()\fR sets the internal \s-1SSL\s0 pointer of \s-1BIO \s0\fBb\fR to \fBssl\fR using
 the close flag \fBc\fR.
 .PP
-\&\fIBIO_get_ssl()\fR retrieves the \s-1SSL\s0 pointer of \s-1BIO\s0 \fBb\fR, it can then be
+\&\fIBIO_get_ssl()\fR retrieves the \s-1SSL\s0 pointer of \s-1BIO \s0\fBb\fR, it can then be
 manipulated using the standard \s-1SSL\s0 library functions.
 .PP
-\&\fIBIO_set_ssl_mode()\fR sets the \s-1SSL\s0 \s-1BIO\s0 mode to \fBclient\fR. If \fBclient\fR
+\&\fIBIO_set_ssl_mode()\fR sets the \s-1SSL BIO\s0 mode to \fBclient\fR. If \fBclient\fR
 is 1 client mode is set. If \fBclient\fR is 0 server mode is set.
 .PP
 \&\fIBIO_set_ssl_renegotiate_bytes()\fR sets the renegotiate byte count
@@ -202,15 +211,15 @@ automatically renegotiated.
 \&\fIBIO_get_num_renegotiates()\fR returns the total number of session
 renegotiations due to I/O or timeout.
 .PP
-\&\fIBIO_new_ssl()\fR allocates an \s-1SSL\s0 \s-1BIO\s0 using \s-1SSL_CTX\s0 \fBctx\fR and using
+\&\fIBIO_new_ssl()\fR allocates an \s-1SSL BIO\s0 using \s-1SSL_CTX \s0\fBctx\fR and using
 client mode if \fBclient\fR is non zero.
 .PP
 \&\fIBIO_new_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting of an
-\&\s-1SSL\s0 \s-1BIO\s0 (using \fBctx\fR) followed by a connect \s-1BIO\s0.
+\&\s-1SSL BIO \s0(using \fBctx\fR) followed by a connect \s-1BIO.\s0
 .PP
 \&\fIBIO_new_buffer_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting
-of a buffering \s-1BIO\s0, an \s-1SSL\s0 \s-1BIO\s0 (using \fBctx\fR) and a connect
-\&\s-1BIO\s0.
+of a buffering \s-1BIO,\s0 an \s-1SSL BIO \s0(using \fBctx\fR) and a connect
+\&\s-1BIO.\s0
 .PP
 \&\fIBIO_ssl_copy_session_id()\fR copies an \s-1SSL\s0 session id between 
 \&\s-1BIO\s0 chains \fBfrom\fR and \fBto\fR. It does this by locating the
@@ -218,7 +227,7 @@ of a buffering \s-1BIO\s0, an \s-1SSL\s0 \s-1BIO\s0 (using \fBctx\fR) and a conn
 the internal \s-1SSL\s0 pointer.
 .PP
 \&\fIBIO_ssl_shutdown()\fR closes down an \s-1SSL\s0 connection on \s-1BIO\s0
-chain \fBbio\fR. It does this by locating the \s-1SSL\s0 \s-1BIO\s0 in the
+chain \fBbio\fR. It does this by locating the \s-1SSL BIO\s0 in the
 chain and calling \fISSL_shutdown()\fR on its internal \s-1SSL\s0
 pointer.
 .PP
@@ -239,7 +248,7 @@ case where this happens is when \s-1SGC\s0 or step up occurs.
 .PP
 In OpenSSL 0.9.6 and later the \s-1SSL\s0 flag \s-1SSL_AUTO_RETRY\s0 can be
 set to disable this behaviour. That is when this flag is set
-an \s-1SSL\s0 \s-1BIO\s0 using a blocking transport will never request a
+an \s-1SSL BIO\s0 using a blocking transport will never request a
 retry.
 .PP
 Since unknown \fIBIO_ctrl()\fR operations are sent through filter
@@ -323,7 +332,7 @@ unencrypted example in \fIBIO_s_connect\fR\|(3).
 .Ve
 .PP
 Here is a simple server example. It makes use of a buffering
-\&\s-1BIO\s0 to allow lines to be read from the \s-1SSL\s0 \s-1BIO\s0 using BIO_gets.
+\&\s-1BIO\s0 to allow lines to be read from the \s-1SSL BIO\s0 using BIO_gets.
 It creates a pseudo web page containing the actual request from
 a client and also echoes the request to standard output.
 .PP
@@ -440,10 +449,10 @@ a client and also echoes the request to standard output.
 .IX Header "BUGS"
 In OpenSSL versions before 1.0.0 the \fIBIO_pop()\fR call was handled incorrectly,
 the I/O \s-1BIO\s0 reference count was incorrectly incremented (instead of
-decremented) and dissociated with the \s-1SSL\s0 \s-1BIO\s0 even if the \s-1SSL\s0 \s-1BIO\s0 was not
+decremented) and dissociated with the \s-1SSL BIO\s0 even if the \s-1SSL BIO\s0 was not
 explicitly being popped (e.g. a pop higher up the chain). Applications which
 included workarounds for this bug (e.g. freeing BIOs more than once) should
-be modified to handle this fix or they may free up an already freed \s-1BIO\s0.
+be modified to handle this fix or they may free up an already freed \s-1BIO.\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\s-1TBA\s0
diff --git a/secure/lib/libcrypto/man/BIO_find_type.3 b/secure/lib/libcrypto/man/BIO_find_type.3
index d4eb7aa334c8..68f364d9d2c7 100644
--- a/secure/lib/libcrypto/man/BIO_find_type.3
+++ b/secure/lib/libcrypto/man/BIO_find_type.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_find_type 3"
-.TH BIO_find_type 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_find_type 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -169,7 +178,7 @@ BIO_find_type, BIO_next \- BIO chain traversal
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fIBIO_find_type()\fR searches for a \s-1BIO\s0 of a given type in a chain, starting
-at \s-1BIO\s0 \fBb\fR. If \fBtype\fR is a specific type (such as \s-1BIO_TYPE_MEM\s0) then a search
+at \s-1BIO \s0\fBb\fR. If \fBtype\fR is a specific type (such as \s-1BIO_TYPE_MEM\s0) then a search
 is made for a \s-1BIO\s0 of that type. If \fBtype\fR is a general type (such as
 \&\fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR) then the next matching \s-1BIO\s0 of the given general type is
 searched for. \fIBIO_find_type()\fR returns the next matching \s-1BIO\s0 or \s-1NULL\s0 if none is
@@ -181,14 +190,14 @@ Note: not all the \fBBIO_TYPE_*\fR types above have corresponding \s-1BIO\s0 imp
 in a chain or used in conjunction with \fIBIO_find_type()\fR to find all BIOs of a
 certain type.
 .PP
-\&\fIBIO_method_type()\fR returns the type of a \s-1BIO\s0.
+\&\fIBIO_method_type()\fR returns the type of a \s-1BIO.\s0
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fIBIO_find_type()\fR returns a matching \s-1BIO\s0 or \s-1NULL\s0 for no match.
 .PP
 \&\fIBIO_next()\fR returns the next \s-1BIO\s0 in a chain.
 .PP
-\&\fIBIO_method_type()\fR returns the type of the \s-1BIO\s0 \fBb\fR.
+\&\fIBIO_method_type()\fR returns the type of the \s-1BIO \s0\fBb\fR.
 .SH "NOTES"
 .IX Header "NOTES"
 \&\fIBIO_next()\fR was added to OpenSSL 0.9.6 to provide a 'clean' way to traverse a \s-1BIO\s0
diff --git a/secure/lib/libcrypto/man/BIO_new.3 b/secure/lib/libcrypto/man/BIO_new.3
index e5c77c77ac75..7e3853a3b2ed 100644
--- a/secure/lib/libcrypto/man/BIO_new.3
+++ b/secure/lib/libcrypto/man/BIO_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_new 3"
-.TH BIO_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -146,9 +155,9 @@ BIO_new, BIO_set, BIO_free, BIO_vfree, BIO_free_all \- BIO allocation and freein
 .IX Header "DESCRIPTION"
 The \fIBIO_new()\fR function returns a new \s-1BIO\s0 using method \fBtype\fR.
 .PP
-\&\fIBIO_set()\fR sets the method of an already existing \s-1BIO\s0.
+\&\fIBIO_set()\fR sets the method of an already existing \s-1BIO.\s0
 .PP
-\&\fIBIO_free()\fR frees up a single \s-1BIO\s0, \fIBIO_vfree()\fR also frees up a single \s-1BIO\s0
+\&\fIBIO_free()\fR frees up a single \s-1BIO,\s0 \fIBIO_vfree()\fR also frees up a single \s-1BIO\s0
 but it does not return a value. Calling \fIBIO_free()\fR may also have some effect
 on the underlying I/O structure, for example it may close the file being
 referred to under certain circumstances. For more details see the individual
@@ -176,7 +185,7 @@ Calling \fIBIO_free_all()\fR a single \s-1BIO\s0 has the same effect as calling
 on it other than the discarded return value.
 .PP
 Normally the \fBtype\fR argument is supplied by a function which returns a
-pointer to a \s-1BIO_METHOD\s0. There is a naming convention for such functions:
+pointer to a \s-1BIO_METHOD.\s0 There is a naming convention for such functions:
 a source/sink \s-1BIO\s0 is normally called BIO_s_*() and a filter \s-1BIO\s0
 BIO_f_*();
 .SH "EXAMPLE"
diff --git a/secure/lib/libcrypto/man/BIO_new_CMS.3 b/secure/lib/libcrypto/man/BIO_new_CMS.3
index 5a4c08990c15..1b8e5ea18eb9 100644
--- a/secure/lib/libcrypto/man/BIO_new_CMS.3
+++ b/secure/lib/libcrypto/man/BIO_new_CMS.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_new_CMS 3"
-.TH BIO_new_CMS 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_new_CMS 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ of the filter is written to \fBout\fR. Any data written to the chain is
 automatically translated to a \s-1BER\s0 format \s-1CMS\s0 structure of the appropriate type.
 .SH "NOTES"
 .IX Header "NOTES"
-The chain returned by this function behaves like a standard filter \s-1BIO\s0. It
+The chain returned by this function behaves like a standard filter \s-1BIO.\s0 It
 supports non blocking I/O. Content is processed and streamed on the fly and not
 all held in memory at once: so it is possible to encode very large structures.
 After all content has been written through the chain \fIBIO_flush()\fR must be called
@@ -170,7 +179,7 @@ responsibility to set the inner content type of any outer CMS_ContentInfo
 structures.
 .PP
 Large numbers of small writes through the chain should be avoided as this will
-produce an output consisting of lots of \s-1OCTET\s0 \s-1STRING\s0 structures. Prepending
+produce an output consisting of lots of \s-1OCTET STRING\s0 structures. Prepending
 a \fIBIO_f_buffer()\fR buffering \s-1BIO\s0 will prevent this.
 .SH "BUGS"
 .IX Header "BUGS"
diff --git a/secure/lib/libcrypto/man/BIO_push.3 b/secure/lib/libcrypto/man/BIO_push.3
index 922bbdb309c7..29d5eb10ccb4 100644
--- a/secure/lib/libcrypto/man/BIO_push.3
+++ b/secure/lib/libcrypto/man/BIO_push.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_push 3"
-.TH BIO_push 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_push 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -141,11 +150,11 @@ BIO_push, BIO_pop \- add and remove BIOs from a chain.
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-The \fIBIO_push()\fR function appends the \s-1BIO\s0 \fBappend\fR to \fBb\fR, it returns
+The \fIBIO_push()\fR function appends the \s-1BIO \s0\fBappend\fR to \fBb\fR, it returns
 \&\fBb\fR.
 .PP
-\&\fIBIO_pop()\fR removes the \s-1BIO\s0 \fBb\fR from a chain and returns the next \s-1BIO\s0
-in the chain, or \s-1NULL\s0 if there is no next \s-1BIO\s0. The removed \s-1BIO\s0 then
+\&\fIBIO_pop()\fR removes the \s-1BIO \s0\fBb\fR from a chain and returns the next \s-1BIO\s0
+in the chain, or \s-1NULL\s0 if there is no next \s-1BIO.\s0 The removed \s-1BIO\s0 then
 becomes a single \s-1BIO\s0 with no association with the original chain,
 it can thus be freed or attached to a different chain.
 .SH "NOTES"
@@ -160,7 +169,7 @@ be noted in the descriptions of individual BIOs.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 For these examples suppose \fBmd1\fR and \fBmd2\fR are digest BIOs, \fBb64\fR is
-a base64 \s-1BIO\s0 and \fBf\fR is a file \s-1BIO\s0.
+a base64 \s-1BIO\s0 and \fBf\fR is a file \s-1BIO.\s0
 .PP
 If the call:
 .PP
@@ -168,7 +177,7 @@ If the call:
 \& BIO_push(b64, f);
 .Ve
 .PP
-is made then the new chain will be \fBb64\-chain\fR. After making the calls
+is made then the new chain will be \fBb64\-f\fR. After making the calls
 .PP
 .Vb 2
 \& BIO_push(md2, b64);
@@ -193,7 +202,7 @@ be written to \fBmd1\fR as before.
 \&\fIBIO_push()\fR returns the end of the chain, \fBb\fR.
 .PP
 \&\fIBIO_pop()\fR returns the next \s-1BIO\s0 in the chain, or \s-1NULL\s0 if there is no next
-\&\s-1BIO\s0.
+\&\s-1BIO.\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\s-1TBA\s0
diff --git a/secure/lib/libcrypto/man/BIO_read.3 b/secure/lib/libcrypto/man/BIO_read.3
index 2a670056add2..51f751babcfe 100644
--- a/secure/lib/libcrypto/man/BIO_read.3
+++ b/secure/lib/libcrypto/man/BIO_read.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_read 3"
-.TH BIO_read 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_read 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -143,7 +152,7 @@ BIO_read, BIO_write, BIO_gets, BIO_puts \- BIO I/O functions
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\fIBIO_read()\fR attempts to read \fBlen\fR bytes from \s-1BIO\s0 \fBb\fR and places
+\&\fIBIO_read()\fR attempts to read \fBlen\fR bytes from \s-1BIO \s0\fBb\fR and places
 the data in \fBbuf\fR.
 .PP
 \&\fIBIO_gets()\fR performs the BIOs \*(L"gets\*(R" operation and places the data
@@ -152,9 +161,9 @@ from the \s-1BIO\s0 of maximum length \fBlen\fR. There are exceptions to this
 however, for example \fIBIO_gets()\fR on a digest \s-1BIO\s0 will calculate and
 return the digest and other BIOs may not support \fIBIO_gets()\fR at all.
 .PP
-\&\fIBIO_write()\fR attempts to write \fBlen\fR bytes from \fBbuf\fR to \s-1BIO\s0 \fBb\fR.
+\&\fIBIO_write()\fR attempts to write \fBlen\fR bytes from \fBbuf\fR to \s-1BIO \s0\fBb\fR.
 .PP
-\&\fIBIO_puts()\fR attempts to write a null terminated string \fBbuf\fR to \s-1BIO\s0 \fBb\fR
+\&\fIBIO_puts()\fR attempts to write a null terminated string \fBbuf\fR to \s-1BIO \s0\fBb\fR
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 All these functions return either the amount of data successfully read or
@@ -182,7 +191,7 @@ See \fIBIO_should_retry\fR\|(3) for details of how to
 determine the cause of a retry and other I/O issues.
 .PP
 If the \fIBIO_gets()\fR function is not supported by a \s-1BIO\s0 then it possible to
-work around this by adding a buffering \s-1BIO\s0 \fIBIO_f_buffer\fR\|(3)
+work around this by adding a buffering \s-1BIO \s0\fIBIO_f_buffer\fR\|(3)
 to the chain.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
diff --git a/secure/lib/libcrypto/man/BIO_s_accept.3 b/secure/lib/libcrypto/man/BIO_s_accept.3
index 1d3981b1764e..b22cd95d9c14 100644
--- a/secure/lib/libcrypto/man/BIO_s_accept.3
+++ b/secure/lib/libcrypto/man/BIO_s_accept.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_accept 3"
-.TH BIO_s_accept 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_s_accept 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -187,8 +196,8 @@ the accept socket. See \fIBIO_s_fd\fR\|(3)
 \&\fIBIO_set_accept_port()\fR uses the string \fBname\fR to set the accept
 port. The port is represented as a string of the form \*(L"host:port\*(R",
 where \*(L"host\*(R" is the interface to use and \*(L"port\*(R" is the port.
-Either or both values can be \*(L"*\*(R" which is interpreted as meaning
-any interface or port respectively. \*(L"port\*(R" has the same syntax
+The host can be can be \*(L"*\*(R" which is interpreted as meaning
+any interface; \*(L"port\*(R" has the same syntax
 as the port specified in \fIBIO_set_conn_port()\fR for connect BIOs,
 that is it can be a numerical port string or a string to lookup
 using \fIgetservbyname()\fR and a string table.
@@ -203,18 +212,18 @@ a single call: that is it creates a new accept \s-1BIO\s0 with port
 \&\fIBIO_set_accept_bios()\fR can be used to set a chain of BIOs which
 will be duplicated and prepended to the chain when an incoming
 connection is received. This is useful if, for example, a 
-buffering or \s-1SSL\s0 \s-1BIO\s0 is required for each connection. The
+buffering or \s-1SSL BIO\s0 is required for each connection. The
 chain of BIOs must not be freed after this call, they will
 be automatically freed when the accept \s-1BIO\s0 is freed.
 .PP
 \&\fIBIO_set_bind_mode()\fR and \fIBIO_get_bind_mode()\fR set and retrieve
-the current bind mode. If \s-1BIO_BIND_NORMAL\s0 (the default) is set
+the current bind mode. If \s-1BIO_BIND_NORMAL \s0(the default) is set
 then another socket cannot be bound to the same port. If
 \&\s-1BIO_BIND_REUSEADDR\s0 is set then other sockets can bind to the
 same port. If \s-1BIO_BIND_REUSEADDR_IF_UNUSED\s0 is set then and
-attempt is first made to use \s-1BIO_BIN_NORMAL\s0, if this fails
+attempt is first made to use \s-1BIO_BIN_NORMAL,\s0 if this fails
 and the port is not in use then a second attempt is made
-using \s-1BIO_BIND_REUSEADDR\s0.
+using \s-1BIO_BIND_REUSEADDR.\s0
 .PP
 \&\fIBIO_do_accept()\fR serves two functions. When it is first
 called, after the accept \s-1BIO\s0 has been setup, it will attempt
@@ -235,7 +244,7 @@ an initial accept socket will await an incoming connection then
 perform I/O on it.
 .PP
 If any additional BIOs have been set using \fIBIO_set_accept_bios()\fR
-then they are placed between the socket and the accept \s-1BIO\s0,
+then they are placed between the socket and the accept \s-1BIO,\s0
 that is the chain will be accept\->otherbios\->socket.
 .PP
 If a server wishes to process multiple connections (as is normally
@@ -261,7 +270,7 @@ and freeing up the accept \s-1BIO\s0 after the initial connection.
 .PP
 If the underlying accept socket is non-blocking and \fIBIO_do_accept()\fR is
 called to await an incoming connection it is possible for
-\&\fIBIO_should_io_special()\fR with the reason \s-1BIO_RR_ACCEPT\s0. If this happens
+\&\fIBIO_should_io_special()\fR with the reason \s-1BIO_RR_ACCEPT.\s0 If this happens
 then it is an indication that an accept attempt would block: the application
 should take appropriate action to wait until the underlying socket has
 accepted a connection and retry the call.
diff --git a/secure/lib/libcrypto/man/BIO_s_bio.3 b/secure/lib/libcrypto/man/BIO_s_bio.3
index 30c4c92668b4..cb06b7b14432 100644
--- a/secure/lib/libcrypto/man/BIO_s_bio.3
+++ b/secure/lib/libcrypto/man/BIO_s_bio.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_bio 3"
-.TH BIO_s_bio 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_s_bio 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -170,7 +179,7 @@ Since \s-1BIO\s0 chains typically end in a source/sink \s-1BIO\s0 it is possible
 one half of a \s-1BIO\s0 pair and have all the data processed by the chain under application
 control.
 .PP
-One typical use of \s-1BIO\s0 pairs is to place \s-1TLS/SSL\s0 I/O under application control, this
+One typical use of \s-1BIO\s0 pairs is to place \s-1TLS/SSL I/O\s0 under application control, this
 can be used when the application wishes to use a non standard transport for
 \&\s-1TLS/SSL\s0 or the normal socket routines are inappropriate.
 .PP
@@ -190,12 +199,12 @@ determine the amount of pending data in the read or write buffer.
 \&\fIBIO_destroy_pair()\fR destroys the association between two connected BIOs. Freeing
 up any half of the pair will automatically destroy the association.
 .PP
-\&\fIBIO_shutdown_wr()\fR is used to close down a \s-1BIO\s0 \fBb\fR. After this call no further
-writes on \s-1BIO\s0 \fBb\fR are allowed (they will return an error). Reads on the other
+\&\fIBIO_shutdown_wr()\fR is used to close down a \s-1BIO \s0\fBb\fR. After this call no further
+writes on \s-1BIO \s0\fBb\fR are allowed (they will return an error). Reads on the other
 half of the pair will return any pending data or \s-1EOF\s0 when all pending data has
 been read.
 .PP
-\&\fIBIO_set_write_buf_size()\fR sets the write buffer size of \s-1BIO\s0 \fBb\fR to \fBsize\fR.
+\&\fIBIO_set_write_buf_size()\fR sets the write buffer size of \s-1BIO \s0\fBb\fR to \fBsize\fR.
 If the size is not initialized a default value is used. This is currently
 17K, sufficient for a maximum size \s-1TLS\s0 record.
 .PP
@@ -205,11 +214,11 @@ If the size is not initialized a default value is used. This is currently
 \&\fIBIO_set_write_buf_size()\fR to create a connected pair of BIOs \fBbio1\fR, \fBbio2\fR
 with write buffer sizes \fBwritebuf1\fR and \fBwritebuf2\fR. If either size is
 zero then the default size is used.  \fIBIO_new_bio_pair()\fR does not check whether
-\&\fBbio1\fR or \fBbio2\fR do point to some other \s-1BIO\s0, the values are overwritten,
+\&\fBbio1\fR or \fBbio2\fR do point to some other \s-1BIO,\s0 the values are overwritten,
 \&\fIBIO_free()\fR is not called.
 .PP
 \&\fIBIO_get_write_guarantee()\fR and \fIBIO_ctrl_get_write_guarantee()\fR return the maximum
-length of data that can be currently written to the \s-1BIO\s0. Writes larger than this
+length of data that can be currently written to the \s-1BIO.\s0 Writes larger than this
 value will return a value from \fIBIO_write()\fR less than the amount requested or if the
 buffer is full request a retry. \fIBIO_ctrl_get_write_guarantee()\fR is a function
 whereas \fIBIO_get_write_guarantee()\fR is a macro.
diff --git a/secure/lib/libcrypto/man/BIO_s_connect.3 b/secure/lib/libcrypto/man/BIO_s_connect.3
index 8691da8dee15..25cc4f9f91db 100644
--- a/secure/lib/libcrypto/man/BIO_s_connect.3
+++ b/secure/lib/libcrypto/man/BIO_s_connect.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_connect 3"
-.TH BIO_s_connect 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_s_connect 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -180,7 +189,7 @@ Calling \fIBIO_reset()\fR on a connect \s-1BIO\s0 will close any active
 connection and reset the \s-1BIO\s0 into a state where it can connect
 to the same host again.
 .PP
-\&\fIBIO_get_fd()\fR places the underlying socket in \fBc\fR if it is not \s-1NULL\s0,
+\&\fIBIO_get_fd()\fR places the underlying socket in \fBc\fR if it is not \s-1NULL,\s0
 it also returns the socket . If \fBc\fR is not \s-1NULL\s0 it should be of
 type (int *).
 .PP
@@ -220,7 +229,7 @@ non blocking I/O is set during the connect process.
 \&\fIBIO_new_connect()\fR combines \fIBIO_new()\fR and \fIBIO_set_conn_hostname()\fR into
 a single call: that is it creates a new connect \s-1BIO\s0 with \fBname\fR.
 .PP
-\&\fIBIO_do_connect()\fR attempts to connect the supplied \s-1BIO\s0. It returns 1
+\&\fIBIO_do_connect()\fR attempts to connect the supplied \s-1BIO.\s0 It returns 1
 if the connection was established successfully. A zero or negative
 value is returned if the connection could not be established, the
 call \fIBIO_should_retry()\fR should be used for non blocking connect BIOs
@@ -250,7 +259,7 @@ If non blocking I/O is set then retries will be requested as appropriate.
 .PP
 It addition to \fIBIO_should_read()\fR and \fIBIO_should_write()\fR it is also
 possible for \fIBIO_should_io_special()\fR to be true during the initial
-connection process with the reason \s-1BIO_RR_CONNECT\s0. If this is returned
+connection process with the reason \s-1BIO_RR_CONNECT.\s0 If this is returned
 then this is an indication that a connection attempt would block,
 the application should then take appropriate action to wait until
 the underlying socket has connected and retry the call.
diff --git a/secure/lib/libcrypto/man/BIO_s_fd.3 b/secure/lib/libcrypto/man/BIO_s_fd.3
index 02a2d7b3135e..3cbebb0382d5 100644
--- a/secure/lib/libcrypto/man/BIO_s_fd.3
+++ b/secure/lib/libcrypto/man/BIO_s_fd.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_fd 3"
-.TH BIO_s_fd 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_s_fd 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -162,10 +171,10 @@ using lseek(fd, ofs, 0).
 .PP
 \&\fIBIO_tell()\fR returns the current file position by calling lseek(fd, 0, 1).
 .PP
-\&\fIBIO_set_fd()\fR sets the file descriptor of \s-1BIO\s0 \fBb\fR to \fBfd\fR and the close
+\&\fIBIO_set_fd()\fR sets the file descriptor of \s-1BIO \s0\fBb\fR to \fBfd\fR and the close
 flag to \fBc\fR.
 .PP
-\&\fIBIO_get_fd()\fR places the file descriptor in \fBc\fR if it is not \s-1NULL\s0, it also
+\&\fIBIO_get_fd()\fR places the file descriptor in \fBc\fR if it is not \s-1NULL,\s0 it also
 returns the file descriptor. If \fBc\fR is not \s-1NULL\s0 it should be of type
 (int *).
 .PP
diff --git a/secure/lib/libcrypto/man/BIO_s_file.3 b/secure/lib/libcrypto/man/BIO_s_file.3
index 5fbf16157c73..7c112863a503 100644
--- a/secure/lib/libcrypto/man/BIO_s_file.3
+++ b/secure/lib/libcrypto/man/BIO_s_file.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_file 3"
-.TH BIO_s_file 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_s_file 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -154,7 +163,7 @@ BIO_rw_filename \- FILE bio
 .IX Header "DESCRIPTION"
 \&\fIBIO_s_file()\fR returns the \s-1BIO\s0 file method. As its name implies it
 is a wrapper round the stdio \s-1FILE\s0 structure and it is a
-source/sink \s-1BIO\s0.
+source/sink \s-1BIO.\s0
 .PP
 Calls to \fIBIO_read()\fR and \fIBIO_write()\fR read and write data to the
 underlying stream. \fIBIO_gets()\fR and \fIBIO_puts()\fR are supported on file BIOs.
@@ -175,17 +184,17 @@ is freed.
 .PP
 \&\fIBIO_new_file()\fR creates a new file \s-1BIO\s0 with mode \fBmode\fR the meaning
 of \fBmode\fR is the same as the stdio function \fIfopen()\fR. The \s-1BIO_CLOSE\s0
-flag is set on the returned \s-1BIO\s0.
+flag is set on the returned \s-1BIO.\s0
 .PP
 \&\fIBIO_new_fp()\fR creates a file \s-1BIO\s0 wrapping \fBstream\fR. Flags can be:
-\&\s-1BIO_CLOSE\s0, \s-1BIO_NOCLOSE\s0 (the close flag) \s-1BIO_FP_TEXT\s0 (sets the underlying
+\&\s-1BIO_CLOSE, BIO_NOCLOSE \s0(the close flag) \s-1BIO_FP_TEXT \s0(sets the underlying
 stream to text mode, default is binary: this only has any effect under
 Win32).
 .PP
 \&\fIBIO_set_fp()\fR set the fp of a file \s-1BIO\s0 to \fBfp\fR. \fBflags\fR has the same
 meaning as in \fIBIO_new_fp()\fR, it is a macro.
 .PP
-\&\fIBIO_get_fp()\fR retrieves the fp of a file \s-1BIO\s0, it is a macro.
+\&\fIBIO_get_fp()\fR retrieves the fp of a file \s-1BIO,\s0 it is a macro.
 .PP
 \&\fIBIO_seek()\fR is a macro that sets the position pointer to \fBoffset\fR bytes
 from the start of file.
@@ -193,7 +202,7 @@ from the start of file.
 \&\fIBIO_tell()\fR returns the value of the position pointer.
 .PP
 \&\fIBIO_read_filename()\fR, \fIBIO_write_filename()\fR, \fIBIO_append_filename()\fR and
-\&\fIBIO_rw_filename()\fR set the file \s-1BIO\s0 \fBb\fR to use file \fBname\fR for
+\&\fIBIO_rw_filename()\fR set the file \s-1BIO \s0\fBb\fR to use file \fBname\fR for
 reading, writing, append or read write respectively.
 .SH "NOTES"
 .IX Header "NOTES"
@@ -201,14 +210,14 @@ When wrapping stdout, stdin or stderr the underlying stream should not
 normally be closed so the \s-1BIO_NOCLOSE\s0 flag should be set.
 .PP
 Because the file \s-1BIO\s0 calls the underlying stdio functions any quirks
-in stdio behaviour will be mirrored by the corresponding \s-1BIO\s0.
+in stdio behaviour will be mirrored by the corresponding \s-1BIO.\s0
 .PP
 On Windows BIO_new_files reserves for the filename argument to be
 \&\s-1UTF\-8\s0 encoded. In other words if you have to make it work in multi\-
-lingual environment, encode file names in \s-1UTF\-8\s0.
+lingual environment, encode file names in \s-1UTF\-8.\s0
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
-File \s-1BIO\s0 \*(L"hello world\*(R":
+File \s-1BIO \s0\*(L"hello world\*(R":
 .PP
 .Vb 3
 \& BIO *bio_out;
diff --git a/secure/lib/libcrypto/man/BIO_s_mem.3 b/secure/lib/libcrypto/man/BIO_s_mem.3
index 3c1c6205ec00..a9f88cd144cd 100644
--- a/secure/lib/libcrypto/man/BIO_s_mem.3
+++ b/secure/lib/libcrypto/man/BIO_s_mem.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_mem 3"
-.TH BIO_s_mem 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_s_mem 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -156,7 +165,7 @@ as appropriate to accommodate the stored data.
 .PP
 Any data written to a memory \s-1BIO\s0 can be recalled by reading from it.
 Unless the memory \s-1BIO\s0 is read only any data read from it is deleted from
-the \s-1BIO\s0.
+the \s-1BIO.\s0
 .PP
 Memory BIOs support \fIBIO_gets()\fR and \fIBIO_puts()\fR.
 .PP
@@ -167,12 +176,12 @@ Calling \fIBIO_reset()\fR on a read write memory \s-1BIO\s0 clears any data in i
 read only \s-1BIO\s0 it restores the \s-1BIO\s0 to its original state and the read only
 data can be read again.
 .PP
-\&\fIBIO_eof()\fR is true if no data is in the \s-1BIO\s0.
+\&\fIBIO_eof()\fR is true if no data is in the \s-1BIO.\s0
 .PP
 \&\fIBIO_ctrl_pending()\fR returns the number of bytes currently stored.
 .PP
-\&\fIBIO_set_mem_eof_return()\fR sets the behaviour of memory \s-1BIO\s0 \fBb\fR when it is
-empty. If the \fBv\fR is zero then an empty memory \s-1BIO\s0 will return \s-1EOF\s0 (that is
+\&\fIBIO_set_mem_eof_return()\fR sets the behaviour of memory \s-1BIO \s0\fBb\fR when it is
+empty. If the \fBv\fR is zero then an empty memory \s-1BIO\s0 will return \s-1EOF \s0(that is
 it will return zero and BIO_should_retry(b) will be false. If \fBv\fR is non
 zero then it will return \fBv\fR when it is empty and it will set the read retry
 flag (that is BIO_read_retry(b) is true). To avoid ambiguity with a normal
@@ -182,7 +191,7 @@ positive return value \fBv\fR should be set to a negative value, typically \-1.
 and returns the total amount of data available. It is implemented as a macro.
 .PP
 \&\fIBIO_set_mem_buf()\fR sets the internal \s-1BUF_MEM\s0 structure to \fBbm\fR and sets the
-close flag to \fBc\fR, that is \fBc\fR should be either \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE\s0.
+close flag to \fBc\fR, that is \fBc\fR should be either \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0
 It is a macro.
 .PP
 \&\fIBIO_get_mem_ptr()\fR places the underlying \s-1BUF_MEM\s0 structure in \fBpp\fR. It is
@@ -192,7 +201,7 @@ a macro.
 if \fBlen\fR is \-1 then the \fBbuf\fR is assumed to be null terminated and its
 length is determined by \fBstrlen\fR. The \s-1BIO\s0 is set to a read only state and
 as a result cannot be written to. This is useful when some data needs to be
-made available from a static area of memory in the form of a \s-1BIO\s0. The
+made available from a static area of memory in the form of a \s-1BIO.\s0 The
 supplied data is read directly from the supplied buffer: it is \fBnot\fR copied
 first, so the supplied area of memory must be unchanged until the \s-1BIO\s0 is freed.
 .SH "NOTES"
@@ -207,7 +216,7 @@ memory \s-1BIO\s0 avoids this problem. If the \s-1BIO\s0 must be read write then
 a buffering \s-1BIO\s0 to the chain will speed up the process.
 .SH "BUGS"
 .IX Header "BUGS"
-There should be an option to set the maximum size of a memory \s-1BIO\s0.
+There should be an option to set the maximum size of a memory \s-1BIO.\s0
 .PP
 There should be a way to \*(L"rewind\*(R" a read write \s-1BIO\s0 without destroying
 its contents.
diff --git a/secure/lib/libcrypto/man/BIO_s_null.3 b/secure/lib/libcrypto/man/BIO_s_null.3
index 21e017259f41..f901b30b060c 100644
--- a/secure/lib/libcrypto/man/BIO_s_null.3
+++ b/secure/lib/libcrypto/man/BIO_s_null.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_null 3"
-.TH BIO_s_null 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_s_null 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -141,7 +150,7 @@ BIO_s_null \- null data sink
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fIBIO_s_null()\fR returns the null sink \s-1BIO\s0 method. Data written to
-the null sink is discarded, reads return \s-1EOF\s0.
+the null sink is discarded, reads return \s-1EOF.\s0
 .SH "NOTES"
 .IX Header "NOTES"
 A null sink \s-1BIO\s0 behaves in a similar manner to the Unix /dev/null
diff --git a/secure/lib/libcrypto/man/BIO_s_socket.3 b/secure/lib/libcrypto/man/BIO_s_socket.3
index 62f133c03f8f..1a5e6c756a5b 100644
--- a/secure/lib/libcrypto/man/BIO_s_socket.3
+++ b/secure/lib/libcrypto/man/BIO_s_socket.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_s_socket 3"
-.TH BIO_s_socket 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_s_socket 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -154,10 +163,10 @@ round the platform's socket routines.
 If the close flag is set then the socket is shut down and closed
 when the \s-1BIO\s0 is freed.
 .PP
-\&\fIBIO_set_fd()\fR sets the socket of \s-1BIO\s0 \fBb\fR to \fBfd\fR and the close
+\&\fIBIO_set_fd()\fR sets the socket of \s-1BIO \s0\fBb\fR to \fBfd\fR and the close
 flag to \fBclose_flag\fR.
 .PP
-\&\fIBIO_get_fd()\fR places the socket in \fBc\fR if it is not \s-1NULL\s0, it also
+\&\fIBIO_get_fd()\fR places the socket in \fBc\fR if it is not \s-1NULL,\s0 it also
 returns the socket. If \fBc\fR is not \s-1NULL\s0 it should be of type (int *).
 .PP
 \&\fIBIO_new_socket()\fR returns a socket \s-1BIO\s0 using \fBsock\fR and \fBclose_flag\fR.
diff --git a/secure/lib/libcrypto/man/BIO_set_callback.3 b/secure/lib/libcrypto/man/BIO_set_callback.3
index 5e9004c8cb7e..9a5c192507da 100644
--- a/secure/lib/libcrypto/man/BIO_set_callback.3
+++ b/secure/lib/libcrypto/man/BIO_set_callback.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_set_callback 3"
-.TH BIO_set_callback 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_set_callback 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -170,7 +179,7 @@ The \s-1BIO\s0 the callback is attached to is passed in \fBb\fR.
 .PP
 \&\fBoper\fR is set to the operation being performed. For some operations
 the callback is called twice, once before and once after the actual
-operation, the latter case has \fBoper\fR or'ed with \s-1BIO_CB_RETURN\s0.
+operation, the latter case has \fBoper\fR or'ed with \s-1BIO_CB_RETURN.\s0
 .PP
 The meaning of the arguments \fBargp\fR, \fBargi\fR and \fBargl\fR depends on
 the value of \fBoper\fR, that is the operation being performed.
@@ -189,26 +198,26 @@ value returned to the application.
 .IX Header "CALLBACK OPERATIONS"
 .IP "\fBBIO_free(b)\fR" 4
 .IX Item "BIO_free(b)"
-callback(b, \s-1BIO_CB_FREE\s0, \s-1NULL\s0, 0L, 0L, 1L) is called before the
+callback(b, \s-1BIO_CB_FREE, NULL, 0L, 0L, 1L\s0) is called before the
 free operation.
 .IP "\fBBIO_read(b, out, outl)\fR" 4
 .IX Item "BIO_read(b, out, outl)"
-callback(b, \s-1BIO_CB_READ\s0, out, outl, 0L, 1L) is called before
+callback(b, \s-1BIO_CB_READ,\s0 out, outl, 0L, 1L) is called before
 the read and callback(b, BIO_CB_READ|BIO_CB_RETURN, out, outl, 0L, retvalue)
 after.
 .IP "\fBBIO_write(b, in, inl)\fR" 4
 .IX Item "BIO_write(b, in, inl)"
-callback(b, \s-1BIO_CB_WRITE\s0, in, inl, 0L, 1L) is called before
+callback(b, \s-1BIO_CB_WRITE,\s0 in, inl, 0L, 1L) is called before
 the write and callback(b, BIO_CB_WRITE|BIO_CB_RETURN, in, inl, 0L, retvalue)
 after.
 .IP "\fBBIO_gets(b, out, outl)\fR" 4
 .IX Item "BIO_gets(b, out, outl)"
-callback(b, \s-1BIO_CB_GETS\s0, out, outl, 0L, 1L) is called before
+callback(b, \s-1BIO_CB_GETS,\s0 out, outl, 0L, 1L) is called before
 the operation and callback(b, BIO_CB_GETS|BIO_CB_RETURN, out, outl, 0L, retvalue)
 after.
 .IP "\fBBIO_puts(b, in)\fR" 4
 .IX Item "BIO_puts(b, in)"
-callback(b, \s-1BIO_CB_WRITE\s0, in, 0, 0L, 1L) is called before
+callback(b, \s-1BIO_CB_WRITE,\s0 in, 0, 0L, 1L) is called before
 the operation and callback(b, BIO_CB_WRITE|BIO_CB_RETURN, in, 0, 0L, retvalue)
 after.
 .IP "\fBBIO_ctrl(\s-1BIO\s0 *b, int cmd, long larg, void *parg)\fR" 4
diff --git a/secure/lib/libcrypto/man/BIO_should_retry.3 b/secure/lib/libcrypto/man/BIO_should_retry.3
index 610c4613c315..51dda3763b36 100644
--- a/secure/lib/libcrypto/man/BIO_should_retry.3
+++ b/secure/lib/libcrypto/man/BIO_should_retry.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BIO_should_retry 3"
-.TH BIO_should_retry 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BIO_should_retry 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -185,7 +194,7 @@ the reason code and the action that should be taken depends on
 the type of \s-1BIO\s0 that resulted in this condition.
 .PP
 \&\fIBIO_get_retry_reason()\fR returns the reason for a special condition if
-passed the relevant \s-1BIO\s0, for example as returned by \fIBIO_get_retry_BIO()\fR.
+passed the relevant \s-1BIO,\s0 for example as returned by \fIBIO_get_retry_BIO()\fR.
 .SH "NOTES"
 .IX Header "NOTES"
 If \fIBIO_should_retry()\fR returns false then the precise \*(L"error condition\*(R"
@@ -193,7 +202,7 @@ depends on the \s-1BIO\s0 type that caused it and the return code of the \s-1BIO
 operation. For example if a call to \fIBIO_read()\fR on a socket \s-1BIO\s0 returns
 0 and \fIBIO_should_retry()\fR is false then the cause will be that the
 connection closed. A similar condition on a file \s-1BIO\s0 will mean that it
-has reached \s-1EOF\s0. Some \s-1BIO\s0 types may place additional information on
+has reached \s-1EOF.\s0 Some \s-1BIO\s0 types may place additional information on
 the error queue. For more details see the individual \s-1BIO\s0 type manual
 pages.
 .PP
@@ -201,7 +210,7 @@ If the underlying I/O structure is in a blocking mode almost all current
 \&\s-1BIO\s0 types will not request a retry, because the underlying I/O
 calls will not. If the application knows that the \s-1BIO\s0 type will never
 signal a retry then it need not call \fIBIO_should_retry()\fR after a failed
-\&\s-1BIO\s0 I/O call. This is typically done with file BIOs.
+\&\s-1BIO I/O\s0 call. This is typically done with file BIOs.
 .PP
 \&\s-1SSL\s0 BIOs are the only current exception to this rule: they can request a
 retry even if the underlying I/O structure is blocking, if a handshake
diff --git a/secure/lib/libcrypto/man/BN_BLINDING_new.3 b/secure/lib/libcrypto/man/BN_BLINDING_new.3
index 0c7826276737..2f7f6b5fadc7 100644
--- a/secure/lib/libcrypto/man/BN_BLINDING_new.3
+++ b/secure/lib/libcrypto/man/BN_BLINDING_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_BLINDING_new 3"
-.TH BN_BLINDING_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_BLINDING_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -176,14 +185,14 @@ necessary parameters are set, by re-creating the blinding parameters.
 .PP
 \&\fIBN_BLINDING_convert_ex()\fR multiplies \fBn\fR with the blinding factor \fBA\fR.
 If \fBr\fR is not \s-1NULL\s0 a copy the inverse blinding factor \fBAi\fR will be
-returned in \fBr\fR (this is useful if a \fB\s-1RSA\s0\fR object is shared amoung
+returned in \fBr\fR (this is useful if a \fB\s-1RSA\s0\fR object is shared among
 several threads). \fIBN_BLINDING_invert_ex()\fR multiplies \fBn\fR with the
 inverse blinding factor \fBAi\fR. If \fBr\fR is not \s-1NULL\s0 it will be used as
 the inverse blinding.
 .PP
 \&\fIBN_BLINDING_convert()\fR and \fIBN_BLINDING_invert()\fR are wrapper
 functions for \fIBN_BLINDING_convert_ex()\fR and \fIBN_BLINDING_invert_ex()\fR
-with \fBr\fR set to \s-1NULL\s0.
+with \fBr\fR set to \s-1NULL.\s0
 .PP
 \&\fIBN_BLINDING_thread_id()\fR provides access to the \fB\s-1CRYPTO_THREADID\s0\fR
 object within the \fB\s-1BN_BLINDING\s0\fR structure. This is to help users
diff --git a/secure/lib/libcrypto/man/BN_CTX_new.3 b/secure/lib/libcrypto/man/BN_CTX_new.3
index 1509f140086d..9af33f09c098 100644
--- a/secure/lib/libcrypto/man/BN_CTX_new.3
+++ b/secure/lib/libcrypto/man/BN_CTX_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_CTX_new 3"
-.TH BN_CTX_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_CTX_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_CTX_start.3 b/secure/lib/libcrypto/man/BN_CTX_start.3
index 05c128e39969..1abf036235b5 100644
--- a/secure/lib/libcrypto/man/BN_CTX_start.3
+++ b/secure/lib/libcrypto/man/BN_CTX_start.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_CTX_start 3"
-.TH BN_CTX_start 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_CTX_start 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_add.3 b/secure/lib/libcrypto/man/BN_add.3
index 677a2ea0e3d6..b594ac0053b8 100644
--- a/secure/lib/libcrypto/man/BN_add.3
+++ b/secure/lib/libcrypto/man/BN_add.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_add 3"
-.TH BN_add 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_add 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_add_word.3 b/secure/lib/libcrypto/man/BN_add_word.3
index 82bcdcdc866f..7ce104e856b6 100644
--- a/secure/lib/libcrypto/man/BN_add_word.3
+++ b/secure/lib/libcrypto/man/BN_add_word.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_add_word 3"
-.TH BN_add_word 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_add_word 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_bn2bin.3 b/secure/lib/libcrypto/man/BN_bn2bin.3
index d498ea15ccd6..a7a4b4861b9e 100644
--- a/secure/lib/libcrypto/man/BN_bn2bin.3
+++ b/secure/lib/libcrypto/man/BN_bn2bin.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_bn2bin 3"
-.TH BN_bn2bin 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_bn2bin 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -159,7 +168,7 @@ memory.
 .PP
 \&\fIBN_bin2bn()\fR converts the positive integer in big-endian form of length
 \&\fBlen\fR at \fBs\fR into a \fB\s-1BIGNUM\s0\fR and places it in \fBret\fR. If \fBret\fR is
-\&\s-1NULL\s0, a new \fB\s-1BIGNUM\s0\fR is created.
+\&\s-1NULL,\s0 a new \fB\s-1BIGNUM\s0\fR is created.
 .PP
 \&\fIBN_bn2hex()\fR and \fIBN_bn2dec()\fR return printable strings containing the
 hexadecimal and decimal encoding of \fBa\fR respectively. For negative
@@ -167,8 +176,8 @@ numbers, the string is prefaced with a leading '\-'. The string must be
 freed later using \fIOPENSSL_free()\fR.
 .PP
 \&\fIBN_hex2bn()\fR converts the string \fBstr\fR containing a hexadecimal number
-to a \fB\s-1BIGNUM\s0\fR and stores it in **\fBbn\fR. If *\fBbn\fR is \s-1NULL\s0, a new
-\&\fB\s-1BIGNUM\s0\fR is created. If \fBbn\fR is \s-1NULL\s0, it only computes the number's
+to a \fB\s-1BIGNUM\s0\fR and stores it in **\fBbn\fR. If *\fBbn\fR is \s-1NULL,\s0 a new
+\&\fB\s-1BIGNUM\s0\fR is created. If \fBbn\fR is \s-1NULL,\s0 it only computes the number's
 length in hexadecimal digits. If the string starts with '\-', the
 number is negative. \fIBN_dec2bn()\fR is the same using the decimal system.
 .PP
@@ -188,7 +197,7 @@ calling BN_bn2mpi(\fBa\fR, \s-1NULL\s0).
 .PP
 \&\fIBN_mpi2bn()\fR converts the \fBlen\fR bytes long representation at \fBs\fR to
 a \fB\s-1BIGNUM\s0\fR and stores it at \fBret\fR, or in a newly allocated \fB\s-1BIGNUM\s0\fR
-if \fBret\fR is \s-1NULL\s0.
+if \fBret\fR is \s-1NULL.\s0
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fIBN_bn2bin()\fR returns the length of the big-endian number placed at \fBto\fR.
diff --git a/secure/lib/libcrypto/man/BN_cmp.3 b/secure/lib/libcrypto/man/BN_cmp.3
index 1d28a8c62cbd..bb39c1e1270f 100644
--- a/secure/lib/libcrypto/man/BN_cmp.3
+++ b/secure/lib/libcrypto/man/BN_cmp.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_cmp 3"
-.TH BN_cmp 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_cmp 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_copy.3 b/secure/lib/libcrypto/man/BN_copy.3
index 2bea319bd6d9..4ae8762949f0 100644
--- a/secure/lib/libcrypto/man/BN_copy.3
+++ b/secure/lib/libcrypto/man/BN_copy.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_copy 3"
-.TH BN_copy 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_copy 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_generate_prime.3 b/secure/lib/libcrypto/man/BN_generate_prime.3
index 898ce6a26791..45b329dca5f6 100644
--- a/secure/lib/libcrypto/man/BN_generate_prime.3
+++ b/secure/lib/libcrypto/man/BN_generate_prime.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_generate_prime 3"
-.TH BN_generate_prime 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_generate_prime 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_mod_inverse.3 b/secure/lib/libcrypto/man/BN_mod_inverse.3
index 063e91c5612e..146cc4d53d26 100644
--- a/secure/lib/libcrypto/man/BN_mod_inverse.3
+++ b/secure/lib/libcrypto/man/BN_mod_inverse.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_mod_inverse 3"
-.TH BN_mod_inverse 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_mod_inverse 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -142,7 +151,7 @@ BN_mod_inverse \- compute inverse modulo n
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fIBN_mod_inverse()\fR computes the inverse of \fBa\fR modulo \fBn\fR
-places the result in \fBr\fR (\f(CW\*(C`(a*r)%n==1\*(C'\fR). If \fBr\fR is \s-1NULL\s0,
+places the result in \fBr\fR (\f(CW\*(C`(a*r)%n==1\*(C'\fR). If \fBr\fR is \s-1NULL,\s0
 a new \fB\s-1BIGNUM\s0\fR is created.
 .PP
 \&\fBctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for temporary
diff --git a/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 b/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
index 5e120d83fd21..076596012f64 100644
--- a/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
+++ b/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_mod_mul_montgomery 3"
-.TH BN_mod_mul_montgomery 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_mod_mul_montgomery 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 b/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
index 9f858bdba5b5..3c83751f4cb9 100644
--- a/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
+++ b/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_mod_mul_reciprocal 3"
-.TH BN_mod_mul_reciprocal 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_mod_mul_reciprocal 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_new.3 b/secure/lib/libcrypto/man/BN_new.3
index a0ac320c9cc6..fc86236c0a26 100644
--- a/secure/lib/libcrypto/man/BN_new.3
+++ b/secure/lib/libcrypto/man/BN_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_new 3"
-.TH BN_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_num_bytes.3 b/secure/lib/libcrypto/man/BN_num_bytes.3
index adfc301b4532..56de76d428a8 100644
--- a/secure/lib/libcrypto/man/BN_num_bytes.3
+++ b/secure/lib/libcrypto/man/BN_num_bytes.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_num_bytes 3"
-.TH BN_num_bytes 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_num_bytes 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_rand.3 b/secure/lib/libcrypto/man/BN_rand.3
index cbaae64a2359..64161bb36a30 100644
--- a/secure/lib/libcrypto/man/BN_rand.3
+++ b/secure/lib/libcrypto/man/BN_rand.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_rand 3"
-.TH BN_rand 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_rand 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_set_bit.3 b/secure/lib/libcrypto/man/BN_set_bit.3
index 872d99c0ac39..0f5eab6177b6 100644
--- a/secure/lib/libcrypto/man/BN_set_bit.3
+++ b/secure/lib/libcrypto/man/BN_set_bit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_set_bit 3"
-.TH BN_set_bit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_set_bit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_swap.3 b/secure/lib/libcrypto/man/BN_swap.3
index 5891509b391a..a08c1305e11a 100644
--- a/secure/lib/libcrypto/man/BN_swap.3
+++ b/secure/lib/libcrypto/man/BN_swap.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_swap 3"
-.TH BN_swap 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_swap 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/BN_zero.3 b/secure/lib/libcrypto/man/BN_zero.3
index 389d294ff8b2..14de9ace9647 100644
--- a/secure/lib/libcrypto/man/BN_zero.3
+++ b/secure/lib/libcrypto/man/BN_zero.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BN_zero 3"
-.TH BN_zero 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH BN_zero 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/CMS_add0_cert.3 b/secure/lib/libcrypto/man/CMS_add0_cert.3
index 0bd607fe7eff..be4d095cedec 100644
--- a/secure/lib/libcrypto/man/CMS_add0_cert.3
+++ b/secure/lib/libcrypto/man/CMS_add0_cert.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_add0_cert 3"
-.TH CMS_add0_cert 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_add0_cert 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -153,7 +162,7 @@ must be of type signed data or enveloped data.
 .PP
 \&\fICMS_get1_certs()\fR returns all certificates in \fBcms\fR.
 .PP
-\&\fICMS_add0_crl()\fR and \fICMS_add1_crl()\fR add \s-1CRL\s0 \fBcrl\fR to \fBcms\fR. \fICMS_get1_crls()\fR
+\&\fICMS_add0_crl()\fR and \fICMS_add1_crl()\fR add \s-1CRL \s0\fBcrl\fR to \fBcms\fR. \fICMS_get1_crls()\fR
 returns any CRLs in \fBcms\fR.
 .SH "NOTES"
 .IX Header "NOTES"
diff --git a/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
index 3d7a1f336c71..f10f6994035b 100644
--- a/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
+++ b/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_add1_recipient_cert 3"
-.TH CMS_add1_recipient_cert 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_add1_recipient_cert 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/CMS_add1_signer.3 b/secure/lib/libcrypto/man/CMS_add1_signer.3
new file mode 100644
index 000000000000..71cb2695638d
--- /dev/null
+++ b/secure/lib/libcrypto/man/CMS_add1_signer.3
@@ -0,0 +1,233 @@
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+.    ds C`
+.    ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
+..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
+.\}
+.rr rF
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "CMS_add1_signer 3"
+.TH CMS_add1_signer 3 "2015-01-15" "1.0.1l" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+.Vb 1
+\& CMS_add1_signer, CMS_SignerInfo_sign \- add a signer to a CMS_ContentInfo signed data structure.
+.Ve
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/cms.h>
+\&
+\& CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, unsigned int flags);
+\&
+\& int CMS_SignerInfo_sign(CMS_SignerInfo *si);
+.Ve
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fICMS_add1_signer()\fR adds a signer with certificate \fBsigncert\fR and private
+key \fBpkey\fR using message digest \fBmd\fR to CMS_ContentInfo SignedData
+structure \fBcms\fR.
+.PP
+The CMS_ContentInfo structure should be obtained from an initial call to
+\&\fICMS_sign()\fR with the flag \fB\s-1CMS_PARTIAL\s0\fR set or in the case or re-signing a
+valid CMS_ContentInfo SignedData structure.
+.PP
+If the \fBmd\fR parameter is \fB\s-1NULL\s0\fR then the default digest for the public
+key algorithm will be used.
+.PP
+Unless the \fB\s-1CMS_REUSE_DIGEST\s0\fR flag is set the returned CMS_ContentInfo
+structure is not complete and must be finalized either by streaming (if
+applicable) or a call to \fICMS_final()\fR.
+.PP
+The \fICMS_SignerInfo_sign()\fR function will explicitly sign a CMS_SignerInfo
+structure, its main use is when \fB\s-1CMS_REUSE_DIGEST\s0\fR and \fB\s-1CMS_PARTIAL\s0\fR flags
+are both set.
+.SH "NOTES"
+.IX Header "NOTES"
+The main purpose of \fICMS_add1_signer()\fR is to provide finer control
+over a \s-1CMS\s0 signed data structure where the simpler \fICMS_sign()\fR function defaults
+are not appropriate. For example if multiple signers or non default digest
+algorithms are needed. New attributes can also be added using the returned
+CMS_SignerInfo structure and the \s-1CMS\s0 attribute utility functions or the
+\&\s-1CMS\s0 signed receipt request functions.
+.PP
+Any of the following flags (ored together) can be passed in the \fBflags\fR
+parameter.
+.PP
+If \fB\s-1CMS_REUSE_DIGEST\s0\fR is set then an attempt is made to copy the content
+digest value from the CMS_ContentInfo structure: to add a signer to an existing
+structure.  An error occurs if a matching digest value cannot be found to copy.
+The returned CMS_ContentInfo structure will be valid and finalized when this
+flag is set.
+.PP
+If \fB\s-1CMS_PARTIAL\s0\fR is set in addition to \fB\s-1CMS_REUSE_DIGEST\s0\fR then the 
+CMS_SignerInfo structure will not be finalized so additional attributes
+can be added. In this case an explicit call to \fICMS_SignerInfo_sign()\fR is
+needed to finalize it.
+.PP
+If \fB\s-1CMS_NOCERTS\s0\fR is set the signer's certificate will not be included in the
+CMS_ContentInfo structure, the signer's certificate must still be supplied in
+the \fBsigncert\fR parameter though. This can reduce the size of the signature if
+the signers certificate can be obtained by other means: for example a
+previously signed message.
+.PP
+The SignedData structure includes several \s-1CMS\s0 signedAttributes including the
+signing time, the \s-1CMS\s0 content type and the supported list of ciphers in an
+SMIMECapabilities attribute. If \fB\s-1CMS_NOATTR\s0\fR is set then no signedAttributes
+will be used. If \fB\s-1CMS_NOSMIMECAP\s0\fR is set then just the SMIMECapabilities are
+omitted.
+.PP
+OpenSSL will by default identify signing certificates using issuer name
+and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
+identifier value instead. An error occurs if the signing certificate does not
+have a subject key identifier extension.
+.PP
+If present the SMIMECapabilities attribute indicates support for the following
+algorithms in preference order: 256 bit \s-1AES,\s0 Gost R3411\-94, Gost 28147\-89, 192
+bit \s-1AES, 128\s0 bit \s-1AES,\s0 triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0
+If any of these algorithms is not available then it will not be included: for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST ENGINE\s0 is
+not loaded.
+.PP
+\&\fICMS_add1_signer()\fR returns an internal pointer to the CMS_SignerInfo
+structure just added, this can be used to set additional attributes 
+before it is finalized.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fICMS_add1_signer()\fR returns an internal pointer to the CMS_SignerInfo
+structure just added or \s-1NULL\s0 if an error occurs.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIERR_get_error\fR\|(3), \fICMS_sign\fR\|(3),
+\&\fICMS_final\fR\|(3),
+.SH "HISTORY"
+.IX Header "HISTORY"
+\&\fICMS_add1_signer()\fR was added to OpenSSL 0.9.8
diff --git a/secure/lib/libcrypto/man/CMS_compress.3 b/secure/lib/libcrypto/man/CMS_compress.3
index a942ffa3d88f..57aba1fac456 100644
--- a/secure/lib/libcrypto/man/CMS_compress.3
+++ b/secure/lib/libcrypto/man/CMS_compress.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_compress 3"
-.TH CMS_compress 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_compress 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -162,7 +171,7 @@ otherwise the translation will corrupt it. If \fB\s-1CMS_BINARY\s0\fR is set the
 \&\fB\s-1CMS_TEXT\s0\fR is ignored.
 .PP
 If the \fB\s-1CMS_STREAM\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
-returned suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
+returned suitable for streaming I/O: no data is read from the \s-1BIO \s0\fBin\fR.
 .PP
 The compressed data is included in the CMS_ContentInfo structure, unless
 \&\fB\s-1CMS_DETACHED\s0\fR is set in which case it is omitted. This is rarely used in
@@ -176,7 +185,7 @@ results.
 .PP
 Several functions including \fISMIME_write_CMS()\fR, \fIi2d_CMS_bio_stream()\fR,
 \&\fIPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming \s-1ASN1 \s0\fB\s-1BIO\s0\fR directly using
 \&\fIBIO_new_CMS()\fR.
 .PP
 Additional compression parameters such as the zlib compression level cannot
diff --git a/secure/lib/libcrypto/man/CMS_decrypt.3 b/secure/lib/libcrypto/man/CMS_decrypt.3
index 0ee1091cf2aa..e62c765e7a0f 100644
--- a/secure/lib/libcrypto/man/CMS_decrypt.3
+++ b/secure/lib/libcrypto/man/CMS_decrypt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_decrypt 3"
-.TH CMS_decrypt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_decrypt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,7 +157,7 @@ recipient's certificate, \fBout\fR is a \s-1BIO\s0 to write the content to and
 \&\fBflags\fR is an optional set of flags.
 .PP
 The \fBdcont\fR parameter is used in the rare case where the encrypted content
-is detached. It will normally be set to \s-1NULL\s0.
+is detached. It will normally be set to \s-1NULL.\s0
 .SH "NOTES"
 .IX Header "NOTES"
 \&\fIOpenSSL_add_all_algorithms()\fR (or equivalent) should be called before using this
@@ -156,16 +165,30 @@ function or errors about unknown algorithms will occur.
 .PP
 Although the recipients certificate is not needed to decrypt the data it is
 needed to locate the appropriate (of possible several) recipients in the \s-1CMS\s0
-structure. If \fBcert\fR is set to \s-1NULL\s0 all possible recipients are tried.
+structure.
+.PP
+If \fBcert\fR is set to \s-1NULL\s0 all possible recipients are tried. This case however
+is problematic. To thwart the \s-1MMA\s0 attack (Bleichenbacher's attack on
+\&\s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are tried whether they succeed or
+not. If no recipient succeeds then a random symmetric key is used to decrypt
+the content: this will typically output garbage and may (but is not guaranteed
+to) ultimately return a padding error only. If \fICMS_decrypt()\fR just returned an
+error when all recipient encrypted keys failed to decrypt an attacker could
+use this in a timing attack. If the special flag \fB\s-1CMS_DEBUG_DECRYPT\s0\fR is set
+then the above behaviour is modified and an error \fBis\fR returned if no
+recipient encrypted key can be decrypted \fBwithout\fR generating a random
+content encryption key. Applications should use this flag with
+\&\fBextreme caution\fR especially in automated gateways as it can leave them
+open to attack.
 .PP
 It is possible to determine the correct recipient key by other means (for
 example looking them up in a database) and setting them in the \s-1CMS\s0 structure
 in advance using the \s-1CMS\s0 utility functions such as \fICMS_set1_pkey()\fR. In this
-case both \fBcert\fR and \fBpkey\fR should be set to \s-1NULL\s0.
+case both \fBcert\fR and \fBpkey\fR should be set to \s-1NULL.\s0
 .PP
 To process KEKRecipientInfo types \fICMS_set1_key()\fR or \fICMS_RecipientInfo_set0_key()\fR
 and \fICMS_ReceipientInfo_decrypt()\fR should be called before \fICMS_decrypt()\fR and
-\&\fBcert\fR and \fBpkey\fR set to \s-1NULL\s0.
+\&\fBcert\fR and \fBpkey\fR set to \s-1NULL.\s0
 .PP
 The following flags can be passed in the \fBflags\fR parameter.
 .PP
diff --git a/secure/lib/libcrypto/man/CMS_encrypt.3 b/secure/lib/libcrypto/man/CMS_encrypt.3
index 416fbaec5fe0..0fc8cae518cd 100644
--- a/secure/lib/libcrypto/man/CMS_encrypt.3
+++ b/secure/lib/libcrypto/man/CMS_encrypt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_encrypt 3"
-.TH CMS_encrypt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_encrypt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -179,7 +188,7 @@ identifier value instead. An error occurs if all recipient certificates do not
 have a subject key identifier extension.
 .PP
 If the \fB\s-1CMS_STREAM\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
-returned suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
+returned suitable for streaming I/O: no data is read from the \s-1BIO \s0\fBin\fR.
 .PP
 If the \fB\s-1CMS_PARTIAL\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
 returned to which additional recipients and attributes can be added before
@@ -197,7 +206,7 @@ results.
 .PP
 Several functions including \fISMIME_write_CMS()\fR, \fIi2d_CMS_bio_stream()\fR,
 \&\fIPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming \s-1ASN1 \s0\fB\s-1BIO\s0\fR directly using
 \&\fIBIO_new_CMS()\fR.
 .PP
 The recipients specified in \fBcerts\fR use a \s-1CMS\s0 KeyTransRecipientInfo info
diff --git a/secure/lib/libcrypto/man/CMS_final.3 b/secure/lib/libcrypto/man/CMS_final.3
index cd8ffcc81be8..e55f62412c9e 100644
--- a/secure/lib/libcrypto/man/CMS_final.3
+++ b/secure/lib/libcrypto/man/CMS_final.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_final 3"
-.TH CMS_final 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_final 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ operations necessary on \fBcms\fR (digest computation for example) and set the
 appropriate fields. The parameter \fBdata\fR contains the content to be 
 processed. The \fBdcont\fR parameter contains a \s-1BIO\s0 to write content to after
 processing: this is only used with detached data and will usually be set to
-\&\s-1NULL\s0.
+\&\s-1NULL.\s0
 .SH "NOTES"
 .IX Header "NOTES"
 This function will normally be called when the \fB\s-1CMS_PARTIAL\s0\fR flag is used. It
diff --git a/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
index 4d9d1a2bf364..7bca00a6493b 100644
--- a/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
+++ b/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_get0_RecipientInfos 3"
-.TH CMS_get0_RecipientInfos 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_get0_RecipientInfos 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -157,24 +166,24 @@ The function \fICMS_get0_RecipientInfos()\fR returns all the CMS_RecipientInfo
 structures associated with a \s-1CMS\s0 EnvelopedData structure.
 .PP
 \&\fICMS_RecipientInfo_type()\fR returns the type of CMS_RecipientInfo structure \fBri\fR.
-It will currently return \s-1CMS_RECIPINFO_TRANS\s0, \s-1CMS_RECIPINFO_AGREE\s0,
-\&\s-1CMS_RECIPINFO_KEK\s0, \s-1CMS_RECIPINFO_PASS\s0, or \s-1CMS_RECIPINFO_OTHER\s0.
+It will currently return \s-1CMS_RECIPINFO_TRANS, CMS_RECIPINFO_AGREE,
+CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS,\s0 or \s-1CMS_RECIPINFO_OTHER.\s0
 .PP
 \&\fICMS_RecipientInfo_ktri_get0_signer_id()\fR retrieves the certificate recipient
 identifier associated with a specific CMS_RecipientInfo structure \fBri\fR, which
-must be of type \s-1CMS_RECIPINFO_TRANS\s0. Either the keyidentifier will be set in
+must be of type \s-1CMS_RECIPINFO_TRANS.\s0 Either the keyidentifier will be set in
 \&\fBkeyid\fR or \fBboth\fR issuer name and serial number in \fBissuer\fR and \fBsno\fR.
 .PP
 \&\fICMS_RecipientInfo_ktri_cert_cmp()\fR compares the certificate \fBcert\fR against the
-CMS_RecipientInfo structure \fBri\fR, which must be of type \s-1CMS_RECIPINFO_TRANS\s0.
+CMS_RecipientInfo structure \fBri\fR, which must be of type \s-1CMS_RECIPINFO_TRANS.\s0
 It returns zero if the comparison is successful and non zero if not.
 .PP
 \&\fICMS_RecipientInfo_set0_pkey()\fR associates the private key \fBpkey\fR with
 the CMS_RecipientInfo structure \fBri\fR, which must be of type
-\&\s-1CMS_RECIPINFO_TRANS\s0.
+\&\s-1CMS_RECIPINFO_TRANS.\s0
 .PP
 \&\fICMS_RecipientInfo_kekri_get0_id()\fR retrieves the key information from the
-CMS_RecipientInfo structure \fBri\fR which must be of type \s-1CMS_RECIPINFO_KEK\s0.  Any
+CMS_RecipientInfo structure \fBri\fR which must be of type \s-1CMS_RECIPINFO_KEK. \s0 Any
 of the remaining parameters can be \s-1NULL\s0 if the application is not interested in
 the value of a field. Where a field is optional and absent \s-1NULL\s0 will be written
 to the corresponding parameter. The keyEncryptionAlgorithm field is written to
@@ -185,12 +194,12 @@ present is written to \fBpdate\fR, if the \fBother\fR field is present the compo
 .PP
 \&\fICMS_RecipientInfo_kekri_id_cmp()\fR compares the \s-1ID\s0 in the \fBid\fR and \fBidlen\fR
 parameters against the \fBkeyIdentifier\fR CMS_RecipientInfo structure \fBri\fR,
-which must be of type \s-1CMS_RECIPINFO_KEK\s0.  It returns zero if the comparison is
+which must be of type \s-1CMS_RECIPINFO_KEK. \s0 It returns zero if the comparison is
 successful and non zero if not.
 .PP
 \&\fICMS_RecipientInfo_set0_key()\fR associates the symmetric key \fBkey\fR of length
 \&\fBkeylen\fR with the CMS_RecipientInfo structure \fBri\fR, which must be of type
-\&\s-1CMS_RECIPINFO_KEK\s0.
+\&\s-1CMS_RECIPINFO_KEK.\s0
 .PP
 \&\fICMS_RecipientInfo_decrypt()\fR attempts to decrypt CMS_RecipientInfo structure
 \&\fBri\fR in structure \fBcms\fR. A key must have been associated with the structure
diff --git a/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
index 469c40b9ea19..9e1ed7788df0 100644
--- a/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
+++ b/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_get0_SignerInfos 3"
-.TH CMS_get0_SignerInfos 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_get0_SignerInfos 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -168,7 +177,7 @@ of \fICMS_verify()\fR is not appropriate.
 .PP
 In typical usage and application will retrieve all CMS_SignerInfo structures
 using \fICMS_get0_SignerInfo()\fR and retrieve the identifier information using
-\&\s-1CMS\s0. It will then obtain the signer certificate by some unspecified means
+\&\s-1CMS.\s0 It will then obtain the signer certificate by some unspecified means
 (or return and error if it cannot be found) and set it using
 \&\fICMS_SignerInfo_set1_signer_cert()\fR.
 .PP
diff --git a/secure/lib/libcrypto/man/CMS_get0_type.3 b/secure/lib/libcrypto/man/CMS_get0_type.3
index e682adfc6495..f9c270440951 100644
--- a/secure/lib/libcrypto/man/CMS_get0_type.3
+++ b/secure/lib/libcrypto/man/CMS_get0_type.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_get0_type 3"
-.TH CMS_get0_type 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_get0_type 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
index 9ace85fb6ba2..407374206eca 100644
--- a/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
+++ b/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_get1_ReceiptRequest 3"
-.TH CMS_get1_ReceiptRequest 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_get1_ReceiptRequest 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@
 .IX Header "DESCRIPTION"
 \&\fICMS_ReceiptRequest_create0()\fR creates a signed receipt request structure. The
 \&\fBsignedContentIdentifier\fR field is set using \fBid\fR and \fBidlen\fR, or it is set
-to 32 bytes of pseudo random data if \fBid\fR is \s-1NULL\s0. If \fBreceiptList\fR is \s-1NULL\s0
+to 32 bytes of pseudo random data if \fBid\fR is \s-1NULL.\s0 If \fBreceiptList\fR is \s-1NULL\s0
 the allOrFirstTier option in \fBreceiptsFrom\fR is used and set to the value of
 the \fBallorfirst\fR parameter. If \fBreceiptList\fR is not \s-1NULL\s0 the \fBreceiptList\fR
 option in \fBreceiptsFrom\fR is used. The \fBreceiptsTo\fR parameter specifies the
@@ -166,7 +175,7 @@ otherwise the \fBreceiptList\fR field is copied to \fBplist\fR. The \fBreceiptsT
 parameter is copied to \fBprto\fR.
 .SH "NOTES"
 .IX Header "NOTES"
-For more details of the meaning of the fields see \s-1RFC2634\s0.
+For more details of the meaning of the fields see \s-1RFC2634.\s0
 .PP
 The contents of a signed receipt should only be considered meaningful if the
 corresponding CMS_ContentInfo structure can be successfully verified using
diff --git a/secure/lib/libcrypto/man/CMS_sign.3 b/secure/lib/libcrypto/man/CMS_sign.3
index c211731d059b..4d5ef8d7d89c 100644
--- a/secure/lib/libcrypto/man/CMS_sign.3
+++ b/secure/lib/libcrypto/man/CMS_sign.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_sign 3"
-.TH CMS_sign 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_sign 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,7 +157,7 @@ the certificate to sign with, \fBpkey\fR is the corresponding private key.
 structure (for example any intermediate CAs in the chain). Any or all of
 these parameters can be \fB\s-1NULL\s0\fR, see \fB\s-1NOTES\s0\fR below.
 .PP
-The data to be signed is read from \s-1BIO\s0 \fBdata\fR.
+The data to be signed is read from \s-1BIO \s0\fBdata\fR.
 .PP
 \&\fBflags\fR is an optional set of flags.
 .SH "NOTES"
@@ -183,9 +192,9 @@ will be used. If \fB\s-1CMS_NOSMIMECAP\s0\fR is set then just the SMIMECapabilit
 omitted.
 .PP
 If present the SMIMECapabilities attribute indicates support for the following
-algorithms in preference order: 256 bit \s-1AES\s0, Gost R3411\-94, Gost 28147\-89, 192
-bit \s-1AES\s0, 128 bit \s-1AES\s0, triple \s-1DES\s0, 128 bit \s-1RC2\s0, 64 bit \s-1RC2\s0, \s-1DES\s0 and 40 bit \s-1RC2\s0.
-If any of these algorithms is not available then it will not be included: for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST\s0 \s-1ENGINE\s0 is
+algorithms in preference order: 256 bit \s-1AES,\s0 Gost R3411\-94, Gost 28147\-89, 192
+bit \s-1AES, 128\s0 bit \s-1AES,\s0 triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0
+If any of these algorithms is not available then it will not be included: for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST ENGINE\s0 is
 not loaded.
 .PP
 OpenSSL will by default identify signing certificates using issuer name
@@ -210,7 +219,7 @@ results.
 .PP
 Several functions including \fISMIME_write_CMS()\fR, \fIi2d_CMS_bio_stream()\fR,
 \&\fIPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming \s-1ASN1 \s0\fB\s-1BIO\s0\fR directly using
 \&\fIBIO_new_CMS()\fR.
 .PP
 If a signer is specified it will use the default digest for the signing
diff --git a/secure/lib/libcrypto/man/CMS_sign_add1_signer.3 b/secure/lib/libcrypto/man/CMS_sign_add1_signer.3
index 98504a980767..e69de29bb2d1 100644
--- a/secure/lib/libcrypto/man/CMS_sign_add1_signer.3
+++ b/secure/lib/libcrypto/man/CMS_sign_add1_signer.3
@@ -1,224 +0,0 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings.  \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
-.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-.    ds -- \(*W-
-.    ds PI pi
-.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
-.    ds L" ""
-.    ds R" ""
-.    ds C` ""
-.    ds C' ""
-'br\}
-.el\{\
-.    ds -- \|\(em\|
-.    ds PI \(*p
-.    ds L" ``
-.    ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD.  Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
-..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.    \" fudge factors for nroff and troff
-.if n \{\
-.    ds #H 0
-.    ds #V .8m
-.    ds #F .3m
-.    ds #[ \f1
-.    ds #] \fP
-.\}
-.if t \{\
-.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-.    ds #V .6m
-.    ds #F 0
-.    ds #[ \&
-.    ds #] \&
-.\}
-.    \" simple accents for nroff and troff
-.if n \{\
-.    ds ' \&
-.    ds ` \&
-.    ds ^ \&
-.    ds , \&
-.    ds ~ ~
-.    ds /
-.\}
-.if t \{\
-.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-.    \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-.    \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-.    \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-.    ds : e
-.    ds 8 ss
-.    ds o a
-.    ds d- d\h'-1'\(ga
-.    ds D- D\h'-1'\(hy
-.    ds th \o'bp'
-.    ds Th \o'LP'
-.    ds ae ae
-.    ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "CMS_sign_add1_signer 3"
-.TH CMS_sign_add1_signer 3 "2013-02-11" "1.0.1e" "OpenSSL"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-.Vb 1
-\& CMS_sign_add1_signer, CMS_SignerInfo_sign \- add a signer to a CMS_ContentInfo signed data structure.
-.Ve
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-.Vb 1
-\& #include <openssl/cms.h>
-\&
-\& CMS_SignerInfo *CMS_sign_add1_signer(CMS_ContentInfo *cms, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, unsigned int flags);
-\&
-\& int CMS_SignerInfo_sign(CMS_SignerInfo *si);
-.Ve
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fICMS_sign_add1_signer()\fR adds a signer with certificate \fBsigncert\fR and private
-key \fBpkey\fR using message digest \fBmd\fR to CMS_ContentInfo SignedData
-structure \fBcms\fR.
-.PP
-The CMS_ContentInfo structure should be obtained from an initial call to
-\&\fICMS_sign()\fR with the flag \fB\s-1CMS_PARTIAL\s0\fR set or in the case or re-signing a
-valid CMS_ContentInfo SignedData structure.
-.PP
-If the \fBmd\fR parameter is \fB\s-1NULL\s0\fR then the default digest for the public
-key algorithm will be used.
-.PP
-Unless the \fB\s-1CMS_REUSE_DIGEST\s0\fR flag is set the returned CMS_ContentInfo
-structure is not complete and must be finalized either by streaming (if
-applicable) or a call to \fICMS_final()\fR.
-.PP
-The \fICMS_SignerInfo_sign()\fR function will explicitly sign a CMS_SignerInfo
-structure, its main use is when \fB\s-1CMS_REUSE_DIGEST\s0\fR and \fB\s-1CMS_PARTIAL\s0\fR flags
-are both set.
-.SH "NOTES"
-.IX Header "NOTES"
-The main purpose of \fICMS_sign_add1_signer()\fR is to provide finer control
-over a \s-1CMS\s0 signed data structure where the simpler \fICMS_sign()\fR function defaults
-are not appropriate. For example if multiple signers or non default digest
-algorithms are needed. New attributes can also be added using the returned
-CMS_SignerInfo structure and the \s-1CMS\s0 attribute utility functions or the
-\&\s-1CMS\s0 signed receipt request functions.
-.PP
-Any of the following flags (ored together) can be passed in the \fBflags\fR
-parameter.
-.PP
-If \fB\s-1CMS_REUSE_DIGEST\s0\fR is set then an attempt is made to copy the content
-digest value from the CMS_ContentInfo structure: to add a signer to an existing
-structure.  An error occurs if a matching digest value cannot be found to copy.
-The returned CMS_ContentInfo structure will be valid and finalized when this
-flag is set.
-.PP
-If \fB\s-1CMS_PARTIAL\s0\fR is set in addition to \fB\s-1CMS_REUSE_DIGEST\s0\fR then the 
-CMS_SignerInfo structure will not be finalized so additional attributes
-can be added. In this case an explicit call to \fICMS_SignerInfo_sign()\fR is
-needed to finalize it.
-.PP
-If \fB\s-1CMS_NOCERTS\s0\fR is set the signer's certificate will not be included in the
-CMS_ContentInfo structure, the signer's certificate must still be supplied in
-the \fBsigncert\fR parameter though. This can reduce the size of the signature if
-the signers certificate can be obtained by other means: for example a
-previously signed message.
-.PP
-The SignedData structure includes several \s-1CMS\s0 signedAttributes including the
-signing time, the \s-1CMS\s0 content type and the supported list of ciphers in an
-SMIMECapabilities attribute. If \fB\s-1CMS_NOATTR\s0\fR is set then no signedAttributes
-will be used. If \fB\s-1CMS_NOSMIMECAP\s0\fR is set then just the SMIMECapabilities are
-omitted.
-.PP
-OpenSSL will by default identify signing certificates using issuer name
-and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
-identifier value instead. An error occurs if the signing certificate does not
-have a subject key identifier extension.
-.PP
-If present the SMIMECapabilities attribute indicates support for the following
-algorithms in preference order: 256 bit \s-1AES\s0, Gost R3411\-94, Gost 28147\-89, 192
-bit \s-1AES\s0, 128 bit \s-1AES\s0, triple \s-1DES\s0, 128 bit \s-1RC2\s0, 64 bit \s-1RC2\s0, \s-1DES\s0 and 40 bit \s-1RC2\s0.
-If any of these algorithms is not available then it will not be included: for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST\s0 \s-1ENGINE\s0 is
-not loaded.
-.PP
-\&\fICMS_sign_add1_signer()\fR returns an internal pointer to the CMS_SignerInfo
-structure just added, this can be used to set additional attributes 
-before it is finalized.
-.SH "RETURN VALUES"
-.IX Header "RETURN VALUES"
-\&\fICMS_sign1_add_signers()\fR returns an internal pointer to the CMS_SignerInfo
-structure just added or \s-1NULL\s0 if an error occurs.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIERR_get_error\fR\|(3), \fICMS_sign\fR\|(3),
-\&\fICMS_final\fR\|(3),
-.SH "HISTORY"
-.IX Header "HISTORY"
-\&\fICMS_sign_add1_signer()\fR was added to OpenSSL 0.9.8
diff --git a/secure/lib/libcrypto/man/CMS_sign_receipt.3 b/secure/lib/libcrypto/man/CMS_sign_receipt.3
index 2ff1e2af4498..ed554dbe3e5b 100644
--- a/secure/lib/libcrypto/man/CMS_sign_receipt.3
+++ b/secure/lib/libcrypto/man/CMS_sign_receipt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_sign_receipt 3"
-.TH CMS_sign_receipt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_sign_receipt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/CMS_uncompress.3 b/secure/lib/libcrypto/man/CMS_uncompress.3
index e3f46c717089..9276f0d05ab2 100644
--- a/secure/lib/libcrypto/man/CMS_uncompress.3
+++ b/secure/lib/libcrypto/man/CMS_uncompress.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_uncompress 3"
-.TH CMS_uncompress 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_uncompress 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ CompressedData structure \fBcms\fR. \fBdata\fR is a \s-1BIO\s0 to write the cont
 \&\fBflags\fR is an optional set of flags.
 .PP
 The \fBdcont\fR parameter is used in the rare case where the compressed content
-is detached. It will normally be set to \s-1NULL\s0.
+is detached. It will normally be set to \s-1NULL.\s0
 .SH "NOTES"
 .IX Header "NOTES"
 The only currently supported compression algorithm is zlib: if the structure
diff --git a/secure/lib/libcrypto/man/CMS_verify.3 b/secure/lib/libcrypto/man/CMS_verify.3
index 48071b4b3e63..f66b1fda7d51 100644
--- a/secure/lib/libcrypto/man/CMS_verify.3
+++ b/secure/lib/libcrypto/man/CMS_verify.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_verify 3"
-.TH CMS_verify 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_verify 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,7 +157,7 @@
 structure to verify. \fBcerts\fR is a set of certificates in which to search for
 the signing certificate(s). \fBstore\fR is a trusted certificate store used for
 chain verification. \fBindata\fR is the detached content if the content is not
-present in \fBcms\fR. The content is written to \fBout\fR if it is not \s-1NULL\s0.
+present in \fBcms\fR. The content is written to \fBout\fR if it is not \s-1NULL.\s0
 .PP
 \&\fBflags\fR is an optional set of flags, which can be used to modify the verify
 operation.
diff --git a/secure/lib/libcrypto/man/CMS_verify_receipt.3 b/secure/lib/libcrypto/man/CMS_verify_receipt.3
index a2d4f8d35031..10a5c819f50d 100644
--- a/secure/lib/libcrypto/man/CMS_verify_receipt.3
+++ b/secure/lib/libcrypto/man/CMS_verify_receipt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS_verify_receipt 3"
-.TH CMS_verify_receipt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS_verify_receipt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/CONF_modules_free.3 b/secure/lib/libcrypto/man/CONF_modules_free.3
index 47c8445d8cb9..576863b74f2b 100644
--- a/secure/lib/libcrypto/man/CONF_modules_free.3
+++ b/secure/lib/libcrypto/man/CONF_modules_free.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CONF_modules_free 3"
-.TH CONF_modules_free 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CONF_modules_free 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -164,7 +173,7 @@ None of the functions return a value.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIconf\fR\|(5), \fIOPENSSL_config\fR\|(3),
-\&\*(L"\fICONF_modules_load_file\fR\|(3), \fICONF_modules_load_file\fR\|(3)\*(R"
+\&\fICONF_modules_load_file\fR\|(3)
 .SH "HISTORY"
 .IX Header "HISTORY"
 \&\fICONF_modules_free()\fR, \fICONF_modules_unload()\fR, and \fICONF_modules_finish()\fR
diff --git a/secure/lib/libcrypto/man/CONF_modules_load_file.3 b/secure/lib/libcrypto/man/CONF_modules_load_file.3
index 760a9aa9c0c1..e99a68cb5889 100644
--- a/secure/lib/libcrypto/man/CONF_modules_load_file.3
+++ b/secure/lib/libcrypto/man/CONF_modules_load_file.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CONF_modules_load_file 3"
-.TH CONF_modules_load_file 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CONF_modules_load_file 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -178,7 +187,7 @@ return value of the failing module (this will always be zero or negative).
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIconf\fR\|(5), \fIOPENSSL_config\fR\|(3),
-\&\*(L"\fICONF_free\fR\|(3), \fICONF_free\fR\|(3)\*(R", \fIerr\fR\|(3),\fIerr\fR\|(3)
+\&\fICONF_free\fR\|(3), \fIerr\fR\|(3)
 .SH "HISTORY"
 .IX Header "HISTORY"
 CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7.
diff --git a/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 b/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
index 23240f3180e9..773dfe90164b 100644
--- a/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
+++ b/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CRYPTO_set_ex_data 3"
-.TH CRYPTO_set_ex_data 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CRYPTO_set_ex_data 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DH_generate_key.3 b/secure/lib/libcrypto/man/DH_generate_key.3
index bd2b092164cc..eb8f8325a8c0 100644
--- a/secure/lib/libcrypto/man/DH_generate_key.3
+++ b/secure/lib/libcrypto/man/DH_generate_key.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_generate_key 3"
-.TH DH_generate_key 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DH_generate_key 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DH_generate_parameters.3 b/secure/lib/libcrypto/man/DH_generate_parameters.3
index 78c2524f7c44..34647502b1a0 100644
--- a/secure/lib/libcrypto/man/DH_generate_parameters.3
+++ b/secure/lib/libcrypto/man/DH_generate_parameters.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_generate_parameters 3"
-.TH DH_generate_parameters 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DH_generate_parameters 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -191,4 +200,4 @@ a usable generator.
 The \fBcb_arg\fR argument to \fIDH_generate_parameters()\fR was added in SSLeay 0.9.0.
 .PP
 In versions before OpenSSL 0.9.5, \s-1DH_CHECK_P_NOT_STRONG_PRIME\s0 is used
-instead of \s-1DH_CHECK_P_NOT_SAFE_PRIME\s0.
+instead of \s-1DH_CHECK_P_NOT_SAFE_PRIME.\s0
diff --git a/secure/lib/libcrypto/man/DH_get_ex_new_index.3 b/secure/lib/libcrypto/man/DH_get_ex_new_index.3
index ccd60b99c0bd..5b13279707a9 100644
--- a/secure/lib/libcrypto/man/DH_get_ex_new_index.3
+++ b/secure/lib/libcrypto/man/DH_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_get_ex_new_index 3"
-.TH DH_get_ex_new_index 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DH_get_ex_new_index 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DH_new.3 b/secure/lib/libcrypto/man/DH_new.3
index e6725cb33a7c..2802a10b0305 100644
--- a/secure/lib/libcrypto/man/DH_new.3
+++ b/secure/lib/libcrypto/man/DH_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_new 3"
-.TH DH_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DH_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DH_set_method.3 b/secure/lib/libcrypto/man/DH_set_method.3
index 1daf75984b64..d1a8c57aadf8 100644
--- a/secure/lib/libcrypto/man/DH_set_method.3
+++ b/secure/lib/libcrypto/man/DH_set_method.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_set_method 3"
-.TH DH_set_method 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DH_set_method 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -153,7 +162,7 @@ DH_set_method, DH_new_method, DH_OpenSSL \- select DH method
 A \fB\s-1DH_METHOD\s0\fR specifies the functions that OpenSSL uses for Diffie-Hellman
 operations. By modifying the method, alternative implementations
 such as hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
-important information about how these \s-1DH\s0 \s-1API\s0 functions are affected by the use
+important information about how these \s-1DH API\s0 functions are affected by the use
 of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
 .PP
 Initially, the default \s-1DH_METHOD\s0 is the OpenSSL internal implementation, as
@@ -161,22 +170,22 @@ returned by \fIDH_OpenSSL()\fR.
 .PP
 \&\fIDH_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1DH\s0
 structures created later. \fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has been set
-as a default for \s-1DH\s0, so this function is no longer recommended.
+as a default for \s-1DH,\s0 so this function is no longer recommended.
 .PP
-\&\fIDH_get_default_method()\fR returns a pointer to the current default \s-1DH_METHOD\s0.
-However, the meaningfulness of this result is dependent on whether the \s-1ENGINE\s0
-\&\s-1API\s0 is being used, so this function is no longer recommended.
+\&\fIDH_get_default_method()\fR returns a pointer to the current default \s-1DH_METHOD.\s0
+However, the meaningfulness of this result is dependent on whether the \s-1ENGINE
+API\s0 is being used, so this function is no longer recommended.
 .PP
 \&\fIDH_set_method()\fR selects \fBmeth\fR to perform all operations using the key \fBdh\fR.
 This will replace the \s-1DH_METHOD\s0 used by the \s-1DH\s0 key and if the previous method
-was supplied by an \s-1ENGINE\s0, the handle to that \s-1ENGINE\s0 will be released during the
+was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will be released during the
 change. It is possible to have \s-1DH\s0 keys that only work with certain \s-1DH_METHOD\s0
 implementations (eg. from an \s-1ENGINE\s0 module that supports embedded
 hardware-protected keys), and in such cases attempting to change the \s-1DH_METHOD\s0
 for the key can have unexpected results.
 .PP
 \&\fIDH_new_method()\fR allocates and initializes a \s-1DH\s0 structure so that \fBengine\fR will
-be used for the \s-1DH\s0 operations. If \fBengine\fR is \s-1NULL\s0, the default \s-1ENGINE\s0 for \s-1DH\s0
+be used for the \s-1DH\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the default \s-1ENGINE\s0 for \s-1DH\s0
 operations is used, and if no default \s-1ENGINE\s0 is set, the \s-1DH_METHOD\s0 controlled by
 \&\fIDH_set_default_method()\fR is used.
 .SH "THE DH_METHOD STRUCTURE"
@@ -227,10 +236,10 @@ returns a pointer to the newly allocated structure.
 .SH "NOTES"
 .IX Header "NOTES"
 As of version 0.9.7, \s-1DH_METHOD\s0 implementations are grouped together with other
-algorithmic APIs (eg. \s-1RSA_METHOD\s0, \s-1EVP_CIPHER\s0, etc) in \fB\s-1ENGINE\s0\fR modules. If a
-default \s-1ENGINE\s0 is specified for \s-1DH\s0 functionality using an \s-1ENGINE\s0 \s-1API\s0 function,
-that will override any \s-1DH\s0 defaults set using the \s-1DH\s0 \s-1API\s0 (ie.
-\&\fIDH_set_default_method()\fR). For this reason, the \s-1ENGINE\s0 \s-1API\s0 is the recommended way
+algorithmic APIs (eg. \s-1RSA_METHOD, EVP_CIPHER,\s0 etc) in \fB\s-1ENGINE\s0\fR modules. If a
+default \s-1ENGINE\s0 is specified for \s-1DH\s0 functionality using an \s-1ENGINE API\s0 function,
+that will override any \s-1DH\s0 defaults set using the \s-1DH API \s0(ie.
+\&\fIDH_set_default_method()\fR). For this reason, the \s-1ENGINE API\s0 is the recommended way
 to control default implementations for use in \s-1DH\s0 and other cryptographic
 algorithms.
 .SH "SEE ALSO"
@@ -245,8 +254,8 @@ algorithms.
 \&\fIDH_set_default_method()\fR and \fIDH_get_default_method()\fR respectively, and
 \&\fIDH_set_method()\fR and \fIDH_new_method()\fR were altered to use \fB\s-1ENGINE\s0\fRs rather than
 \&\fB\s-1DH_METHOD\s0\fRs during development of the engine version of OpenSSL 0.9.6. For
-0.9.7, the handling of defaults in the \s-1ENGINE\s0 \s-1API\s0 was restructured so that this
+0.9.7, the handling of defaults in the \s-1ENGINE API\s0 was restructured so that this
 change was reversed, and behaviour of the other functions resembled more closely
-the previous behaviour. The behaviour of defaults in the \s-1ENGINE\s0 \s-1API\s0 now
-transparently overrides the behaviour of defaults in the \s-1DH\s0 \s-1API\s0 without
+the previous behaviour. The behaviour of defaults in the \s-1ENGINE API\s0 now
+transparently overrides the behaviour of defaults in the \s-1DH API\s0 without
 requiring changing these function prototypes.
diff --git a/secure/lib/libcrypto/man/DH_size.3 b/secure/lib/libcrypto/man/DH_size.3
index 94ed8fec16a7..a57ee47b739f 100644
--- a/secure/lib/libcrypto/man/DH_size.3
+++ b/secure/lib/libcrypto/man/DH_size.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DH_size 3"
-.TH DH_size 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DH_size 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DSA_SIG_new.3 b/secure/lib/libcrypto/man/DSA_SIG_new.3
index 065a9e77c2a9..6c27b32a23b0 100644
--- a/secure/lib/libcrypto/man/DSA_SIG_new.3
+++ b/secure/lib/libcrypto/man/DSA_SIG_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_SIG_new 3"
-.TH DSA_SIG_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_SIG_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DSA_do_sign.3 b/secure/lib/libcrypto/man/DSA_do_sign.3
index b7bc71f3758d..050b16576a55 100644
--- a/secure/lib/libcrypto/man/DSA_do_sign.3
+++ b/secure/lib/libcrypto/man/DSA_do_sign.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_do_sign 3"
-.TH DSA_do_sign 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_do_sign 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DSA_dup_DH.3 b/secure/lib/libcrypto/man/DSA_dup_DH.3
index ce051490b2f4..4e87b9572636 100644
--- a/secure/lib/libcrypto/man/DSA_dup_DH.3
+++ b/secure/lib/libcrypto/man/DSA_dup_DH.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_dup_DH 3"
-.TH DSA_dup_DH 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_dup_DH 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DSA_generate_key.3 b/secure/lib/libcrypto/man/DSA_generate_key.3
index f631b7dc09b9..a56e7b24f7ff 100644
--- a/secure/lib/libcrypto/man/DSA_generate_key.3
+++ b/secure/lib/libcrypto/man/DSA_generate_key.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_generate_key 3"
-.TH DSA_generate_key 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_generate_key 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DSA_generate_parameters.3 b/secure/lib/libcrypto/man/DSA_generate_parameters.3
index 274c0ad9b6a1..31bb637385a3 100644
--- a/secure/lib/libcrypto/man/DSA_generate_parameters.3
+++ b/secure/lib/libcrypto/man/DSA_generate_parameters.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_generate_parameters 3"
-.TH DSA_generate_parameters 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_generate_parameters 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -143,7 +152,7 @@ DSA_generate_parameters \- generate DSA parameters
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fIDSA_generate_parameters()\fR generates primes p and q and a generator g
-for use in the \s-1DSA\s0.
+for use in the \s-1DSA.\s0
 .PP
 \&\fBbits\fR is the length of the prime to be generated; the \s-1DSS\s0 allows a
 maximum of 1024 bits.
diff --git a/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 b/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
index 0857366bb909..1a42e95099ad 100644
--- a/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
+++ b/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_get_ex_new_index 3"
-.TH DSA_get_ex_new_index 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_get_ex_new_index 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DSA_new.3 b/secure/lib/libcrypto/man/DSA_new.3
index 204cdb1fd261..b2d1a936780c 100644
--- a/secure/lib/libcrypto/man/DSA_new.3
+++ b/secure/lib/libcrypto/man/DSA_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_new 3"
-.TH DSA_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/DSA_set_method.3 b/secure/lib/libcrypto/man/DSA_set_method.3
index 9f893d08055d..7e7ba5078a70 100644
--- a/secure/lib/libcrypto/man/DSA_set_method.3
+++ b/secure/lib/libcrypto/man/DSA_set_method.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_set_method 3"
-.TH DSA_set_method 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_set_method 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -153,7 +162,7 @@ DSA_set_method, DSA_new_method, DSA_OpenSSL \- select DSA method
 A \fB\s-1DSA_METHOD\s0\fR specifies the functions that OpenSSL uses for \s-1DSA\s0
 operations. By modifying the method, alternative implementations
 such as hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
-important information about how these \s-1DSA\s0 \s-1API\s0 functions are affected by the use
+important information about how these \s-1DSA API\s0 functions are affected by the use
 of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
 .PP
 Initially, the default \s-1DSA_METHOD\s0 is the OpenSSL internal implementation,
@@ -161,16 +170,16 @@ as returned by \fIDSA_OpenSSL()\fR.
 .PP
 \&\fIDSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1DSA\s0
 structures created later. \fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has
-been set as a default for \s-1DSA\s0, so this function is no longer recommended.
+been set as a default for \s-1DSA,\s0 so this function is no longer recommended.
 .PP
 \&\fIDSA_get_default_method()\fR returns a pointer to the current default
-\&\s-1DSA_METHOD\s0. However, the meaningfulness of this result is dependent on
-whether the \s-1ENGINE\s0 \s-1API\s0 is being used, so this function is no longer 
+\&\s-1DSA_METHOD.\s0 However, the meaningfulness of this result is dependent on
+whether the \s-1ENGINE API\s0 is being used, so this function is no longer 
 recommended.
 .PP
 \&\fIDSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key
 \&\fBrsa\fR. This will replace the \s-1DSA_METHOD\s0 used by the \s-1DSA\s0 key and if the
-previous method was supplied by an \s-1ENGINE\s0, the handle to that \s-1ENGINE\s0 will
+previous method was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will
 be released during the change. It is possible to have \s-1DSA\s0 keys that only
 work with certain \s-1DSA_METHOD\s0 implementations (eg. from an \s-1ENGINE\s0 module
 that supports embedded hardware-protected keys), and in such cases
@@ -178,7 +187,7 @@ attempting to change the \s-1DSA_METHOD\s0 for the key can have unexpected
 results.
 .PP
 \&\fIDSA_new_method()\fR allocates and initializes a \s-1DSA\s0 structure so that \fBengine\fR
-will be used for the \s-1DSA\s0 operations. If \fBengine\fR is \s-1NULL\s0, the default engine
+will be used for the \s-1DSA\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the default engine
 for \s-1DSA\s0 operations is used, and if no default \s-1ENGINE\s0 is set, the \s-1DSA_METHOD\s0
 controlled by \fIDSA_set_default_method()\fR is used.
 .SH "THE DSA_METHOD STRUCTURE"
@@ -241,10 +250,10 @@ fails. Otherwise it returns a pointer to the newly allocated structure.
 .SH "NOTES"
 .IX Header "NOTES"
 As of version 0.9.7, \s-1DSA_METHOD\s0 implementations are grouped together with other
-algorithmic APIs (eg. \s-1RSA_METHOD\s0, \s-1EVP_CIPHER\s0, etc) in \fB\s-1ENGINE\s0\fR modules. If a
-default \s-1ENGINE\s0 is specified for \s-1DSA\s0 functionality using an \s-1ENGINE\s0 \s-1API\s0 function,
-that will override any \s-1DSA\s0 defaults set using the \s-1DSA\s0 \s-1API\s0 (ie.
-\&\fIDSA_set_default_method()\fR). For this reason, the \s-1ENGINE\s0 \s-1API\s0 is the recommended way
+algorithmic APIs (eg. \s-1RSA_METHOD, EVP_CIPHER,\s0 etc) in \fB\s-1ENGINE\s0\fR modules. If a
+default \s-1ENGINE\s0 is specified for \s-1DSA\s0 functionality using an \s-1ENGINE API\s0 function,
+that will override any \s-1DSA\s0 defaults set using the \s-1DSA API \s0(ie.
+\&\fIDSA_set_default_method()\fR). For this reason, the \s-1ENGINE API\s0 is the recommended way
 to control default implementations for use in \s-1DSA\s0 and other cryptographic
 algorithms.
 .SH "SEE ALSO"
@@ -259,8 +268,8 @@ algorithms.
 \&\fIDSA_set_default_method()\fR and \fIDSA_get_default_method()\fR respectively, and
 \&\fIDSA_set_method()\fR and \fIDSA_new_method()\fR were altered to use \fB\s-1ENGINE\s0\fRs rather than
 \&\fB\s-1DSA_METHOD\s0\fRs during development of the engine version of OpenSSL 0.9.6. For
-0.9.7, the handling of defaults in the \s-1ENGINE\s0 \s-1API\s0 was restructured so that this
+0.9.7, the handling of defaults in the \s-1ENGINE API\s0 was restructured so that this
 change was reversed, and behaviour of the other functions resembled more closely
-the previous behaviour. The behaviour of defaults in the \s-1ENGINE\s0 \s-1API\s0 now
-transparently overrides the behaviour of defaults in the \s-1DSA\s0 \s-1API\s0 without
+the previous behaviour. The behaviour of defaults in the \s-1ENGINE API\s0 now
+transparently overrides the behaviour of defaults in the \s-1DSA API\s0 without
 requiring changing these function prototypes.
diff --git a/secure/lib/libcrypto/man/DSA_sign.3 b/secure/lib/libcrypto/man/DSA_sign.3
index f72f31e75ecf..e6d21dad7cff 100644
--- a/secure/lib/libcrypto/man/DSA_sign.3
+++ b/secure/lib/libcrypto/man/DSA_sign.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_sign 3"
-.TH DSA_sign 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_sign 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,7 +157,7 @@ DSA_sign, DSA_sign_setup, DSA_verify \- DSA signatures
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fIDSA_sign()\fR computes a digital signature on the \fBlen\fR byte message
-digest \fBdgst\fR using the private key \fBdsa\fR and places its \s-1ASN\s0.1 \s-1DER\s0
+digest \fBdgst\fR using the private key \fBdsa\fR and places its \s-1ASN.1 DER\s0
 encoding at \fBsigret\fR. The length of the signature is places in
 *\fBsiglen\fR. \fBsigret\fR must point to DSA_size(\fBdsa\fR) bytes of memory.
 .PP
@@ -156,9 +165,9 @@ encoding at \fBsigret\fR. The length of the signature is places in
 operation in case signature generation is time-critical. It expects
 \&\fBdsa\fR to contain \s-1DSA\s0 parameters. It places the precomputed values
 in newly allocated \fB\s-1BIGNUM\s0\fRs at *\fBkinvp\fR and *\fBrp\fR, after freeing
-the old ones unless *\fBkinvp\fR and *\fBrp\fR are \s-1NULL\s0. These values may
+the old ones unless *\fBkinvp\fR and *\fBrp\fR are \s-1NULL.\s0 These values may
 be passed to \fIDSA_sign()\fR in \fBdsa\->kinv\fR and \fBdsa\->r\fR.
-\&\fBctx\fR is a pre-allocated \fB\s-1BN_CTX\s0\fR or \s-1NULL\s0.
+\&\fBctx\fR is a pre-allocated \fB\s-1BN_CTX\s0\fR or \s-1NULL.\s0
 .PP
 \&\fIDSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR
 matches a given message digest \fBdgst\fR of size \fBlen\fR.
@@ -176,8 +185,8 @@ signature and \-1 on error. The error codes can be obtained by
 \&\fIERR_get_error\fR\|(3).
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS\s0 186 (Digital Signature
-Standard, \s-1DSS\s0), \s-1ANSI\s0 X9.30
+\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS 186 \s0(Digital Signature
+Standard, \s-1DSS\s0), \s-1ANSI X9.30\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIdsa\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3),
diff --git a/secure/lib/libcrypto/man/DSA_size.3 b/secure/lib/libcrypto/man/DSA_size.3
index 94b57cf229ea..920e2cdbe1dd 100644
--- a/secure/lib/libcrypto/man/DSA_size.3
+++ b/secure/lib/libcrypto/man/DSA_size.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA_size 3"
-.TH DSA_size 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA_size 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -140,7 +149,7 @@ DSA_size \- get DSA signature size
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-This function returns the size of an \s-1ASN\s0.1 encoded \s-1DSA\s0 signature in
+This function returns the size of an \s-1ASN.1\s0 encoded \s-1DSA\s0 signature in
 bytes. It can be used to determine how much memory must be allocated
 for a \s-1DSA\s0 signature.
 .PP
diff --git a/secure/lib/libcrypto/man/ERR_GET_LIB.3 b/secure/lib/libcrypto/man/ERR_GET_LIB.3
index 35280b9c173d..2a93536e5d11 100644
--- a/secure/lib/libcrypto/man/ERR_GET_LIB.3
+++ b/secure/lib/libcrypto/man/ERR_GET_LIB.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_GET_LIB 3"
-.TH ERR_GET_LIB 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_GET_LIB 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -157,7 +166,7 @@ reason codes are unique within each sub-library.  Note that different
 libraries may use the same value to signal different functions and
 reasons.
 .PP
-\&\fB\s-1ERR_R_\s0...\fR reason codes such as \fB\s-1ERR_R_MALLOC_FAILURE\s0\fR are globally
+\&\fB\s-1ERR_R_...\s0\fR reason codes such as \fB\s-1ERR_R_MALLOC_FAILURE\s0\fR are globally
 unique. However, when checking for sub-library specific reason codes,
 be sure to also compare the library number.
 .PP
diff --git a/secure/lib/libcrypto/man/ERR_clear_error.3 b/secure/lib/libcrypto/man/ERR_clear_error.3
index ec2daad2073e..4739dbf264dd 100644
--- a/secure/lib/libcrypto/man/ERR_clear_error.3
+++ b/secure/lib/libcrypto/man/ERR_clear_error.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_clear_error 3"
-.TH ERR_clear_error 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_clear_error 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ERR_error_string.3 b/secure/lib/libcrypto/man/ERR_error_string.3
index c7bab56269a1..bb550cc2f1bd 100644
--- a/secure/lib/libcrypto/man/ERR_error_string.3
+++ b/secure/lib/libcrypto/man/ERR_error_string.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_error_string 3"
-.TH ERR_error_string 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_error_string 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ERR_get_error.3 b/secure/lib/libcrypto/man/ERR_get_error.3
index 8705d94f8cc3..78c8b351d9b9 100644
--- a/secure/lib/libcrypto/man/ERR_get_error.3
+++ b/secure/lib/libcrypto/man/ERR_get_error.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_get_error 3"
-.TH ERR_get_error 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_get_error 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -177,11 +186,14 @@ additionally store the file name and line number where
 the error occurred in *\fBfile\fR and *\fBline\fR, unless these are \fB\s-1NULL\s0\fR.
 .PP
 \&\fIERR_get_error_line_data()\fR, \fIERR_peek_error_line_data()\fR and
-\&\fIERR_get_last_error_line_data()\fR store additional data and flags
+\&\fIERR_peek_last_error_line_data()\fR store additional data and flags
 associated with the error code in *\fBdata\fR
 and *\fBflags\fR, unless these are \fB\s-1NULL\s0\fR. *\fBdata\fR contains a string
-if *\fBflags\fR&\fB\s-1ERR_TXT_STRING\s0\fR. If it has been allocated by \fIOPENSSL_malloc()\fR,
-*\fBflags\fR&\fB\s-1ERR_TXT_MALLOCED\s0\fR is true.
+if *\fBflags\fR&\fB\s-1ERR_TXT_STRING\s0\fR is true.
+.PP
+An application \fB\s-1MUST NOT\s0\fR free the *\fBdata\fR pointer (or any other pointers
+returned by these functions) with \fIOPENSSL_free()\fR as freeing is handled
+automatically by the error library.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 The error code, or 0 if there is no error in the queue.
diff --git a/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 b/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
index 067ba78da50b..c671149b14d1 100644
--- a/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
+++ b/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_load_crypto_strings 3"
-.TH ERR_load_crypto_strings 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_load_crypto_strings 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ERR_load_strings.3 b/secure/lib/libcrypto/man/ERR_load_strings.3
index cfeff0066869..a3f804caf5f2 100644
--- a/secure/lib/libcrypto/man/ERR_load_strings.3
+++ b/secure/lib/libcrypto/man/ERR_load_strings.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_load_strings 3"
-.TH ERR_load_strings 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_load_strings 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ERR_print_errors.3 b/secure/lib/libcrypto/man/ERR_print_errors.3
index 274f6c727eee..538c0c85f3df 100644
--- a/secure/lib/libcrypto/man/ERR_print_errors.3
+++ b/secure/lib/libcrypto/man/ERR_print_errors.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_print_errors 3"
-.TH ERR_print_errors 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_print_errors 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ERR_put_error.3 b/secure/lib/libcrypto/man/ERR_put_error.3
index 0cbc6721ad47..6c0fbcde481c 100644
--- a/secure/lib/libcrypto/man/ERR_put_error.3
+++ b/secure/lib/libcrypto/man/ERR_put_error.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_put_error 3"
-.TH ERR_put_error 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_put_error 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ERR_remove_state.3 b/secure/lib/libcrypto/man/ERR_remove_state.3
index 7e1d16e38c27..f98ec586a962 100644
--- a/secure/lib/libcrypto/man/ERR_remove_state.3
+++ b/secure/lib/libcrypto/man/ERR_remove_state.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_remove_state 3"
-.TH ERR_remove_state 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_remove_state 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ERR_set_mark.3 b/secure/lib/libcrypto/man/ERR_set_mark.3
index e5781a706018..7648e71a9ff0 100644
--- a/secure/lib/libcrypto/man/ERR_set_mark.3
+++ b/secure/lib/libcrypto/man/ERR_set_mark.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERR_set_mark 3"
-.TH ERR_set_mark 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERR_set_mark 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/EVP_BytesToKey.3 b/secure/lib/libcrypto/man/EVP_BytesToKey.3
index be938f205d80..f3b38ad42699 100644
--- a/secure/lib/libcrypto/man/EVP_BytesToKey.3
+++ b/secure/lib/libcrypto/man/EVP_BytesToKey.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_BytesToKey 3"
-.TH EVP_BytesToKey 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_BytesToKey 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -145,7 +154,7 @@ EVP_BytesToKey \- password based encryption routine
 .IX Header "DESCRIPTION"
 \&\fIEVP_BytesToKey()\fR derives a key and \s-1IV\s0 from various parameters. \fBtype\fR is
 the cipher to derive the key and \s-1IV\s0 for. \fBmd\fR is the message digest to use.
-The \fBsalt\fR paramter is used as a salt in the derivation: it should point to
+The \fBsalt\fR parameter is used as a salt in the derivation: it should point to
 an 8 byte buffer or \s-1NULL\s0 if no salt is used. \fBdata\fR is a buffer containing
 \&\fBdatal\fR bytes which is used to derive the keying data. \fBcount\fR is the
 iteration count to use. The derived key and \s-1IV\s0 will be written to \fBkey\fR
@@ -168,7 +177,7 @@ v2.0 for key derivation.
 .SH "KEY DERIVATION ALGORITHM"
 .IX Header "KEY DERIVATION ALGORITHM"
 The key and \s-1IV\s0 is derived by concatenating D_1, D_2, etc until
-enough data is available for the key and \s-1IV\s0. D_i is defined as:
+enough data is available for the key and \s-1IV.\s0 D_i is defined as:
 .PP
 .Vb 1
 \&        D_i = HASH^count(D_(i\-1) || data || salt)
@@ -179,7 +188,7 @@ algorithm in use, HASH^1(data) is simply \s-1HASH\s0(data), HASH^2(data)
 is \s-1HASH\s0(\s-1HASH\s0(data)) and so on.
 .PP
 The initial bytes are used for the key and the subsequent bytes for
-the \s-1IV\s0.
+the \s-1IV.\s0
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fIEVP_BytesToKey()\fR returns the size of the derived key in bytes.
diff --git a/secure/lib/libcrypto/man/EVP_DigestInit.3 b/secure/lib/libcrypto/man/EVP_DigestInit.3
index 394f9ef39f36..d9d194ddaf28 100644
--- a/secure/lib/libcrypto/man/EVP_DigestInit.3
+++ b/secure/lib/libcrypto/man/EVP_DigestInit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_DigestInit 3"
-.TH EVP_DigestInit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_DigestInit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -154,13 +163,13 @@ EVP digest routines
 \& int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
 \& void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
 \&
-\& int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);  
+\& int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);
 \&
 \& int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
 \& int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
 \&        unsigned int *s);
 \&
-\& int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
+\& int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);
 \&
 \& #define EVP_MAX_MD_SIZE 64     /* SHA512 */
 \&
@@ -202,7 +211,7 @@ The \s-1EVP\s0 digest routines are a high level interface to message digests.
 \&\fIEVP_MD_CTX_create()\fR allocates, initializes and returns a digest context.
 .PP
 \&\fIEVP_DigestInit_ex()\fR sets up digest context \fBctx\fR to use a digest
-\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be initialized before calling this
+\&\fBtype\fR from \s-1ENGINE \s0\fBimpl\fR. \fBctx\fR must be initialized before calling this
 function. \fBtype\fR will typically be supplied by a functionsuch as \fIEVP_sha1()\fR.
 If \fBimpl\fR is \s-1NULL\s0 then the default implementation of digest \fBtype\fR is used.
 .PP
@@ -247,7 +256,7 @@ hash.
 \&\fIEVP_MD_block_size()\fR and \fIEVP_MD_CTX_block_size()\fR return the block size of the
 message digest when passed an \fB\s-1EVP_MD\s0\fR or an \fB\s-1EVP_MD_CTX\s0\fR structure.
 .PP
-\&\fIEVP_MD_type()\fR and \fIEVP_MD_CTX_type()\fR return the \s-1NID\s0 of the \s-1OBJECT\s0 \s-1IDENTIFIER\s0
+\&\fIEVP_MD_type()\fR and \fIEVP_MD_CTX_type()\fR return the \s-1NID\s0 of the \s-1OBJECT IDENTIFIER\s0
 representing the given message digest when passed an \fB\s-1EVP_MD\s0\fR structure.
 For example EVP_MD_type(\fIEVP_sha1()\fR) returns \fBNID_sha1\fR. This function is
 normally used when setting \s-1ASN1\s0 OIDs.
@@ -263,11 +272,11 @@ reasons.
 .PP
 \&\fIEVP_md2()\fR, \fIEVP_md5()\fR, \fIEVP_sha()\fR, \fIEVP_sha1()\fR, \fIEVP_sha224()\fR, \fIEVP_sha256()\fR,
 \&\fIEVP_sha384()\fR, \fIEVP_sha512()\fR, \fIEVP_mdc2()\fR and \fIEVP_ripemd160()\fR return \fB\s-1EVP_MD\s0\fR
-structures for the \s-1MD2\s0, \s-1MD5\s0, \s-1SHA\s0, \s-1SHA1\s0, \s-1SHA224\s0, \s-1SHA256\s0, \s-1SHA384\s0, \s-1SHA512\s0, \s-1MDC2\s0
+structures for the \s-1MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2\s0
 and \s-1RIPEMD160\s0 digest algorithms respectively.
 .PP
 \&\fIEVP_dss()\fR and \fIEVP_dss1()\fR return \fB\s-1EVP_MD\s0\fR structures for \s-1SHA\s0 and \s-1SHA1\s0 digest
-algorithms but using \s-1DSS\s0 (\s-1DSA\s0) for the signature algorithm. Note: there is 
+algorithms but using \s-1DSS \s0(\s-1DSA\s0) for the signature algorithm. Note: there is
 no need to use these pseudo-digests in OpenSSL 1.0.0 and later, they are
 however retained for compatibility.
 .PP
@@ -286,11 +295,10 @@ success and 0 for failure.
 \&\fIEVP_MD_CTX_copy_ex()\fR returns 1 if successful or 0 for failure.
 .PP
 \&\fIEVP_MD_type()\fR, \fIEVP_MD_pkey_type()\fR and \fIEVP_MD_type()\fR return the \s-1NID\s0 of the
-corresponding \s-1OBJECT\s0 \s-1IDENTIFIER\s0 or NID_undef if none exists.
+corresponding \s-1OBJECT IDENTIFIER\s0 or NID_undef if none exists.
 .PP
-\&\fIEVP_MD_size()\fR, \fIEVP_MD_block_size()\fR, EVP_MD_CTX_size(e), \fIEVP_MD_size()\fR,
-\&\fIEVP_MD_CTX_block_size()\fR	and \fIEVP_MD_block_size()\fR return the digest or block
-size in bytes.
+\&\fIEVP_MD_size()\fR, \fIEVP_MD_block_size()\fR, \fIEVP_MD_CTX_size()\fR and
+\&\fIEVP_MD_CTX_block_size()\fR return the digest or block size in bytes.
 .PP
 \&\fIEVP_md_null()\fR, \fIEVP_md2()\fR, \fIEVP_md5()\fR, \fIEVP_sha()\fR, \fIEVP_sha1()\fR, \fIEVP_dss()\fR,
 \&\fIEVP_dss1()\fR, \fIEVP_mdc2()\fR and \fIEVP_ripemd160()\fR return pointers to the
@@ -304,15 +312,15 @@ The \fB\s-1EVP\s0\fR interface to message digests should almost always be used i
 preference to the low level interfaces. This is because the code then becomes
 transparent to the digest used and much more flexible.
 .PP
-New applications should use the \s-1SHA2\s0 digest algorithms such as \s-1SHA256\s0. 
+New applications should use the \s-1SHA2\s0 digest algorithms such as \s-1SHA256.\s0
 The other digest algorithms are still in common use.
 .PP
 For most applications the \fBimpl\fR parameter to \fIEVP_DigestInit_ex()\fR will be
 set to \s-1NULL\s0 to use the default digest implementation.
 .PP
-The functions \fIEVP_DigestInit()\fR, \fIEVP_DigestFinal()\fR and \fIEVP_MD_CTX_copy()\fR are 
+The functions \fIEVP_DigestInit()\fR, \fIEVP_DigestFinal()\fR and \fIEVP_MD_CTX_copy()\fR are
 obsolete but are retained to maintain compatibility with existing code. New
-applications should use \fIEVP_DigestInit_ex()\fR, \fIEVP_DigestFinal_ex()\fR and 
+applications should use \fIEVP_DigestInit_ex()\fR, \fIEVP_DigestFinal_ex()\fR and
 \&\fIEVP_MD_CTX_copy_ex()\fR because they can efficiently reuse a digest context
 instead of initializing and cleaning it up on each call and allow non default
 implementations of digests to be specified.
@@ -375,15 +383,19 @@ digest name passed on the command line.
 \& EVP_MD_CTX_destroy(mdctx);
 \&
 \& printf("Digest is: ");
-\& for(i = 0; i < md_len; i++) printf("%02x", md_value[i]);
+\& for(i = 0; i < md_len; i++)
+\&        printf("%02x", md_value[i]);
 \& printf("\en");
+\&
+\& /* Call this once before exit. */
+\& EVP_cleanup();
+\& exit(0);
 \& }
 .Ve
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-\&\fIevp\fR\|(3), \fIhmac\fR\|(3), \fImd2\fR\|(3),
-\&\fImd5\fR\|(3), \fImdc2\fR\|(3), \fIripemd\fR\|(3),
-\&\fIsha\fR\|(3), \fIdgst\fR\|(1)
+\&\fIdgst\fR\|(1),
+\&\fIevp\fR\|(3)
 .SH "HISTORY"
 .IX Header "HISTORY"
 \&\fIEVP_DigestInit()\fR, \fIEVP_DigestUpdate()\fR and \fIEVP_DigestFinal()\fR are
@@ -398,7 +410,7 @@ and \fIEVP_DigestFinal_ex()\fR were added in OpenSSL 0.9.7.
 changed to return truely const \s-1EVP_MD\s0 * in OpenSSL 0.9.7.
 .PP
 The link between digests and signing algorithms was fixed in OpenSSL 1.0 and
-later, so now \fIEVP_sha1()\fR can be used with \s-1RSA\s0 and \s-1DSA\s0, there is no need to
+later, so now \fIEVP_sha1()\fR can be used with \s-1RSA\s0 and \s-1DSA\s0; there is no need to
 use \fIEVP_dss1()\fR any more.
 .PP
 OpenSSL 1.0 and later does not include the \s-1MD2\s0 digest algorithm in the
diff --git a/secure/lib/libcrypto/man/EVP_DigestSignInit.3 b/secure/lib/libcrypto/man/EVP_DigestSignInit.3
index 355468ecffa8..6bc40c036e7b 100644
--- a/secure/lib/libcrypto/man/EVP_DigestSignInit.3
+++ b/secure/lib/libcrypto/man/EVP_DigestSignInit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_DigestSignInit 3"
-.TH EVP_DigestSignInit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_DigestSignInit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -146,7 +155,7 @@ EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal \- EVP signing fun
 The \s-1EVP\s0 signature routines are a high level interface to digital signatures.
 .PP
 \&\fIEVP_DigestSignInit()\fR sets up signing context \fBctx\fR to use digest \fBtype\fR from
-\&\s-1ENGINE\s0 \fBimpl\fR and private key \fBpkey\fR. \fBctx\fR must be initialized with
+\&\s-1ENGINE \s0\fBimpl\fR and private key \fBpkey\fR. \fBctx\fR must be initialized with
 \&\fIEVP_MD_CTX_init()\fR before calling this function. If \fBpctx\fR is not \s-1NULL\s0 the
 \&\s-1EVP_PKEY_CTX\s0 of the signing operation will be written to \fB*pctx\fR: this can
 be used to set alternative signing options.
@@ -178,7 +187,7 @@ transparent to the algorithm used and much more flexible.
 .PP
 In previous versions of OpenSSL there was a link between message digest types
 and public key algorithms. This meant that \*(L"clone\*(R" digests such as \fIEVP_dss1()\fR
-needed to be used to sign using \s-1SHA1\s0 and \s-1DSA\s0. This is no longer necessary and
+needed to be used to sign using \s-1SHA1\s0 and \s-1DSA.\s0 This is no longer necessary and
 the use of clone digest is now discouraged.
 .PP
 For some key types and parameters the random number generator must be seeded
diff --git a/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 b/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
index baee35a2d670..f3935f87df58 100644
--- a/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
+++ b/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_DigestVerifyInit 3"
-.TH EVP_DigestVerifyInit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_DigestVerifyInit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -146,7 +155,7 @@ EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal \- EVP signa
 The \s-1EVP\s0 signature routines are a high level interface to digital signatures.
 .PP
 \&\fIEVP_DigestVerifyInit()\fR sets up verification context \fBctx\fR to use digest
-\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR and public key \fBpkey\fR. \fBctx\fR must be initialized
+\&\fBtype\fR from \s-1ENGINE \s0\fBimpl\fR and public key \fBpkey\fR. \fBctx\fR must be initialized
 with \fIEVP_MD_CTX_init()\fR before calling this function. If \fBpctx\fR is not \s-1NULL\s0 the
 \&\s-1EVP_PKEY_CTX\s0 of the verification operation will be written to \fB*pctx\fR: this
 can be used to set alternative verification options.
@@ -165,7 +174,7 @@ or a negative value for failure. In particular a return value of \-2 indicates
 the operation is not supported by the public key algorithm.
 .PP
 Unlike other functions the return value 0 from \fIEVP_DigestVerifyFinal()\fR only
-indicates that the signature did not not verify successfully (that is tbs did
+indicates that the signature did not verify successfully (that is tbs did
 not match the original data or the signature was of invalid form) it is not an
 indication of a more serious error.
 .PP
@@ -178,14 +187,14 @@ transparent to the algorithm used and much more flexible.
 .PP
 In previous versions of OpenSSL there was a link between message digest types
 and public key algorithms. This meant that \*(L"clone\*(R" digests such as \fIEVP_dss1()\fR
-needed to be used to sign using \s-1SHA1\s0 and \s-1DSA\s0. This is no longer necessary and
+needed to be used to sign using \s-1SHA1\s0 and \s-1DSA.\s0 This is no longer necessary and
 the use of clone digest is now discouraged.
 .PP
 For some key types and parameters the random number generator must be seeded
 or the operation will fail.
 .PP
 The call to \fIEVP_DigestVerifyFinal()\fR internally finalizes a copy of the digest
-context. This means that calls to \fIEVP_VerifyUpdate()\fR and \fIEVP_VerifyFinal()\fR can
+context. This means that \fIEVP_VerifyUpdate()\fR and \fIEVP_VerifyFinal()\fR can
 be called later to digest and verify additional data.
 .PP
 Since only a copy of the digest context is ever finalized the context must
diff --git a/secure/lib/libcrypto/man/EVP_EncryptInit.3 b/secure/lib/libcrypto/man/EVP_EncryptInit.3
index 2614b40f9c23..401a2ffab6f5 100644
--- a/secure/lib/libcrypto/man/EVP_EncryptInit.3
+++ b/secure/lib/libcrypto/man/EVP_EncryptInit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_EncryptInit 3"
-.TH EVP_EncryptInit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_EncryptInit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -227,7 +236,7 @@ symmetric ciphers.
 \&\fIEVP_CIPHER_CTX_init()\fR initializes cipher contex \fBctx\fR.
 .PP
 \&\fIEVP_EncryptInit_ex()\fR sets up cipher context \fBctx\fR for encryption
-with cipher \fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be initialized
+with cipher \fBtype\fR from \s-1ENGINE \s0\fBimpl\fR. \fBctx\fR must be initialized
 before calling this function. \fBtype\fR is normally supplied
 by a function such as \fIEVP_des_cbc()\fR. If \fBimpl\fR is \s-1NULL\s0 then the
 default implementation is used. \fBkey\fR is the symmetric key to use
@@ -235,7 +244,7 @@ and \fBiv\fR is the \s-1IV\s0 to use (if necessary), the actual number of bytes
 used for the key and \s-1IV\s0 depends on the cipher. It is possible to set
 all parameters to \s-1NULL\s0 except \fBtype\fR in an initial call and supply
 the remaining parameters in subsequent calls, all of which have \fBtype\fR
-set to \s-1NULL\s0. This is done when the default cipher parameters are not
+set to \s-1NULL.\s0 This is done when the default cipher parameters are not
 appropriate.
 .PP
 \&\fIEVP_EncryptUpdate()\fR encrypts \fBinl\fR bytes from the buffer \fBin\fR and
@@ -243,7 +252,7 @@ writes the encrypted version to \fBout\fR. This function can be called
 multiple times to encrypt successive blocks of data. The amount
 of data written depends on the block alignment of the encrypted data:
 as a result the amount of data written may be anything from zero bytes
-to (inl + cipher_block_size \- 1) so \fBoutl\fR should contain sufficient
+to (inl + cipher_block_size \- 1) so \fBout\fR should contain sufficient
 room. The actual number of bytes written is placed in \fBoutl\fR.
 .PP
 If padding is enabled (the default) then \fIEVP_EncryptFinal_ex()\fR encrypts
@@ -280,7 +289,7 @@ does not remain in memory.
 .PP
 \&\fIEVP_EncryptInit()\fR, \fIEVP_DecryptInit()\fR and \fIEVP_CipherInit()\fR behave in a
 similar way to \fIEVP_EncryptInit_ex()\fR, EVP_DecryptInit_ex and
-\&\fIEVP_CipherInit_ex()\fR except the \fBctx\fR paramter does not need to be
+\&\fIEVP_CipherInit_ex()\fR except the \fBctx\fR parameter does not need to be
 initialized and they always use the default cipher implementation.
 .PP
 \&\fIEVP_EncryptFinal()\fR, \fIEVP_DecryptFinal()\fR and \fIEVP_CipherFinal()\fR behave in a
@@ -294,8 +303,8 @@ return an \s-1EVP_CIPHER\s0 structure when passed a cipher name, a \s-1NID\s0 or
 .PP
 \&\fIEVP_CIPHER_nid()\fR and \fIEVP_CIPHER_CTX_nid()\fR return the \s-1NID\s0 of a cipher when
 passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR structure.  The actual \s-1NID\s0
-value is an internal value which may not have a corresponding \s-1OBJECT\s0
-\&\s-1IDENTIFIER\s0.
+value is an internal value which may not have a corresponding \s-1OBJECT
+IDENTIFIER.\s0
 .PP
 \&\fIEVP_CIPHER_CTX_set_padding()\fR enables or disables padding. By default
 encryption operations are padded using standard block padding and the
@@ -317,7 +326,7 @@ length to any value other than the fixed value is an error.
 .PP
 \&\fIEVP_CIPHER_iv_length()\fR and \fIEVP_CIPHER_CTX_iv_length()\fR return the \s-1IV\s0
 length of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR.
-It will return zero if the cipher does not use an \s-1IV\s0.  The constant
+It will return zero if the cipher does not use an \s-1IV. \s0 The constant
 \&\fB\s-1EVP_MAX_IV_LENGTH\s0\fR is the maximum \s-1IV\s0 length for all ciphers.
 .PP
 \&\fIEVP_CIPHER_block_size()\fR and \fIEVP_CIPHER_CTX_block_size()\fR return the block
@@ -326,9 +335,9 @@ structure. The constant \fB\s-1EVP_MAX_IV_LENGTH\s0\fR is also the maximum block
 length for all ciphers.
 .PP
 \&\fIEVP_CIPHER_type()\fR and \fIEVP_CIPHER_CTX_type()\fR return the type of the passed
-cipher or context. This \*(L"type\*(R" is the actual \s-1NID\s0 of the cipher \s-1OBJECT\s0
-\&\s-1IDENTIFIER\s0 as such it ignores the cipher parameters and 40 bit \s-1RC2\s0 and
-128 bit \s-1RC2\s0 have the same \s-1NID\s0. If the cipher does not have an object
+cipher or context. This \*(L"type\*(R" is the actual \s-1NID\s0 of the cipher \s-1OBJECT
+IDENTIFIER\s0 as such it ignores the cipher parameters and 40 bit \s-1RC2\s0 and
+128 bit \s-1RC2\s0 have the same \s-1NID.\s0 If the cipher does not have an object
 identifier or does not have \s-1ASN1\s0 support this function will return
 \&\fBNID_undef\fR.
 .PP
@@ -336,24 +345,24 @@ identifier or does not have \s-1ASN1\s0 support this function will return
 an \fB\s-1EVP_CIPHER_CTX\s0\fR structure.
 .PP
 \&\fIEVP_CIPHER_mode()\fR and \fIEVP_CIPHER_CTX_mode()\fR return the block cipher mode:
-\&\s-1EVP_CIPH_ECB_MODE\s0, \s-1EVP_CIPH_CBC_MODE\s0, \s-1EVP_CIPH_CFB_MODE\s0 or
-\&\s-1EVP_CIPH_OFB_MODE\s0. If the cipher is a stream cipher then
+\&\s-1EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE\s0 or
+\&\s-1EVP_CIPH_OFB_MODE.\s0 If the cipher is a stream cipher then
 \&\s-1EVP_CIPH_STREAM_CIPHER\s0 is returned.
 .PP
 \&\fIEVP_CIPHER_param_to_asn1()\fR sets the AlgorithmIdentifier \*(L"parameter\*(R" based
 on the passed cipher. This will typically include any parameters and an
-\&\s-1IV\s0. The cipher \s-1IV\s0 (if any) must be set when this call is made. This call
+\&\s-1IV.\s0 The cipher \s-1IV \s0(if any) must be set when this call is made. This call
 should be made before the cipher is actually \*(L"used\*(R" (before any
 \&\fIEVP_EncryptUpdate()\fR, \fIEVP_DecryptUpdate()\fR calls for example). This function
 may fail if the cipher does not have any \s-1ASN1\s0 support.
 .PP
 \&\fIEVP_CIPHER_asn1_to_param()\fR sets the cipher parameters based on an \s-1ASN1\s0
 AlgorithmIdentifier \*(L"parameter\*(R". The precise effect depends on the cipher
-In the case of \s-1RC2\s0, for example, it will set the \s-1IV\s0 and effective key length.
+In the case of \s-1RC2,\s0 for example, it will set the \s-1IV\s0 and effective key length.
 This function should be called after the base cipher type is set but before
 the key is set. For example \fIEVP_CipherInit()\fR will be called with the \s-1IV\s0 and
-key set to \s-1NULL\s0, \fIEVP_CIPHER_asn1_to_param()\fR will be called and finally
-\&\fIEVP_CipherInit()\fR again with all parameters except the key set to \s-1NULL\s0. It is
+key set to \s-1NULL,\s0 \fIEVP_CIPHER_asn1_to_param()\fR will be called and finally
+\&\fIEVP_CipherInit()\fR again with all parameters except the key set to \s-1NULL.\s0 It is
 possible for this function to fail if the cipher does not have any \s-1ASN1\s0 support
 or the parameters cannot be set (for example the \s-1RC2\s0 effective key length
 is not supported.
@@ -377,7 +386,7 @@ return 1 for success and 0 for failure.
 \&\fIEVP_get_cipherbyname()\fR, \fIEVP_get_cipherbynid()\fR and \fIEVP_get_cipherbyobj()\fR
 return an \fB\s-1EVP_CIPHER\s0\fR structure or \s-1NULL\s0 on error.
 .PP
-\&\fIEVP_CIPHER_nid()\fR and \fIEVP_CIPHER_CTX_nid()\fR return a \s-1NID\s0.
+\&\fIEVP_CIPHER_nid()\fR and \fIEVP_CIPHER_CTX_nid()\fR return a \s-1NID.\s0
 .PP
 \&\fIEVP_CIPHER_block_size()\fR and \fIEVP_CIPHER_CTX_block_size()\fR return the block
 size.
@@ -388,10 +397,10 @@ length.
 \&\fIEVP_CIPHER_CTX_set_padding()\fR always returns 1.
 .PP
 \&\fIEVP_CIPHER_iv_length()\fR and \fIEVP_CIPHER_CTX_iv_length()\fR return the \s-1IV\s0
-length or zero if the cipher does not use an \s-1IV\s0.
+length or zero if the cipher does not use an \s-1IV.\s0
 .PP
 \&\fIEVP_CIPHER_type()\fR and \fIEVP_CIPHER_CTX_type()\fR return the \s-1NID\s0 of the cipher's
-\&\s-1OBJECT\s0 \s-1IDENTIFIER\s0 or NID_undef if it has no defined \s-1OBJECT\s0 \s-1IDENTIFIER\s0.
+\&\s-1OBJECT IDENTIFIER\s0 or NID_undef if it has no defined \s-1OBJECT IDENTIFIER.\s0
 .PP
 \&\fIEVP_CIPHER_CTX_cipher()\fR returns an \fB\s-1EVP_CIPHER\s0\fR structure.
 .PP
@@ -405,13 +414,13 @@ All algorithms have a fixed key length unless otherwise stated.
 Null cipher: does nothing.
 .IP "EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void)" 4
 .IX Item "EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void)"
-\&\s-1DES\s0 in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0 modes respectively.
+\&\s-1DES\s0 in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively.
 .IP "EVP_des_ede_cbc(void), \fIEVP_des_ede()\fR, EVP_des_ede_ofb(void),  EVP_des_ede_cfb(void)" 4
-.IX Item "EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void),  EVP_des_ede_cfb(void)"
-Two key triple \s-1DES\s0 in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0 modes respectively.
+.IX Item "EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void), EVP_des_ede_cfb(void)"
+Two key triple \s-1DES\s0 in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively.
 .IP "EVP_des_ede3_cbc(void), \fIEVP_des_ede3()\fR, EVP_des_ede3_ofb(void),  EVP_des_ede3_cfb(void)" 4
-.IX Item "EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void),  EVP_des_ede3_cfb(void)"
-Three key triple \s-1DES\s0 in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0 modes respectively.
+.IX Item "EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void), EVP_des_ede3_cfb(void)"
+Three key triple \s-1DES\s0 in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively.
 .IP "EVP_desx_cbc(void)" 4
 .IX Item "EVP_desx_cbc(void)"
 \&\s-1DESX\s0 algorithm in \s-1CBC\s0 mode.
@@ -424,10 +433,10 @@ Three key triple \s-1DES\s0 in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0
 and the \fIEVP_CIPHER_CTX_set_key_length()\fR function.
 .IP "\fIEVP_idea_cbc()\fR EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void)" 4
 .IX Item "EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void)"
-\&\s-1IDEA\s0 encryption algorithm in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0 modes respectively.
+\&\s-1IDEA\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively.
 .IP "EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)" 4
 .IX Item "EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)"
-\&\s-1RC2\s0 encryption algorithm in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key
+\&\s-1RC2\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key
 length cipher with an additional parameter called \*(L"effective key bits\*(R" or \*(L"effective key length\*(R".
 By default both are set to 128 bits.
 .IP "EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)" 4
@@ -437,22 +446,25 @@ These are obsolete and new code should use \fIEVP_rc2_cbc()\fR, \fIEVP_CIPHER_CT
 \&\fIEVP_CIPHER_CTX_ctrl()\fR to set the key length and effective key length.
 .IP "EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);" 4
 .IX Item "EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);"
-Blowfish encryption algorithm in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key
+Blowfish encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key
 length cipher.
 .IP "EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)" 4
 .IX Item "EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)"
-\&\s-1CAST\s0 encryption algorithm in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key
+\&\s-1CAST\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key
 length cipher.
 .IP "EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)" 4
 .IX Item "EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)"
-\&\s-1RC5\s0 encryption algorithm in \s-1CBC\s0, \s-1ECB\s0, \s-1CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key length
+\&\s-1RC5\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key length
 cipher with an additional \*(L"number of rounds\*(R" parameter. By default the key length is set to 128
 bits and 12 rounds.
 .SH "NOTES"
 .IX Header "NOTES"
 Where possible the \fB\s-1EVP\s0\fR interface to symmetric ciphers should be used in
 preference to the low level interfaces. This is because the code then becomes
-transparent to the cipher used and much more flexible.
+transparent to the cipher used and much more flexible. Additionally, the
+\&\fB\s-1EVP\s0\fR interface will ensure the use of platform specific cryptographic
+acceleration such as AES-NI (the low level interfaces do not provide the
+guarantee).
 .PP
 \&\s-1PKCS\s0 padding works by adding \fBn\fR padding bytes of value \fBn\fR to make the total 
 length of the encrypted data a multiple of the block size. Padding is always
@@ -487,40 +499,12 @@ unpredictable. This is because it has become standard practice to define a
 generic key as a fixed unsigned char array containing \s-1EVP_MAX_KEY_LENGTH\s0 bytes.
 .PP
 The \s-1ASN1\s0 code is incomplete (and sometimes inaccurate) it has only been tested
-for certain common S/MIME ciphers (\s-1RC2\s0, \s-1DES\s0, triple \s-1DES\s0) in \s-1CBC\s0 mode.
+for certain common S/MIME ciphers (\s-1RC2, DES,\s0 triple \s-1DES\s0) in \s-1CBC\s0 mode.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
-Get the number of rounds used in \s-1RC5:\s0
-.PP
-.Vb 2
-\& int nrounds;
-\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds);
-.Ve
-.PP
-Get the \s-1RC2\s0 effective key length:
-.PP
-.Vb 2
-\& int key_bits;
-\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits);
-.Ve
-.PP
-Set the number of rounds used in \s-1RC5:\s0
-.PP
-.Vb 2
-\& int nrounds;
-\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL);
-.Ve
+Encrypt a string using \s-1IDEA:\s0
 .PP
-Set the effective key length used in \s-1RC2:\s0
-.PP
-.Vb 2
-\& int key_bits;
-\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
-.Ve
-.PP
-Encrypt a string using blowfish:
-.PP
-.Vb 10
+.Vb 12
 \& int do_crypt(char *outfile)
 \&        {
 \&        unsigned char outbuf[1024];
@@ -533,8 +517,9 @@ Encrypt a string using blowfish:
 \&        char intext[] = "Some Crypto Text";
 \&        EVP_CIPHER_CTX ctx;
 \&        FILE *out;
+\&
 \&        EVP_CIPHER_CTX_init(&ctx);
-\&        EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
+\&        EVP_EncryptInit_ex(&ctx, EVP_idea_cbc(), NULL, key, iv);
 \&
 \&        if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
 \&                {
@@ -564,31 +549,37 @@ Encrypt a string using blowfish:
 .Ve
 .PP
 The ciphertext from the above example can be decrypted using the \fBopenssl\fR
-utility with the command line:
+utility with the command line (shown on two lines for clarity):
 .PP
-.Vb 1
-\& S<openssl bf \-in cipher.bin \-K 000102030405060708090A0B0C0D0E0F \-iv 0102030405060708 \-d>
+.Vb 2
+\& openssl idea \-d <filename
+\&          \-K 000102030405060708090A0B0C0D0E0F \-iv 0102030405060708
 .Ve
 .PP
-General encryption, decryption function example using \s-1FILE\s0 I/O and \s-1RC2\s0 with an
-80 bit key:
+General encryption and decryption function example using \s-1FILE I/O\s0 and \s-1AES128\s0
+with a 128\-bit key:
 .PP
-.Vb 10
+.Vb 11
 \& int do_crypt(FILE *in, FILE *out, int do_encrypt)
 \&        {
 \&        /* Allow enough space in output buffer for additional block */
-\&        inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
+\&        unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
 \&        int inlen, outlen;
+\&        EVP_CIPHER_CTX ctx;
 \&        /* Bogus key and IV: we\*(Aqd normally set these from
 \&         * another source.
 \&         */
-\&        unsigned char key[] = "0123456789";
-\&        unsigned char iv[] = "12345678";
-\&        /* Don\*(Aqt set key or IV because we will modify the parameters */
+\&        unsigned char key[] = "0123456789abcdeF";
+\&        unsigned char iv[] = "1234567887654321";
+\&
+\&        /* Don\*(Aqt set key or IV right away; we want to check lengths */
 \&        EVP_CIPHER_CTX_init(&ctx);
-\&        EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt);
-\&        EVP_CIPHER_CTX_set_key_length(&ctx, 10);
-\&        /* We finished modifying parameters so now we can set key and IV */
+\&        EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
+\&                do_encrypt);
+\&        OPENSSL_assert(EVP_CIPHER_CTX_key_length(&ctx) == 16);
+\&        OPENSSL_assert(EVP_CIPHER_CTX_iv_length(&ctx) == 16);
+\&
+\&        /* Now we can set key and IV */
 \&        EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt);
 \&
 \&        for(;;) 
@@ -624,3 +615,6 @@ General encryption, decryption function example using \s-1FILE\s0 I/O and \s-1RC
 \&\fIEVP_DecryptInit_ex()\fR, \fIEVP_DecryptFinal_ex()\fR, \fIEVP_CipherInit_ex()\fR,
 \&\fIEVP_CipherFinal_ex()\fR and \fIEVP_CIPHER_CTX_set_padding()\fR appeared in
 OpenSSL 0.9.7.
+.PP
+\&\s-1IDEA\s0 appeared in OpenSSL 0.9.7 but was often disabled due to
+patent concerns; the last patents expired in 2012.
diff --git a/secure/lib/libcrypto/man/EVP_OpenInit.3 b/secure/lib/libcrypto/man/EVP_OpenInit.3
index 6c29e0127ee6..378a9dc51232 100644
--- a/secure/lib/libcrypto/man/EVP_OpenInit.3
+++ b/secure/lib/libcrypto/man/EVP_OpenInit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_OpenInit 3"
-.TH EVP_OpenInit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_OpenInit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -163,7 +172,7 @@ page.
 It is possible to call \fIEVP_OpenInit()\fR twice in the same way as
 \&\fIEVP_DecryptInit()\fR. The first call should have \fBpriv\fR set to \s-1NULL\s0
 and (after setting any cipher parameters) it should be called again
-with \fBtype\fR set to \s-1NULL\s0.
+with \fBtype\fR set to \s-1NULL.\s0
 .PP
 If the cipher passed in the \fBtype\fR parameter is a variable length
 cipher then the key length will be set to the value of the recovered
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
index d7988e1d50ef..7e18afe3e4b9 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_CTX_ctrl 3"
-.TH EVP_PKEY_CTX_ctrl 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_CTX_ctrl 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -191,7 +200,7 @@ The \fBpad\fR parameter can take the value \s-1RSA_PKCS1_PADDING\s0 for PKCS#1 p
 \&\s-1RSA_SSLV23_PADDING\s0 for SSLv23 padding, \s-1RSA_NO_PADDING\s0 for no padding,
 \&\s-1RSA_PKCS1_OAEP_PADDING\s0 for \s-1OAEP\s0 padding (encrypt and decrypt only),
 \&\s-1RSA_X931_PADDING\s0 for X9.31 padding (signature operations only) and 
-\&\s-1RSA_PKCS1_PSS_PADDING\s0 (sign and verify only).
+\&\s-1RSA_PKCS1_PSS_PADDING \s0(sign and verify only).
 .PP
 Two \s-1RSA\s0 padding modes behave differently if \fIEVP_PKEY_CTX_set_signature_md()\fR
 is used. If this macro is called for PKCS#1 padding the plaintext buffer is
@@ -202,7 +211,7 @@ supplied data is used directly and not encapsulated. In the case of X9.31
 padding for \s-1RSA\s0 the algorithm identifier byte is added or checked and removed
 if this control is called. If it is not called then the first byte of the plaintext buffer is expected to be the algorithm identifier byte.
 .PP
-The \fIEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR macro sets the \s-1RSA\s0 \s-1PSS\s0 salt length to
+The \fIEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR macro sets the \s-1RSA PSS\s0 salt length to
 \&\fBlen\fR as its name implies it is only supported for \s-1PSS\s0 padding.  Two special
 values are supported: \-1 sets the salt length to the digest length. When
 signing \-2 sets the salt length to the maximum permissible value. When
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
index ad4429f6302a..5455e07bc75d 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_CTX_new 3"
-.TH EVP_PKEY_CTX_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_CTX_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -144,10 +153,10 @@ EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free \- pu
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fIEVP_PKEY_CTX_new()\fR function allocates public key algorithm context using
-the algorithm specified in \fBpkey\fR and \s-1ENGINE\s0 \fBe\fR.
+the algorithm specified in \fBpkey\fR and \s-1ENGINE \s0\fBe\fR.
 .PP
 The \fIEVP_PKEY_CTX_new_id()\fR function allocates public key algorithm context
-using the algorithm specified by \fBid\fR and \s-1ENGINE\s0 \fBe\fR. It is normally used
+using the algorithm specified by \fBid\fR and \s-1ENGINE \s0\fBe\fR. It is normally used
 when no \fB\s-1EVP_PKEY\s0\fR structure is associated with the operations, for example
 during parameter generation of key genration for some algorithms.
 .PP
@@ -157,7 +166,7 @@ during parameter generation of key genration for some algorithms.
 .SH "NOTES"
 .IX Header "NOTES"
 The \fB\s-1EVP_PKEY_CTX\s0\fR structure is an opaque public key algorithm context used
-by the OpenSSL high level public key \s-1API\s0. Contexts \fB\s-1MUST\s0 \s-1NOT\s0\fR be shared between
+by the OpenSSL high level public key \s-1API.\s0 Contexts \fB\s-1MUST NOT\s0\fR be shared between
 threads: that is it is not permissible to use the same context simultaneously
 in two threads.
 .SH "RETURN VALUES"
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 b/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
index 98d8fda28d52..98e405863eb6 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_cmp 3"
-.TH EVP_PKEY_cmp 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_cmp 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 b/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
index 7cbc226af55a..a1d725eb6eb3 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_decrypt 3"
-.TH EVP_PKEY_decrypt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_decrypt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -168,7 +177,7 @@ or a negative value for failure. In particular a return value of \-2
 indicates the operation is not supported by the public key algorithm.
 .SH "EXAMPLE"
 .IX Header "EXAMPLE"
-Decrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys):
+Decrypt data using \s-1OAEP \s0(for \s-1RSA\s0 keys):
 .PP
 .Vb 2
 \& #include <openssl/evp.h>
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_derive.3 b/secure/lib/libcrypto/man/EVP_PKEY_derive.3
index c6a3420dbf79..6f51b0fd0d0f 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_derive.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_derive.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_derive 3"
-.TH EVP_PKEY_derive 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_derive 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 b/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
index 4e2ecb315193..50f3e93a9696 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_encrypt 3"
-.TH EVP_PKEY_encrypt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_encrypt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -168,20 +177,24 @@ or a negative value for failure. In particular a return value of \-2
 indicates the operation is not supported by the public key algorithm.
 .SH "EXAMPLE"
 .IX Header "EXAMPLE"
-Encrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys):
+Encrypt data using \s-1OAEP \s0(for \s-1RSA\s0 keys). See also \fIPEM_read_PUBKEY\fR\|(3) or
+\&\fId2i_X509\fR\|(3) for means to load a public key. You may also simply
+set 'eng = \s-1NULL\s0;' to start with the default OpenSSL \s-1RSA\s0 implementation:
 .PP
-.Vb 2
+.Vb 3
 \& #include <openssl/evp.h>
 \& #include <openssl/rsa.h>
+\& #include <openssl/engine.h>
 \&
 \& EVP_PKEY_CTX *ctx;
+\& ENGINE *eng;
 \& unsigned char *out, *in;
 \& size_t outlen, inlen; 
 \& EVP_PKEY *key;
-\& /* NB: assumes key in, inlen are already set up
+\& /* NB: assumes eng, key, in, inlen are already set up,
 \&  * and that key is an RSA public key
 \&  */
-\& ctx = EVP_PKEY_CTX_new(key);
+\& ctx = EVP_PKEY_CTX_new(key,eng);
 \& if (!ctx)
 \&        /* Error occurred */
 \& if (EVP_PKEY_encrypt_init(ctx) <= 0)
@@ -205,6 +218,8 @@ Encrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys):
 .Ve
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
+\&\fId2i_X509\fR\|(3),
+\&\fIengine\fR\|(3),
 \&\fIEVP_PKEY_CTX_new\fR\|(3),
 \&\fIEVP_PKEY_decrypt\fR\|(3),
 \&\fIEVP_PKEY_sign\fR\|(3),
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 b/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
index dc60d18c4505..e9370d5ebf11 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_get_default_digest 3"
-.TH EVP_PKEY_get_default_digest 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_get_default_digest 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 b/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
index 8e76de1bca3d..e1d06b408a00 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_keygen 3"
-.TH EVP_PKEY_keygen 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_keygen 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_new.3 b/secure/lib/libcrypto/man/EVP_PKEY_new.3
index 8ff2465783bc..ba384e280fe0 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_new.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_new 3"
-.TH EVP_PKEY_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 b/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
index 1bca9c9b9d62..dde58b7a3c8d 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_print_private 3"
-.TH EVP_PKEY_print_private 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_print_private 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params \- public k
 .IX Header "DESCRIPTION"
 The functions \fIEVP_PKEY_print_public()\fR, \fIEVP_PKEY_print_private()\fR and
 \&\fIEVP_PKEY_print_params()\fR print out the public, private or parameter components
-of key \fBpkey\fR respectively. The key is sent to \s-1BIO\s0 \fBout\fR in human readable
+of key \fBpkey\fR respectively. The key is sent to \s-1BIO \s0\fBout\fR in human readable
 form. The parameter \fBindent\fR indicated how far the printout should be indented.
 .PP
 The \fBpctx\fR parameter allows the print output to be finely tuned by using
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 b/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
index 305f03544722..8b20dbb7d80d 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_set1_RSA 3"
-.TH EVP_PKEY_set1_RSA 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_set1_RSA 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -165,15 +174,15 @@ EVP_PKEY_type \- EVP_PKEY assignment functions.
 \&\fIEVP_PKEY_get1_EC_KEY()\fR return the referenced key in \fBpkey\fR or
 \&\fB\s-1NULL\s0\fR if the key is not of the correct type.
 .PP
-\&\fIEVP_PKEY_assign_RSA()\fR \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR
+\&\fIEVP_PKEY_assign_RSA()\fR, \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR
 and \fIEVP_PKEY_assign_EC_KEY()\fR also set the referenced key to \fBkey\fR
 however these use the supplied \fBkey\fR internally and so \fBkey\fR
 will be freed when the parent \fBpkey\fR is freed.
 .PP
 \&\fIEVP_PKEY_type()\fR returns the type of key corresponding to the value
 \&\fBtype\fR. The type of a key can be obtained with
-EVP_PKEY_type(pkey\->type). The return value will be \s-1EVP_PKEY_RSA\s0,
-\&\s-1EVP_PKEY_DSA\s0, \s-1EVP_PKEY_DH\s0 or \s-1EVP_PKEY_EC\s0 for the corresponding
+EVP_PKEY_type(pkey\->type). The return value will be \s-1EVP_PKEY_RSA,
+EVP_PKEY_DSA, EVP_PKEY_DH\s0 or \s-1EVP_PKEY_EC\s0 for the corresponding
 key types or NID_undef if the key type is unassigned.
 .SH "NOTES"
 .IX Header "NOTES"
@@ -181,8 +190,8 @@ In accordance with the OpenSSL naming convention the key obtained
 from or assigned to the \fBpkey\fR using the \fB1\fR functions must be
 freed as well as \fBpkey\fR.
 .PP
-\&\fIEVP_PKEY_assign_RSA()\fR \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR
-\&\fIEVP_PKEY_assign_EC_KEY()\fR are implemented as macros.
+\&\fIEVP_PKEY_assign_RSA()\fR, \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR
+and \fIEVP_PKEY_assign_EC_KEY()\fR are implemented as macros.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fIEVP_PKEY_set1_RSA()\fR, \fIEVP_PKEY_set1_DSA()\fR, \fIEVP_PKEY_set1_DH()\fR and
@@ -192,7 +201,7 @@ freed as well as \fBpkey\fR.
 \&\fIEVP_PKEY_get1_EC_KEY()\fR return the referenced key or \fB\s-1NULL\s0\fR if 
 an error occurred.
 .PP
-\&\fIEVP_PKEY_assign_RSA()\fR \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR
+\&\fIEVP_PKEY_assign_RSA()\fR, \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR
 and \fIEVP_PKEY_assign_EC_KEY()\fR return 1 for success and 0 for failure.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_sign.3 b/secure/lib/libcrypto/man/EVP_PKEY_sign.3
index 5c96bf8a5d06..c65f3e104696 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_sign.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_sign.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_sign 3"
-.TH EVP_PKEY_sign 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_sign 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -155,9 +164,14 @@ before the call the \fBsiglen\fR parameter should contain the length of the
 \&\fBsig\fR and the amount of data written to \fBsiglen\fR.
 .SH "NOTES"
 .IX Header "NOTES"
+\&\fIEVP_PKEY_sign()\fR does not hash the data to be signed, and therefore is
+normally used to sign digests. For signing arbitrary messages, see the
+\&\fIEVP_DigestSignInit\fR\|(3) and
+\&\fIEVP_SignInit\fR\|(3) signing interfaces instead.
+.PP
 After the call to \fIEVP_PKEY_sign_init()\fR algorithm specific control
 operations can be performed to set any appropriate parameters for the
-operation.
+operation (see \fIEVP_PKEY_CTX_ctrl\fR\|(3)).
 .PP
 The function \fIEVP_PKEY_sign()\fR can be called more than once on the same
 context if several operations are performed using the same parameters.
@@ -175,13 +189,17 @@ Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest:
 \& #include <openssl/rsa.h>
 \&
 \& EVP_PKEY_CTX *ctx;
+\& /* md is a SHA\-256 digest in this example. */
 \& unsigned char *md, *sig;
-\& size_t mdlen, siglen; 
+\& size_t mdlen = 32, siglen;
 \& EVP_PKEY *signing_key;
-\& /* NB: assumes signing_key, md and mdlen are already set up
-\&  * and that signing_key is an RSA private key
+\&
+\& /*
+\&  * NB: assumes signing_key and md are set up before the next
+\&  * step. signing_key must be an RSA private key and md must
+\&  * point to the SHA\-256 digest to be signed.
 \&  */
-\& ctx = EVP_PKEY_CTX_new(signing_key);
+\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
 \& if (!ctx)
 \&        /* Error occurred */
 \& if (EVP_PKEY_sign_init(ctx) <= 0)
@@ -208,6 +226,7 @@ Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest:
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIEVP_PKEY_CTX_new\fR\|(3),
+\&\fIEVP_PKEY_CTX_ctrl\fR\|(3),
 \&\fIEVP_PKEY_encrypt\fR\|(3),
 \&\fIEVP_PKEY_decrypt\fR\|(3),
 \&\fIEVP_PKEY_verify\fR\|(3),
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_verify.3 b/secure/lib/libcrypto/man/EVP_PKEY_verify.3
index cc645e942ebe..c4004cce0627 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_verify.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_verify.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_verify 3"
-.TH EVP_PKEY_verify 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_verify 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 b/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
index 0f432c7bb8aa..6da4f2a97a93 100644
--- a/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
+++ b/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_PKEY_verify_recover 3"
-.TH EVP_PKEY_verify_recover 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_PKEY_verify_recover 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/EVP_SealInit.3 b/secure/lib/libcrypto/man/EVP_SealInit.3
index 264413524db6..621e8e5d9736 100644
--- a/secure/lib/libcrypto/man/EVP_SealInit.3
+++ b/secure/lib/libcrypto/man/EVP_SealInit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_SealInit 3"
-.TH EVP_SealInit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_SealInit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,12 +156,12 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal \- EVP envelope encryption
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \s-1EVP\s0 envelope routines are a high level interface to envelope
-encryption. They generate a random key and \s-1IV\s0 (if required) then
+encryption. They generate a random key and \s-1IV \s0(if required) then
 \&\*(L"envelope\*(R" it by using public key encryption. Data can then be
 encrypted using this key.
 .PP
 \&\fIEVP_SealInit()\fR initializes a cipher context \fBctx\fR for encryption
-with cipher \fBtype\fR using a random secret key and \s-1IV\s0. \fBtype\fR is normally
+with cipher \fBtype\fR using a random secret key and \s-1IV. \s0\fBtype\fR is normally
 supplied by a function such as \fIEVP_des_cbc()\fR. The secret key is encrypted
 using one or more public keys, this allows the same encrypted data to be
 decrypted using any of the corresponding private keys. \fBek\fR is an array of
@@ -163,7 +172,7 @@ size of each encrypted secret key is written to the array \fBekl\fR. \fBpubk\fR
 an array of \fBnpubk\fR public keys.
 .PP
 The \fBiv\fR parameter is a buffer where the generated \s-1IV\s0 is written to. It must
-contain enough room for the corresponding cipher's \s-1IV\s0, as determined by (for
+contain enough room for the corresponding cipher's \s-1IV,\s0 as determined by (for
 example) EVP_CIPHER_iv_length(type).
 .PP
 If the cipher does not require an \s-1IV\s0 then the \fBiv\fR parameter is ignored
@@ -196,7 +205,7 @@ using public key encryption.
 It is possible to call \fIEVP_SealInit()\fR twice in the same way as
 \&\fIEVP_EncryptInit()\fR. The first call should have \fBnpubk\fR set to 0
 and (after setting any cipher parameters) it should be called again
-with \fBtype\fR set to \s-1NULL\s0.
+with \fBtype\fR set to \s-1NULL.\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIevp\fR\|(3), \fIrand\fR\|(3),
diff --git a/secure/lib/libcrypto/man/EVP_SignInit.3 b/secure/lib/libcrypto/man/EVP_SignInit.3
index c471ac220cf3..af84780ec538 100644
--- a/secure/lib/libcrypto/man/EVP_SignInit.3
+++ b/secure/lib/libcrypto/man/EVP_SignInit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_SignInit 3"
-.TH EVP_SignInit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_SignInit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -150,7 +159,7 @@ The \s-1EVP\s0 signature routines are a high level interface to digital
 signatures.
 .PP
 \&\fIEVP_SignInit_ex()\fR sets up signing context \fBctx\fR to use digest
-\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be initialized with
+\&\fBtype\fR from \s-1ENGINE \s0\fBimpl\fR. \fBctx\fR must be initialized with
 \&\fIEVP_MD_CTX_init()\fR before calling this function.
 .PP
 \&\fIEVP_SignUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the
@@ -158,9 +167,11 @@ signature context \fBctx\fR. This function can be called several times on the
 same \fBctx\fR to include additional data.
 .PP
 \&\fIEVP_SignFinal()\fR signs the data in \fBctx\fR using the private key \fBpkey\fR and
-places the signature in \fBsig\fR. The number of bytes of data written (i.e. the
-length of the signature) will be written to the integer at \fBs\fR, at most
-EVP_PKEY_size(pkey) bytes will be written.
+places the signature in \fBsig\fR. \fBsig\fR must be at least EVP_PKEY_size(pkey)
+bytes in size. \fBs\fR is an \s-1OUT\s0 paramter, and not used as an \s-1IN\s0 parameter.
+The number of bytes of data written (i.e. the length of the signature)
+will be written to the integer at \fBs\fR, at most EVP_PKEY_size(pkey) bytes
+will be written.
 .PP
 \&\fIEVP_SignInit()\fR initializes a signing context \fBctx\fR to use the default
 implementation of digest \fBtype\fR.
diff --git a/secure/lib/libcrypto/man/EVP_VerifyInit.3 b/secure/lib/libcrypto/man/EVP_VerifyInit.3
index 11e6c2936def..24eb98e9d4b5 100644
--- a/secure/lib/libcrypto/man/EVP_VerifyInit.3
+++ b/secure/lib/libcrypto/man/EVP_VerifyInit.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EVP_VerifyInit 3"
-.TH EVP_VerifyInit 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EVP_VerifyInit 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,7 +157,7 @@ The \s-1EVP\s0 signature verification routines are a high level interface to dig
 signatures.
 .PP
 \&\fIEVP_VerifyInit_ex()\fR sets up verification context \fBctx\fR to use digest
-\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be initialized by calling
+\&\fBtype\fR from \s-1ENGINE \s0\fBimpl\fR. \fBctx\fR must be initialized by calling
 \&\fIEVP_MD_CTX_init()\fR before calling this function.
 .PP
 \&\fIEVP_VerifyUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the
diff --git a/secure/lib/libcrypto/man/OBJ_nid2obj.3 b/secure/lib/libcrypto/man/OBJ_nid2obj.3
index 232c41da6f6e..63d5863b2720 100644
--- a/secure/lib/libcrypto/man/OBJ_nid2obj.3
+++ b/secure/lib/libcrypto/man/OBJ_nid2obj.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OBJ_nid2obj 3"
-.TH OBJ_nid2obj 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OBJ_nid2obj 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -160,9 +169,9 @@ functions
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \s-1ASN1\s0 object utility functions process \s-1ASN1_OBJECT\s0 structures which are
-a representation of the \s-1ASN1\s0 \s-1OBJECT\s0 \s-1IDENTIFIER\s0 (\s-1OID\s0) type.
+a representation of the \s-1ASN1 OBJECT IDENTIFIER \s0(\s-1OID\s0) type.
 .PP
-\&\fIOBJ_nid2obj()\fR, \fIOBJ_nid2ln()\fR and \fIOBJ_nid2sn()\fR convert the \s-1NID\s0 \fBn\fR to 
+\&\fIOBJ_nid2obj()\fR, \fIOBJ_nid2ln()\fR and \fIOBJ_nid2sn()\fR convert the \s-1NID \s0\fBn\fR to 
 an \s-1ASN1_OBJECT\s0 structure, its long name and its short name respectively,
 or \fB\s-1NULL\s0\fR is an error occurred.
 .PP
@@ -223,7 +232,7 @@ Objects which are not in the table have the \s-1NID\s0 value NID_undef.
 .PP
 Objects do not need to be in the internal tables to be processed,
 the functions \fIOBJ_txt2obj()\fR and \fIOBJ_obj2txt()\fR can process the numerical
-form of an \s-1OID\s0.
+form of an \s-1OID.\s0
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 Create an object for \fBcommonName\fR:
diff --git a/secure/lib/libcrypto/man/OPENSSL_Applink.3 b/secure/lib/libcrypto/man/OPENSSL_Applink.3
index 6cd69fc27264..dc532467afc4 100644
--- a/secure/lib/libcrypto/man/OPENSSL_Applink.3
+++ b/secure/lib/libcrypto/man/OPENSSL_Applink.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL_Applink 3"
-.TH OPENSSL_Applink 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OPENSSL_Applink 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 b/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
index 47e072ad8489..f3f30ecccaad 100644
--- a/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
+++ b/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL_VERSION_NUMBER 3"
-.TH OPENSSL_VERSION_NUMBER 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OPENSSL_VERSION_NUMBER 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -205,8 +214,8 @@ The \*(L"Configure\*(R" target of the library build in the form \*(L"platform: .
 if available or \*(L"platform: information not available\*(R" otherwise.
 .IP "\s-1SSLEAY_DIR\s0" 4
 .IX Item "SSLEAY_DIR"
-The \*(L"\s-1OPENSSLDIR\s0\*(R" setting of the library build in the form \*(L"\s-1OPENSSLDIR:\s0 \*(R"..."\*(L"
-if available or \*(R"\s-1OPENSSLDIR:\s0 N/A" otherwise.
+The \*(L"\s-1OPENSSLDIR\*(R"\s0 setting of the library build in the form \*(L"\s-1OPENSSLDIR: \*(R"..."\*(L"\s0
+if available or \*(R"\s-1OPENSSLDIR: N/A"\s0 otherwise.
 .PP
 For an unknown \fBt\fR, the text \*(L"not available\*(R" is returned.
 .SH "RETURN VALUE"
diff --git a/secure/lib/libcrypto/man/OPENSSL_config.3 b/secure/lib/libcrypto/man/OPENSSL_config.3
index 108359433f0a..443b9a05327a 100644
--- a/secure/lib/libcrypto/man/OPENSSL_config.3
+++ b/secure/lib/libcrypto/man/OPENSSL_config.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL_config 3"
-.TH OPENSSL_config 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OPENSSL_config 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -197,7 +206,7 @@ Neither \fIOPENSSL_config()\fR nor \fIOPENSSL_no_config()\fR return a value.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIconf\fR\|(5), \fICONF_load_modules_file\fR\|(3),
-\&\fICONF_modules_free\fR\|(3),\fICONF_modules_free\fR\|(3)
+\&\fICONF_modules_free\fR\|(3)
 .SH "HISTORY"
 .IX Header "HISTORY"
 \&\fIOPENSSL_config()\fR and \fIOPENSSL_no_config()\fR first appeared in OpenSSL 0.9.7
diff --git a/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 b/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
index 94b79a78a962..d0a990667363 100644
--- a/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
+++ b/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL_ia32cap 3"
-.TH OPENSSL_ia32cap 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OPENSSL_ia32cap 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -159,7 +168,7 @@ significant, namely:
 .PP
 For example, clearing bit #26 at run-time disables high-performance
 \&\s-1SSE2\s0 code present in the crypto library. You might have to do this if
-target OpenSSL application is executed on \s-1SSE2\s0 capable \s-1CPU\s0, but under
+target OpenSSL application is executed on \s-1SSE2\s0 capable \s-1CPU,\s0 but under
 control of \s-1OS\s0 which does not support \s-1SSE2\s0 extentions. Even though you
 can manipulate the value programmatically, you most likely will find it
 more appropriate to set up an environment variable with the same name
diff --git a/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 b/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
index f98e8416a934..6e870123ae06 100644
--- a/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
+++ b/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL_load_builtin_modules 3"
-.TH OPENSSL_load_builtin_modules 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OPENSSL_load_builtin_modules 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -146,7 +155,7 @@ The function \fIOPENSSL_load_builtin_modules()\fR adds all the standard OpenSSL
 configuration modules to the internal list. They can then be used by the
 OpenSSL configuration code.
 .PP
-\&\fIASN1_add_oid_module()\fR adds just the \s-1ASN1\s0 \s-1OBJECT\s0 module.
+\&\fIASN1_add_oid_module()\fR adds just the \s-1ASN1 OBJECT\s0 module.
 .PP
 \&\fIENGINE_add_conf_module()\fR adds just the \s-1ENGINE\s0 configuration module.
 .SH "NOTES"
diff --git a/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 b/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
index c613485c1da2..e163c3355c28 100644
--- a/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
+++ b/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OpenSSL_add_all_algorithms 3"
-.TH OpenSSL_add_all_algorithms 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OpenSSL_add_all_algorithms 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -171,7 +180,7 @@ needs to lookup algorithms.
 .PP
 The cipher and digest lookup functions are used in many parts of the library. If
 the table is not initialized several functions will misbehave and complain they
-cannot find algorithms. This includes the \s-1PEM\s0, PKCS#12, \s-1SSL\s0 and S/MIME libraries.
+cannot find algorithms. This includes the \s-1PEM,\s0 PKCS#12, \s-1SSL\s0 and S/MIME libraries.
 This is a common query in the OpenSSL mailing lists.
 .PP
 Calling \fIOpenSSL_add_all_algorithms()\fR links in all algorithms: as a result a
diff --git a/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 b/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
index 03c3c4cb3106..7266ca6d3f0e 100644
--- a/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
+++ b/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PEM_write_bio_CMS_stream 3"
-.TH PEM_write_bio_CMS_stream 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PEM_write_bio_CMS_stream 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 b/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
index fd29f02d8e98..4949cd05bfd4 100644
--- a/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
+++ b/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PEM_write_bio_PKCS7_stream 3"
-.TH PEM_write_bio_PKCS7_stream 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PEM_write_bio_PKCS7_stream 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/PKCS12_create.3 b/secure/lib/libcrypto/man/PKCS12_create.3
index 1c0c78fa6360..361f64afa6d9 100644
--- a/secure/lib/libcrypto/man/PKCS12_create.3
+++ b/secure/lib/libcrypto/man/PKCS12_create.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS12_create 3"
-.TH PKCS12_create 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS12_create 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -158,15 +167,15 @@ The parameters \fBnid_key\fR, \fBnid_cert\fR, \fBiter\fR, \fBmac_iter\fR and \fB
 can all be set to zero and sensible defaults will be used.
 .PP
 These defaults are: 40 bit \s-1RC2\s0 encryption for certificates, triple \s-1DES\s0
-encryption for private keys, a key iteration count of \s-1PKCS12_DEFAULT_ITER\s0
-(currently 2048) and a \s-1MAC\s0 iteration count of 1.
+encryption for private keys, a key iteration count of \s-1PKCS12_DEFAULT_ITER
+\&\s0(currently 2048) and a \s-1MAC\s0 iteration count of 1.
 .PP
 The default \s-1MAC\s0 iteration count is 1 in order to retain compatibility with
 old software which did not interpret \s-1MAC\s0 iteration counts. If such compatibility
-is not required then \fBmac_iter\fR should be set to \s-1PKCS12_DEFAULT_ITER\s0.
+is not required then \fBmac_iter\fR should be set to \s-1PKCS12_DEFAULT_ITER.\s0
 .PP
 \&\fBkeytype\fR adds a flag to the store private key. This is a non standard extension
-that is only currently interpreted by \s-1MSIE\s0. If set to zero the flag is omitted,
+that is only currently interpreted by \s-1MSIE.\s0 If set to zero the flag is omitted,
 if set to \fB\s-1KEY_SIG\s0\fR the key can be used for signing only, if set to \fB\s-1KEY_EX\s0\fR
 it can be used for signing and encryption. This option was useful for old
 export grade software which could use signing only keys of arbitrary size but
diff --git a/secure/lib/libcrypto/man/PKCS12_parse.3 b/secure/lib/libcrypto/man/PKCS12_parse.3
index 3e5785ab75b0..ea9b28e5d21f 100644
--- a/secure/lib/libcrypto/man/PKCS12_parse.3
+++ b/secure/lib/libcrypto/man/PKCS12_parse.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS12_parse 3"
-.TH PKCS12_parse 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS12_parse 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/PKCS7_decrypt.3 b/secure/lib/libcrypto/man/PKCS7_decrypt.3
index 5d08017e490f..d71ff2560b3a 100644
--- a/secure/lib/libcrypto/man/PKCS7_decrypt.3
+++ b/secure/lib/libcrypto/man/PKCS7_decrypt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS7_decrypt 3"
-.TH PKCS7_decrypt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS7_decrypt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/PKCS7_encrypt.3 b/secure/lib/libcrypto/man/PKCS7_encrypt.3
index d4f111c5dc6e..f43661351cbf 100644
--- a/secure/lib/libcrypto/man/PKCS7_encrypt.3
+++ b/secure/lib/libcrypto/man/PKCS7_encrypt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS7_encrypt 3"
-.TH PKCS7_encrypt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS7_encrypt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -153,7 +162,7 @@ they do not have to be signed using the \s-1RSA\s0 algorithm.
 because most clients will support it.
 .PP
 Some old \*(L"export grade\*(R" clients may only support weak encryption using 40 or 64
-bit \s-1RC2\s0. These can be used by passing \fIEVP_rc2_40_cbc()\fR and \fIEVP_rc2_64_cbc()\fR
+bit \s-1RC2.\s0 These can be used by passing \fIEVP_rc2_40_cbc()\fR and \fIEVP_rc2_64_cbc()\fR
 respectively.
 .PP
 The algorithm passed in the \fBcipher\fR parameter must support \s-1ASN1\s0 encoding of
@@ -176,7 +185,7 @@ otherwise the translation will corrupt it. If \fB\s-1PKCS7_BINARY\s0\fR is set t
 \&\fB\s-1PKCS7_TEXT\s0\fR is ignored.
 .PP
 If the \fB\s-1PKCS7_STREAM\s0\fR flag is set a partial \fB\s-1PKCS7\s0\fR structure is output
-suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
+suitable for streaming I/O: no data is read from the \s-1BIO \s0\fBin\fR.
 .SH "NOTES"
 .IX Header "NOTES"
 If the flag \fB\s-1PKCS7_STREAM\s0\fR is set the returned \fB\s-1PKCS7\s0\fR structure is \fBnot\fR
@@ -186,7 +195,7 @@ results.
 .PP
 Several functions including \fISMIME_write_PKCS7()\fR, \fIi2d_PKCS7_bio_stream()\fR,
 \&\fIPEM_write_bio_PKCS7_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming \s-1ASN1 \s0\fB\s-1BIO\s0\fR directly using
 \&\fIBIO_new_PKCS7()\fR.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
diff --git a/secure/lib/libcrypto/man/PKCS7_sign.3 b/secure/lib/libcrypto/man/PKCS7_sign.3
index 58039dc8e269..55978ea2d621 100644
--- a/secure/lib/libcrypto/man/PKCS7_sign.3
+++ b/secure/lib/libcrypto/man/PKCS7_sign.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS7_sign 3"
-.TH PKCS7_sign 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS7_sign 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -145,7 +154,7 @@ the certificate to sign with, \fBpkey\fR is the corresponsding private key.
 \&\fBcerts\fR is an optional additional set of certificates to include in the PKCS#7
 structure (for example any intermediate CAs in the chain).
 .PP
-The data to be signed is read from \s-1BIO\s0 \fBdata\fR.
+The data to be signed is read from \s-1BIO \s0\fBdata\fR.
 .PP
 \&\fBflags\fR is an optional set of flags.
 .SH "NOTES"
@@ -180,7 +189,7 @@ authenticatedAttributes will be used. If \fB\s-1PKCS7_NOSMIMECAP\s0\fR is set th
 the SMIMECapabilities are omitted.
 .PP
 If present the SMIMECapabilities attribute indicates support for the following
-algorithms: triple \s-1DES\s0, 128 bit \s-1RC2\s0, 64 bit \s-1RC2\s0, \s-1DES\s0 and 40 bit \s-1RC2\s0. If any of
+algorithms: triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0 If any of
 these algorithms is disabled then it will not be included.
 .PP
 If the flags \fB\s-1PKCS7_STREAM\s0\fR is set then the returned \fB\s-1PKCS7\s0\fR structure is
@@ -199,7 +208,7 @@ finalize the \fB\s-1PKCS7\s0\fR structure will give unpredictable results.
 .PP
 Several functions including \fISMIME_write_PKCS7()\fR, \fIi2d_PKCS7_bio_stream()\fR,
 \&\fIPEM_write_bio_PKCS7_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming \s-1ASN1 \s0\fB\s-1BIO\s0\fR directly using
 \&\fIBIO_new_PKCS7()\fR.
 .PP
 If a signer is specified it will use the default digest for the signing
@@ -215,7 +224,7 @@ In OpenSSL 1.0.0 if \fBsigncert\fR and \fBpkey\fR are \s-1NULL\s0 then a certifi
 PKCS#7 structure is output.
 .PP
 In versions of OpenSSL before 1.0.0 the \fBsigncert\fR and \fBpkey\fR parameters must
-\&\fB\s-1NOT\s0\fR be \s-1NULL\s0.
+\&\fB\s-1NOT\s0\fR be \s-1NULL.\s0
 .SH "BUGS"
 .IX Header "BUGS"
 Some advanced attributes such as counter signatures are not supported.
diff --git a/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 b/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
index 1be7b3edc4af..20fbd2e2a9ff 100644
--- a/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
+++ b/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS7_sign_add_signer 3"
-.TH PKCS7_sign_add_signer 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS7_sign_add_signer 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -187,7 +196,7 @@ authenticatedAttributes will be used. If \fB\s-1PKCS7_NOSMIMECAP\s0\fR is set th
 the SMIMECapabilities are omitted.
 .PP
 If present the SMIMECapabilities attribute indicates support for the following
-algorithms: triple \s-1DES\s0, 128 bit \s-1RC2\s0, 64 bit \s-1RC2\s0, \s-1DES\s0 and 40 bit \s-1RC2\s0. If any of
+algorithms: triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0 If any of
 these algorithms is disabled then it will not be included.
 .PP
 \&\fIPKCS7_sign_add_signers()\fR returns an internal pointer to the \s-1PKCS7_SIGNER_INFO\s0
diff --git a/secure/lib/libcrypto/man/PKCS7_verify.3 b/secure/lib/libcrypto/man/PKCS7_verify.3
index a3dc4face303..8be5135c6fcd 100644
--- a/secure/lib/libcrypto/man/PKCS7_verify.3
+++ b/secure/lib/libcrypto/man/PKCS7_verify.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS7_verify 3"
-.TH PKCS7_verify 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS7_verify 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ structure to verify. \fBcerts\fR is a set of certificates in which to search for
 the signer's certificate. \fBstore\fR is a trusted certficate store (used for
 chain verification). \fBindata\fR is the signed data if the content is not
 present in \fBp7\fR (that is it is detached). The content is written to \fBout\fR
-if it is not \s-1NULL\s0.
+if it is not \s-1NULL.\s0
 .PP
 \&\fBflags\fR is an optional set of flags, which can be used to modify the verify
 operation.
diff --git a/secure/lib/libcrypto/man/RAND_add.3 b/secure/lib/libcrypto/man/RAND_add.3
index 716a7e12f4ba..e77dbf1b1d2e 100644
--- a/secure/lib/libcrypto/man/RAND_add.3
+++ b/secure/lib/libcrypto/man/RAND_add.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND_add 3"
-.TH RAND_add 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RAND_add 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -156,7 +165,7 @@ key presses, mouse movements) and certain hardware events. The
 \&\fBentropy\fR argument is (the lower bound of) an estimate of how much
 randomness is contained in \fBbuf\fR, measured in bytes. Details about
 sources of randomness and how to estimate their entropy can be found
-in the literature, e.g. \s-1RFC\s0 1750.
+in the literature, e.g. \s-1RFC 1750.\s0
 .PP
 \&\fIRAND_add()\fR may be called with sensitive data such as user entered
 passwords. The seed values cannot be recovered from the \s-1PRNG\s0 output.
@@ -174,11 +183,11 @@ or \fIRAND_load_file\fR\|(3).
 movements and other user interaction. It should be called with the
 \&\fBiMsg\fR, \fBwParam\fR and \fBlParam\fR arguments of \fIall\fR messages sent to
 the window procedure. It will estimate the entropy contained in the
-event message (if any), and add it to the \s-1PRNG\s0. The program can then
+event message (if any), and add it to the \s-1PRNG.\s0 The program can then
 process the messages as usual.
 .PP
 The \fIRAND_screen()\fR function is available for the convenience of Windows
-programmers. It adds the current contents of the screen to the \s-1PRNG\s0.
+programmers. It adds the current contents of the screen to the \s-1PRNG.\s0
 For applications that can catch Windows events, seeding the \s-1PRNG\s0 by
 calling \fIRAND_event()\fR is a significantly better source of
 randomness. It should be noted that both methods cannot be used on
diff --git a/secure/lib/libcrypto/man/RAND_bytes.3 b/secure/lib/libcrypto/man/RAND_bytes.3
index eada733d5970..0a33f050a1dd 100644
--- a/secure/lib/libcrypto/man/RAND_bytes.3
+++ b/secure/lib/libcrypto/man/RAND_bytes.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND_bytes 3"
-.TH RAND_bytes 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RAND_bytes 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/RAND_cleanup.3 b/secure/lib/libcrypto/man/RAND_cleanup.3
index 9558a3ac10aa..924999de8766 100644
--- a/secure/lib/libcrypto/man/RAND_cleanup.3
+++ b/secure/lib/libcrypto/man/RAND_cleanup.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND_cleanup 3"
-.TH RAND_cleanup 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RAND_cleanup 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -140,7 +149,7 @@ RAND_cleanup \- erase the PRNG state
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\fIRAND_cleanup()\fR erases the memory used by the \s-1PRNG\s0.
+\&\fIRAND_cleanup()\fR erases the memory used by the \s-1PRNG.\s0
 .SH "RETURN VALUE"
 .IX Header "RETURN VALUE"
 \&\fIRAND_cleanup()\fR returns no value.
diff --git a/secure/lib/libcrypto/man/RAND_egd.3 b/secure/lib/libcrypto/man/RAND_egd.3
index 523689a6ea6c..0484e11c61f9 100644
--- a/secure/lib/libcrypto/man/RAND_egd.3
+++ b/secure/lib/libcrypto/man/RAND_egd.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND_egd 3"
-.TH RAND_egd 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RAND_egd 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -145,12 +154,12 @@ RAND_egd \- query entropy gathering daemon
 .IX Header "DESCRIPTION"
 \&\fIRAND_egd()\fR queries the entropy gathering daemon \s-1EGD\s0 on socket \fBpath\fR.
 It queries 255 bytes and uses \fIRAND_add\fR\|(3) to seed the
-OpenSSL built-in \s-1PRNG\s0. RAND_egd(path) is a wrapper for
+OpenSSL built-in \s-1PRNG.\s0 RAND_egd(path) is a wrapper for
 RAND_egd_bytes(path, 255);
 .PP
 \&\fIRAND_egd_bytes()\fR queries the entropy gathering daemon \s-1EGD\s0 on socket \fBpath\fR.
 It queries \fBbytes\fR bytes and uses \fIRAND_add\fR\|(3) to seed the
-OpenSSL built-in \s-1PRNG\s0.
+OpenSSL built-in \s-1PRNG.\s0
 This function is more flexible than \fIRAND_egd()\fR.
 When only one secret key must
 be generated, it is not necessary to request the full amount 255 bytes from
@@ -159,7 +168,7 @@ that can be retrieved from \s-1EGD\s0 over time is limited.
 .PP
 \&\fIRAND_query_egd_bytes()\fR performs the actual query of the \s-1EGD\s0 daemon on socket
 \&\fBpath\fR. If \fBbuf\fR is given, \fBbytes\fR bytes are queried and written into
-\&\fBbuf\fR. If \fBbuf\fR is \s-1NULL\s0, \fBbytes\fR bytes are queried and used to seed the
+\&\fBbuf\fR. If \fBbuf\fR is \s-1NULL, \s0\fBbytes\fR bytes are queried and used to seed the
 OpenSSL built-in \s-1PRNG\s0 using \fIRAND_add\fR\|(3).
 .SH "NOTES"
 .IX Header "NOTES"
@@ -191,7 +200,7 @@ is located at /var/run/egd\-pool, /dev/egd\-pool or /etc/egd\-pool.
 .IX Header "RETURN VALUE"
 \&\fIRAND_egd()\fR and \fIRAND_egd_bytes()\fR return the number of bytes read from the
 daemon on success, and \-1 if the connection failed or the daemon did not
-return enough data to fully seed the \s-1PRNG\s0.
+return enough data to fully seed the \s-1PRNG.\s0
 .PP
 \&\fIRAND_query_egd_bytes()\fR returns the number of bytes read from the daemon on
 success, and \-1 if the connection failed. The \s-1PRNG\s0 state is not considered.
diff --git a/secure/lib/libcrypto/man/RAND_load_file.3 b/secure/lib/libcrypto/man/RAND_load_file.3
index 90c738d7963d..180c5fde0bab 100644
--- a/secure/lib/libcrypto/man/RAND_load_file.3
+++ b/secure/lib/libcrypto/man/RAND_load_file.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND_load_file 3"
-.TH RAND_load_file 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RAND_load_file 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -151,7 +160,7 @@ set, \f(CW$HOME\fR/.rnd otherwise. If \f(CW$HOME\fR is not set either, or \fBnum
 too small for the path name, an error occurs.
 .PP
 \&\fIRAND_load_file()\fR reads a number of bytes from file \fBfilename\fR and
-adds them to the \s-1PRNG\s0. If \fBmax_bytes\fR is non-negative,
+adds them to the \s-1PRNG.\s0 If \fBmax_bytes\fR is non-negative,
 up to to \fBmax_bytes\fR are read; starting with OpenSSL 0.9.5,
 if \fBmax_bytes\fR is \-1, the complete file is read.
 .PP
diff --git a/secure/lib/libcrypto/man/RAND_set_rand_method.3 b/secure/lib/libcrypto/man/RAND_set_rand_method.3
index 1252ae02e4ef..cd8df9cd0cf5 100644
--- a/secure/lib/libcrypto/man/RAND_set_rand_method.3
+++ b/secure/lib/libcrypto/man/RAND_set_rand_method.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND_set_rand_method 3"
-.TH RAND_set_rand_method 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RAND_set_rand_method 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,19 +156,19 @@ RAND_set_rand_method, RAND_get_rand_method, RAND_SSLeay \- select RAND method
 A \fB\s-1RAND_METHOD\s0\fR specifies the functions that OpenSSL uses for random number
 generation. By modifying the method, alternative implementations such as
 hardware RNGs may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for important
-information about how these \s-1RAND\s0 \s-1API\s0 functions are affected by the use of
+information about how these \s-1RAND API\s0 functions are affected by the use of
 \&\fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
 .PP
 Initially, the default \s-1RAND_METHOD\s0 is the OpenSSL internal implementation, as
 returned by \fIRAND_SSLeay()\fR.
 .PP
 \&\fIRAND_set_default_method()\fR makes \fBmeth\fR the method for \s-1PRNG\s0 use. \fB\s-1NB\s0\fR: This is
-true only whilst no \s-1ENGINE\s0 has been set as a default for \s-1RAND\s0, so this function
+true only whilst no \s-1ENGINE\s0 has been set as a default for \s-1RAND,\s0 so this function
 is no longer recommended.
 .PP
-\&\fIRAND_get_default_method()\fR returns a pointer to the current \s-1RAND_METHOD\s0.
-However, the meaningfulness of this result is dependent on whether the \s-1ENGINE\s0
-\&\s-1API\s0 is being used, so this function is no longer recommended.
+\&\fIRAND_get_default_method()\fR returns a pointer to the current \s-1RAND_METHOD.\s0
+However, the meaningfulness of this result is dependent on whether the \s-1ENGINE
+API\s0 is being used, so this function is no longer recommended.
 .SH "THE RAND_METHOD STRUCTURE"
 .IX Header "THE RAND_METHOD STRUCTURE"
 .Vb 9
@@ -185,10 +194,10 @@ Each component may be \s-1NULL\s0 if the function is not implemented.
 .SH "NOTES"
 .IX Header "NOTES"
 As of version 0.9.7, \s-1RAND_METHOD\s0 implementations are grouped together with other
-algorithmic APIs (eg. \s-1RSA_METHOD\s0, \s-1EVP_CIPHER\s0, etc) in \fB\s-1ENGINE\s0\fR modules. If a
-default \s-1ENGINE\s0 is specified for \s-1RAND\s0 functionality using an \s-1ENGINE\s0 \s-1API\s0 function,
-that will override any \s-1RAND\s0 defaults set using the \s-1RAND\s0 \s-1API\s0 (ie.
-\&\fIRAND_set_rand_method()\fR). For this reason, the \s-1ENGINE\s0 \s-1API\s0 is the recommended way
+algorithmic APIs (eg. \s-1RSA_METHOD, EVP_CIPHER,\s0 etc) in \fB\s-1ENGINE\s0\fR modules. If a
+default \s-1ENGINE\s0 is specified for \s-1RAND\s0 functionality using an \s-1ENGINE API\s0 function,
+that will override any \s-1RAND\s0 defaults set using the \s-1RAND API \s0(ie.
+\&\fIRAND_set_rand_method()\fR). For this reason, the \s-1ENGINE API\s0 is the recommended way
 to control default implementations for use in \s-1RAND\s0 and other cryptographic
 algorithms.
 .SH "SEE ALSO"
@@ -201,6 +210,6 @@ available in all versions of OpenSSL.
 .PP
 In the engine version of version 0.9.6, \fIRAND_set_rand_method()\fR was altered to
 take an \s-1ENGINE\s0 pointer as its argument. As of version 0.9.7, that has been
-reverted as the \s-1ENGINE\s0 \s-1API\s0 transparently overrides \s-1RAND\s0 defaults if used,
-otherwise \s-1RAND\s0 \s-1API\s0 functions work as before. \fIRAND_set_rand_engine()\fR was also
+reverted as the \s-1ENGINE API\s0 transparently overrides \s-1RAND\s0 defaults if used,
+otherwise \s-1RAND API\s0 functions work as before. \fIRAND_set_rand_engine()\fR was also
 introduced in version 0.9.7.
diff --git a/secure/lib/libcrypto/man/RSA_blinding_on.3 b/secure/lib/libcrypto/man/RSA_blinding_on.3
index 85862711174c..a77e4d0012ca 100644
--- a/secure/lib/libcrypto/man/RSA_blinding_on.3
+++ b/secure/lib/libcrypto/man/RSA_blinding_on.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_blinding_on 3"
-.TH RSA_blinding_on 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_blinding_on 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/RSA_check_key.3 b/secure/lib/libcrypto/man/RSA_check_key.3
index b662958b9421..ca57b5373fc0 100644
--- a/secure/lib/libcrypto/man/RSA_check_key.3
+++ b/secure/lib/libcrypto/man/RSA_check_key.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_check_key 3"
-.TH RSA_check_key 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_check_key 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -173,7 +182,7 @@ acceleration or analysis purposes, then in all likelihood the \s-1RSA\s0 key dat
 is complete and untouched, but this can't be assumed in the general case.
 .SH "BUGS"
 .IX Header "BUGS"
-A method of verifying the \s-1RSA\s0 key using opaque \s-1RSA\s0 \s-1API\s0 functions might need
+A method of verifying the \s-1RSA\s0 key using opaque \s-1RSA API\s0 functions might need
 to be considered. Right now \fIRSA_check_key()\fR simply uses the \s-1RSA\s0 structure
 elements directly, bypassing the \s-1RSA_METHOD\s0 table altogether (and
 completely violating encapsulation and object-orientation in the process).
diff --git a/secure/lib/libcrypto/man/RSA_generate_key.3 b/secure/lib/libcrypto/man/RSA_generate_key.3
index a6ea4f5f5f4a..dc7ce512bfd4 100644
--- a/secure/lib/libcrypto/man/RSA_generate_key.3
+++ b/secure/lib/libcrypto/man/RSA_generate_key.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_generate_key 3"
-.TH RSA_generate_key 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_generate_key 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 b/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
index 879cc1b66054..0d39b86a6db7 100644
--- a/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
+++ b/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_get_ex_new_index 3"
-.TH RSA_get_ex_new_index 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_get_ex_new_index 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -166,7 +175,7 @@ The \fB\f(BIRSA_get_ex_new_index()\fB\fR function is initially called to \*(L"re
 new application specific data. It takes three optional function pointers which
 are called when the parent structure (in this case an \s-1RSA\s0 structure) is
 initially created, when it is copied and when it is freed up. If any or all of
-these function pointer arguments are not used they should be set to \s-1NULL\s0. The
+these function pointer arguments are not used they should be set to \s-1NULL.\s0 The
 precise manner in which these function pointers are called is described in more
 detail below. \fB\f(BIRSA_get_ex_new_index()\fB\fR also takes additional long and pointer
 parameters which will be passed to the supplied functions but which otherwise
diff --git a/secure/lib/libcrypto/man/RSA_new.3 b/secure/lib/libcrypto/man/RSA_new.3
index 28a155a35e01..ec49804679d6 100644
--- a/secure/lib/libcrypto/man/RSA_new.3
+++ b/secure/lib/libcrypto/man/RSA_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_new 3"
-.TH RSA_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 b/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
index eb37d086323a..c250e2d9b43c 100644
--- a/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
+++ b/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_padding_add_PKCS1_type_1 3"
-.TH RSA_padding_add_PKCS1_type_1 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_padding_add_PKCS1_type_1 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/RSA_print.3 b/secure/lib/libcrypto/man/RSA_print.3
index 789d4f796aa8..bce275e259d9 100644
--- a/secure/lib/libcrypto/man/RSA_print.3
+++ b/secure/lib/libcrypto/man/RSA_print.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_print 3"
-.TH RSA_print 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_print 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/RSA_private_encrypt.3 b/secure/lib/libcrypto/man/RSA_private_encrypt.3
index d9013a828b61..77229791db9a 100644
--- a/secure/lib/libcrypto/man/RSA_private_encrypt.3
+++ b/secure/lib/libcrypto/man/RSA_private_encrypt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_private_encrypt 3"
-.TH RSA_private_encrypt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_private_encrypt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/RSA_public_encrypt.3 b/secure/lib/libcrypto/man/RSA_public_encrypt.3
index 212fb96ab8cd..e97a9d849692 100644
--- a/secure/lib/libcrypto/man/RSA_public_encrypt.3
+++ b/secure/lib/libcrypto/man/RSA_public_encrypt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_public_encrypt 3"
-.TH RSA_public_encrypt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_public_encrypt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -154,7 +163,7 @@ session key) using the public key \fBrsa\fR and stores the ciphertext in
 \&\s-1PKCS\s0 #1 v1.5 padding. This currently is the most widely used mode.
 .IP "\s-1RSA_PKCS1_OAEP_PADDING\s0" 4
 .IX Item "RSA_PKCS1_OAEP_PADDING"
-EME-OAEP as defined in \s-1PKCS\s0 #1 v2.0 with \s-1SHA\-1\s0, \s-1MGF1\s0 and an empty
+EME-OAEP as defined in \s-1PKCS\s0 #1 v2.0 with \s-1SHA\-1, MGF1\s0 and an empty
 encoding parameter. This mode is recommended for all new applications.
 .IP "\s-1RSA_SSLV23_PADDING\s0" 4
 .IX Item "RSA_SSLV23_PADDING"
@@ -168,7 +177,7 @@ Encrypting user data directly with \s-1RSA\s0 is insecure.
 .PP
 \&\fBflen\fR must be less than RSA_size(\fBrsa\fR) \- 11 for the \s-1PKCS\s0 #1 v1.5
 based padding modes, less than RSA_size(\fBrsa\fR) \- 41 for
-\&\s-1RSA_PKCS1_OAEP_PADDING\s0 and exactly RSA_size(\fBrsa\fR) for \s-1RSA_NO_PADDING\s0.
+\&\s-1RSA_PKCS1_OAEP_PADDING\s0 and exactly RSA_size(\fBrsa\fR) for \s-1RSA_NO_PADDING.\s0
 The random number generator must be seeded prior to calling
 \&\fIRSA_public_encrypt()\fR.
 .PP
@@ -187,7 +196,7 @@ On error, \-1 is returned; the error codes can be
 obtained by \fIERR_get_error\fR\|(3).
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1SSL\s0, \s-1PKCS\s0 #1 v2.0
+\&\s-1SSL, PKCS\s0 #1 v2.0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIERR_get_error\fR\|(3), \fIrand\fR\|(3), \fIrsa\fR\|(3),
diff --git a/secure/lib/libcrypto/man/RSA_set_method.3 b/secure/lib/libcrypto/man/RSA_set_method.3
index 82e8e2f8ff3f..5deb66eb53fa 100644
--- a/secure/lib/libcrypto/man/RSA_set_method.3
+++ b/secure/lib/libcrypto/man/RSA_set_method.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_set_method 3"
-.TH RSA_set_method 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_set_method 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -159,7 +168,7 @@ RSA_new_method \- select RSA method
 An \fB\s-1RSA_METHOD\s0\fR specifies the functions that OpenSSL uses for \s-1RSA\s0
 operations. By modifying the method, alternative implementations such as
 hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
-important information about how these \s-1RSA\s0 \s-1API\s0 functions are affected by the
+important information about how these \s-1RSA API\s0 functions are affected by the
 use of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
 .PP
 Initially, the default \s-1RSA_METHOD\s0 is the OpenSSL internal implementation,
@@ -167,16 +176,16 @@ as returned by \fIRSA_PKCS1_SSLeay()\fR.
 .PP
 \&\fIRSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1RSA\s0
 structures created later. \fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has
-been set as a default for \s-1RSA\s0, so this function is no longer recommended.
+been set as a default for \s-1RSA,\s0 so this function is no longer recommended.
 .PP
 \&\fIRSA_get_default_method()\fR returns a pointer to the current default
-\&\s-1RSA_METHOD\s0. However, the meaningfulness of this result is dependent on
-whether the \s-1ENGINE\s0 \s-1API\s0 is being used, so this function is no longer 
+\&\s-1RSA_METHOD.\s0 However, the meaningfulness of this result is dependent on
+whether the \s-1ENGINE API\s0 is being used, so this function is no longer 
 recommended.
 .PP
 \&\fIRSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key
 \&\fBrsa\fR. This will replace the \s-1RSA_METHOD\s0 used by the \s-1RSA\s0 key and if the
-previous method was supplied by an \s-1ENGINE\s0, the handle to that \s-1ENGINE\s0 will
+previous method was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will
 be released during the change. It is possible to have \s-1RSA\s0 keys that only
 work with certain \s-1RSA_METHOD\s0 implementations (eg. from an \s-1ENGINE\s0 module
 that supports embedded hardware-protected keys), and in such cases
@@ -190,10 +199,10 @@ it is, the return value can only be guaranteed to be valid as long as the
 \&\fIRSA_set_method()\fR.
 .PP
 \&\fIRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current
-\&\s-1RSA_METHOD\s0. See the \s-1BUGS\s0 section.
+\&\s-1RSA_METHOD.\s0 See the \s-1BUGS\s0 section.
 .PP
 \&\fIRSA_new_method()\fR allocates and initializes an \s-1RSA\s0 structure so that
-\&\fBengine\fR will be used for the \s-1RSA\s0 operations. If \fBengine\fR is \s-1NULL\s0, the
+\&\fBengine\fR will be used for the \s-1RSA\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the
 default \s-1ENGINE\s0 for \s-1RSA\s0 operations is used, and if no default \s-1ENGINE\s0 is set,
 the \s-1RSA_METHOD\s0 controlled by \fIRSA_set_default_method()\fR is used.
 .PP
@@ -253,14 +262,18 @@ the default method is used.
 \&     /* sign. For backward compatibility, this is used only
 \&      * if (flags & RSA_FLAG_SIGN_VER)
 \&      */
-\&        int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
-\&           unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-\&
+\&        int (*rsa_sign)(int type,
+\&                const unsigned char *m, unsigned int m_length,
+\&                unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
 \&     /* verify. For backward compatibility, this is used only
 \&      * if (flags & RSA_FLAG_SIGN_VER)
 \&      */
-\&        int (*rsa_verify)(int type, unsigned char *m, unsigned int m_len,
-\&           unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+\&        int (*rsa_verify)(int dtype,
+\&                const unsigned char *m, unsigned int m_length,
+\&                const unsigned char *sigbuf, unsigned int siglen,
+\&                                                                const RSA *rsa);
+\&     /* keygen. If NULL builtin RSA key generation will be used */
+\&        int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
 \&
 \& } RSA_METHOD;
 .Ve
@@ -273,7 +286,7 @@ and \fIRSA_get_method()\fR return pointers to the respective RSA_METHODs.
 .PP
 \&\fIRSA_set_method()\fR returns a pointer to the old \s-1RSA_METHOD\s0 implementation
 that was replaced. However, this return value should probably be ignored
-because if it was supplied by an \s-1ENGINE\s0, the pointer could be invalidated
+because if it was supplied by an \s-1ENGINE,\s0 the pointer could be invalidated
 at any time if the \s-1ENGINE\s0 is unloaded (in fact it could be unloaded as a
 result of the \fIRSA_set_method()\fR function releasing its handle to the
 \&\s-1ENGINE\s0). For this reason, the return type may be replaced with a \fBvoid\fR
@@ -285,10 +298,10 @@ it returns a pointer to the newly allocated structure.
 .SH "NOTES"
 .IX Header "NOTES"
 As of version 0.9.7, \s-1RSA_METHOD\s0 implementations are grouped together with
-other algorithmic APIs (eg. \s-1DSA_METHOD\s0, \s-1EVP_CIPHER\s0, etc) into \fB\s-1ENGINE\s0\fR
+other algorithmic APIs (eg. \s-1DSA_METHOD, EVP_CIPHER,\s0 etc) into \fB\s-1ENGINE\s0\fR
 modules. If a default \s-1ENGINE\s0 is specified for \s-1RSA\s0 functionality using an
-\&\s-1ENGINE\s0 \s-1API\s0 function, that will override any \s-1RSA\s0 defaults set using the \s-1RSA\s0
-\&\s-1API\s0 (ie.  \fIRSA_set_default_method()\fR). For this reason, the \s-1ENGINE\s0 \s-1API\s0 is the
+\&\s-1ENGINE API\s0 function, that will override any \s-1RSA\s0 defaults set using the \s-1RSA
+API \s0(ie.  \fIRSA_set_default_method()\fR). For this reason, the \s-1ENGINE API\s0 is the
 recommended way to control default implementations for use in \s-1RSA\s0 and other
 cryptographic algorithms.
 .SH "BUGS"
@@ -316,9 +329,9 @@ added in OpenSSL 0.9.4.
 replaced \fIRSA_set_default_method()\fR and \fIRSA_get_default_method()\fR
 respectively, and \fIRSA_set_method()\fR and \fIRSA_new_method()\fR were altered to use
 \&\fB\s-1ENGINE\s0\fRs rather than \fB\s-1RSA_METHOD\s0\fRs during development of the engine
-version of OpenSSL 0.9.6. For 0.9.7, the handling of defaults in the \s-1ENGINE\s0
-\&\s-1API\s0 was restructured so that this change was reversed, and behaviour of the
+version of OpenSSL 0.9.6. For 0.9.7, the handling of defaults in the \s-1ENGINE
+API\s0 was restructured so that this change was reversed, and behaviour of the
 other functions resembled more closely the previous behaviour. The
-behaviour of defaults in the \s-1ENGINE\s0 \s-1API\s0 now transparently overrides the
-behaviour of defaults in the \s-1RSA\s0 \s-1API\s0 without requiring changing these
+behaviour of defaults in the \s-1ENGINE API\s0 now transparently overrides the
+behaviour of defaults in the \s-1RSA API\s0 without requiring changing these
 function prototypes.
diff --git a/secure/lib/libcrypto/man/RSA_sign.3 b/secure/lib/libcrypto/man/RSA_sign.3
index d98af1bfa1b8..ebc1b5c69ff5 100644
--- a/secure/lib/libcrypto/man/RSA_sign.3
+++ b/secure/lib/libcrypto/man/RSA_sign.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_sign 3"
-.TH RSA_sign 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_sign 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,6 +157,10 @@ RSA_sign, RSA_verify \- RSA signatures
 private key \fBrsa\fR as specified in \s-1PKCS\s0 #1 v2.0. It stores the
 signature in \fBsigret\fR and the signature size in \fBsiglen\fR. \fBsigret\fR
 must point to RSA_size(\fBrsa\fR) bytes of memory.
+Note that \s-1PKCS\s0 #1 adds meta-data, placing limits on the size of the
+key that can be used.
+See \fIRSA_private_encrypt\fR\|(3) for lower-level
+operations.
 .PP
 \&\fBtype\fR denotes the message digest algorithm that was used to generate
 \&\fBm\fR. It usually is one of \fBNID_sha1\fR, \fBNID_ripemd160\fR and \fBNID_md5\fR;
@@ -171,7 +184,7 @@ Certain signatures with an improper algorithm identifier are accepted
 for compatibility with SSLeay 0.4.5 :\-)
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1SSL\s0, \s-1PKCS\s0 #1 v2.0
+\&\s-1SSL, PKCS\s0 #1 v2.0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIERR_get_error\fR\|(3), \fIobjects\fR\|(3),
diff --git a/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 b/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
index 71599078ff61..abc9b99cf671 100644
--- a/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
+++ b/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_sign_ASN1_OCTET_STRING 3"
-.TH RSA_sign_ASN1_OCTET_STRING 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_sign_ASN1_OCTET_STRING 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/RSA_size.3 b/secure/lib/libcrypto/man/RSA_size.3
index b907899e16f0..6f23264d6c0c 100644
--- a/secure/lib/libcrypto/man/RSA_size.3
+++ b/secure/lib/libcrypto/man/RSA_size.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA_size 3"
-.TH RSA_size 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA_size 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/SMIME_read_CMS.3 b/secure/lib/libcrypto/man/SMIME_read_CMS.3
index c1860f5276e4..269d6f72a22e 100644
--- a/secure/lib/libcrypto/man/SMIME_read_CMS.3
+++ b/secure/lib/libcrypto/man/SMIME_read_CMS.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SMIME_read_CMS 3"
-.TH SMIME_read_CMS 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SMIME_read_CMS 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@
 \&\fBin\fR is a \s-1BIO\s0 to read the message from.
 .PP
 If cleartext signing is used then the content is saved in a memory bio which is
-written to \fB*bcont\fR, otherwise \fB*bcont\fR is set to \s-1NULL\s0.
+written to \fB*bcont\fR, otherwise \fB*bcont\fR is set to \s-1NULL.\s0
 .PP
 The parsed CMS_ContentInfo structure is returned or \s-1NULL\s0 if an
 error occurred.
@@ -159,8 +168,8 @@ then be passed to \fICMS_verify()\fR with the \fB\s-1CMS_DETACHED\s0\fR flag set
 Otherwise the type of the returned structure can be determined
 using \fICMS_get0_type()\fR.
 .PP
-To support future functionality if \fBbcont\fR is not \s-1NULL\s0 \fB*bcont\fR should be
-initialized to \s-1NULL\s0. For example:
+To support future functionality if \fBbcont\fR is not \s-1NULL \s0\fB*bcont\fR should be
+initialized to \s-1NULL.\s0 For example:
 .PP
 .Vb 2
 \& BIO *cont = NULL;
diff --git a/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 b/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
index 38af8709f0ef..5351fc5292b2 100644
--- a/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
+++ b/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SMIME_read_PKCS7 3"
-.TH SMIME_read_PKCS7 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SMIME_read_PKCS7 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/SMIME_write_CMS.3 b/secure/lib/libcrypto/man/SMIME_write_CMS.3
index e69639cad752..00a541787f32 100644
--- a/secure/lib/libcrypto/man/SMIME_write_CMS.3
+++ b/secure/lib/libcrypto/man/SMIME_write_CMS.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SMIME_write_CMS 3"
-.TH SMIME_write_CMS 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SMIME_write_CMS 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 b/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
index fe8061647d52..f6b6aef265fe 100644
--- a/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
+++ b/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SMIME_write_PKCS7 3"
-.TH SMIME_write_PKCS7 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SMIME_write_PKCS7 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 b/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
index b5db120eaca2..a325bf19b1c9 100644
--- a/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
+++ b/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_NAME_ENTRY_get_object 3"
-.TH X509_NAME_ENTRY_get_object 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_NAME_ENTRY_get_object 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -191,7 +200,7 @@ set first so the relevant field information can be looked up internally.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIERR_get_error\fR\|(3), \fId2i_X509_NAME\fR\|(3),
-\&\fIOBJ_nid2obj\fR\|(3),\fIOBJ_nid2obj\fR\|(3)
+\&\fIOBJ_nid2obj\fR\|(3)
 .SH "HISTORY"
 .IX Header "HISTORY"
 \&\s-1TBA\s0
diff --git a/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 b/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
index 5345b16889c3..268cfc9c0aea 100644
--- a/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
+++ b/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_NAME_add_entry_by_txt 3"
-.TH X509_NAME_add_entry_by_txt 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_NAME_add_entry_by_txt 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -151,7 +160,7 @@ X509_NAME_add_entry, X509_NAME_delete_entry \- X509_NAME modification functions
 .IX Header "DESCRIPTION"
 \&\fIX509_NAME_add_entry_by_txt()\fR, \fIX509_NAME_add_entry_by_OBJ()\fR and
 \&\fIX509_NAME_add_entry_by_NID()\fR add a field whose name is defined
-by a string \fBfield\fR, an object \fBobj\fR or a \s-1NID\s0 \fBnid\fR respectively.
+by a string \fBfield\fR, an object \fBobj\fR or a \s-1NID \s0\fBnid\fR respectively.
 The field value to be added is in \fBbytes\fR of length \fBlen\fR. If
 \&\fBlen\fR is \-1 then the field length is calculated internally using
 strlen(bytes).
@@ -208,14 +217,14 @@ Create an \fBX509_NAME\fR structure:
 \& nm = X509_NAME_new();
 \& if (nm == NULL)
 \&        /* Some error */
-\& if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-\&                        "C", "UK", \-1, \-1, 0))
+\& if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC, 
+\&                        "UK", \-1, \-1, 0))
 \&        /* Error */
-\& if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-\&                        "O", "Disorganized Organization", \-1, \-1, 0))
+\& if (!X509_NAME_add_entry_by_txt(nm, "O", MBSTRING_ASC,
+\&                        "Disorganized Organization", \-1, \-1, 0))
 \&        /* Error */
-\& if (!X509_NAME_add_entry_by_txt(nm, MBSTRING_ASC,
-\&                        "CN", "Joe Bloggs", \-1, \-1, 0))
+\& if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC,
+\&                        "Joe Bloggs", \-1, \-1, 0))
 \&        /* Error */
 .Ve
 .SH "RETURN VALUES"
diff --git a/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 b/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
index 8ca6ae6ca8df..69d11bc5c888 100644
--- a/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
+++ b/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_NAME_get_index_by_NID 3"
-.TH X509_NAME_get_index_by_NID 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_NAME_get_index_by_NID 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -151,7 +160,7 @@ X509_NAME lookup and enumeration functions
 .IX Header "DESCRIPTION"
 These functions allow an \fBX509_NAME\fR structure to be examined. The
 \&\fBX509_NAME\fR structure is the same as the \fBName\fR type defined in
-\&\s-1RFC2459\s0 (and elsewhere) and used for example in certificate subject
+\&\s-1RFC2459 \s0(and elsewhere) and used for example in certificate subject
 and issuer names.
 .PP
 \&\fIX509_NAME_get_index_by_NID()\fR and \fIX509_NAME_get_index_by_OBJ()\fR retrieve
@@ -185,6 +194,10 @@ For a more general solution \fIX509_NAME_get_index_by_NID()\fR or
 \&\fIX509_NAME_get_index_by_OBJ()\fR should be used followed by
 \&\fIX509_NAME_get_entry()\fR on any matching indices and then the
 various \fBX509_NAME_ENTRY\fR utility functions on the result.
+.PP
+The list of all relevant \fBNID_*\fR and \fBOBJ_* codes\fR can be found in
+the source code header files <openssl/obj_mac.h> and/or
+<openssl/objects.h>.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 Process all entries:
diff --git a/secure/lib/libcrypto/man/X509_NAME_print_ex.3 b/secure/lib/libcrypto/man/X509_NAME_print_ex.3
index 61f6a2b3a084..046ce98a72be 100644
--- a/secure/lib/libcrypto/man/X509_NAME_print_ex.3
+++ b/secure/lib/libcrypto/man/X509_NAME_print_ex.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_NAME_print_ex 3"
-.TH X509_NAME_print_ex 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_NAME_print_ex 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -144,7 +153,7 @@ X509_NAME_oneline \- X509_NAME printing routines.
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\fIX509_NAME_print_ex()\fR prints a human readable version of \fBnm\fR to \s-1BIO\s0 \fBout\fR. Each
+\&\fIX509_NAME_print_ex()\fR prints a human readable version of \fBnm\fR to \s-1BIO \s0\fBout\fR. Each
 line (for multiline formats) is indented by \fBindent\fR spaces. The output format
 can be extensively customised by use of the \fBflags\fR parameter.
 .PP
@@ -169,7 +178,7 @@ Although there are a large number of possible flags for most purposes
 \&\fB\s-1XN_FLAG_ONELINE\s0\fR, \fB\s-1XN_FLAG_MULTILINE\s0\fR or \fB\s-1XN_FLAG_RFC2253\s0\fR will suffice.
 As noted on the \fIASN1_STRING_print_ex\fR\|(3) manual page
 for \s-1UTF8\s0 terminals the \fB\s-1ASN1_STRFLGS_ESC_MSB\s0\fR should be unset: so for example
-\&\fB\s-1XN_FLAG_ONELINE\s0 & ~ASN1_STRFLGS_ESC_MSB\fR would be used.
+\&\fB\s-1XN_FLAG_ONELINE &\s0 ~ASN1_STRFLGS_ESC_MSB\fR would be used.
 .PP
 The complete set of the flags supported by \fIX509_NAME_print_ex()\fR is listed below.
 .PP
@@ -178,7 +187,7 @@ Several options can be ored together.
 The options \fB\s-1XN_FLAG_SEP_COMMA_PLUS\s0\fR, \fB\s-1XN_FLAG_SEP_CPLUS_SPC\s0\fR,
 \&\fB\s-1XN_FLAG_SEP_SPLUS_SPC\s0\fR and \fB\s-1XN_FLAG_SEP_MULTILINE\s0\fR determine the field separators
 to use. Two distinct separators are used between distinct RelativeDistinguishedName
-components and separate values in the same \s-1RDN\s0 for a multi-valued \s-1RDN\s0. Multi-valued
+components and separate values in the same \s-1RDN\s0 for a multi-valued \s-1RDN.\s0 Multi-valued
 RDNs are currently very rare so the second separator will hardly ever be used.
 .PP
 \&\fB\s-1XN_FLAG_SEP_COMMA_PLUS\s0\fR uses comma and plus as separators. \fB\s-1XN_FLAG_SEP_CPLUS_SPC\s0\fR
diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
index d4d1e47ac6ea..2e5cca1d38f4 100644
--- a/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ b/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_STORE_CTX_get_error 3"
-.TH X509_STORE_CTX_get_error 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_STORE_CTX_get_error 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -152,7 +161,7 @@ These functions are typically called after \fIX509_verify_cert()\fR has indicate
 an error or in a verification callback to determine the nature of an error.
 .PP
 \&\fIX509_STORE_CTX_get_error()\fR returns the error code of \fBctx\fR, see
-the \fB\s-1ERROR\s0 \s-1CODES\s0\fR section for a full description of all error codes.
+the \fB\s-1ERROR CODES\s0\fR section for a full description of all error codes.
 .PP
 \&\fIX509_STORE_CTX_set_error()\fR sets the error code of \fBctx\fR to \fBs\fR. For example
 it might be used in a verification callback to set an error based on additional
@@ -348,7 +357,7 @@ supports directory name, \s-1DNS\s0 name, email and \s-1URI\s0 types.
 .IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax\fR" 4
 .IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax"
 The format of the name constraint is not recognised: for example an email
-address format of a form not mentioned in \s-1RFC3280\s0. This could be caused by
+address format of a form not mentioned in \s-1RFC3280.\s0 This could be caused by
 a garbage extension or some new feature not currently supported.
 .IP "\fBX509_V_ERR_CRL_PATH_VALIDATION_ERROR: \s-1CRL\s0 path validation error\fR" 4
 .IX Item "X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error"
@@ -377,9 +386,3 @@ thread safe but will never happen unless an invalid code is passed.
 .SH "HISTORY"
 .IX Header "HISTORY"
 \&\s-1TBA\s0
-.SH "POD ERRORS"
-.IX Header "POD ERRORS"
-Hey! \fBThe above document had some coding errors, which are explained below:\fR
-.IP "Around line 281:" 4
-.IX Item "Around line 281:"
-You forgot a '=back' before '=head1'
diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
index 7ef0d80e4cdb..9f9d7046adc7 100644
--- a/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
+++ b/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_STORE_CTX_get_ex_new_index 3"
-.TH X509_STORE_CTX_get_ex_new_index 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_STORE_CTX_get_ex_new_index 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -143,7 +152,7 @@ X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_
 \&
 \& int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *d, int idx, void *arg);
 \&
-\& char *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
+\& void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
index 523419019c9b..799c859f7d67 100644
--- a/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
+++ b/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_STORE_CTX_new 3"
-.TH X509_STORE_CTX_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_STORE_CTX_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
index ec626819ddce..44698beb806a 100644
--- a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
+++ b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_STORE_CTX_set_verify_cb 3"
-.TH X509_STORE_CTX_set_verify_cb 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_STORE_CTX_set_verify_cb 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 b/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
index cd749b22051e..1e13f1a7bfa6 100644
--- a/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
+++ b/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_STORE_set_verify_cb_func 3"
-.TH X509_STORE_set_verify_cb_func 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_STORE_set_verify_cb_func 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index d23c916b0bc4..b1c31aac33c9 100644
--- a/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_VERIFY_PARAM_set_flags 3"
-.TH X509_VERIFY_PARAM_set_flags 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_VERIFY_PARAM_set_flags 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -160,7 +169,7 @@ These functions manipulate the \fBX509_VERIFY_PARAM\fR structure associated with
 a certificate verification operation.
 .PP
 The \fIX509_VERIFY_PARAM_set_flags()\fR function sets the flags in \fBparam\fR by oring
-it with \fBflags\fR. See the \fB\s-1VERIFICATION\s0 \s-1FLAGS\s0\fR section for a complete
+it with \fBflags\fR. See the \fB\s-1VERIFICATION FLAGS\s0\fR section for a complete
 description of values the \fBflags\fR parameter can take.
 .PP
 \&\fIX509_VERIFY_PARAM_get_flags()\fR returns the flags in \fBparam\fR.
@@ -239,7 +248,7 @@ a special status code is set to the verification callback. This permits it
 to examine the valid policy tree and perform additional checks or simply
 log it for debugging purposes.
 .PP
-By default some addtional features such as indirect CRLs and CRLs signed by
+By default some additional features such as indirect CRLs and CRLs signed by
 different keys are disabled. If \fBX509_V_FLAG_EXTENDED_CRL_SUPPORT\fR is set
 they are enabled.
 .PP
@@ -274,7 +283,7 @@ corresponding \fBX509_STORE\fR structure. No attempt is made to download
 CRLs from the \s-1CRL\s0 distribution points extension.
 .SH "EXAMPLE"
 .IX Header "EXAMPLE"
-Enable \s-1CRL\s0 checking when performing certificate verification during \s-1SSL\s0 
+Enable \s-1CRL\s0 checking when performing certificate verification during \s-1SSL \s0
 connections associated with an \fB\s-1SSL_CTX\s0\fR structure \fBctx\fR:
 .PP
 .Vb 5
diff --git a/secure/lib/libcrypto/man/X509_new.3 b/secure/lib/libcrypto/man/X509_new.3
index 25986a4c8efc..9e9096cd433c 100644
--- a/secure/lib/libcrypto/man/X509_new.3
+++ b/secure/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_new 3"
-.TH X509_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/X509_verify_cert.3 b/secure/lib/libcrypto/man/X509_verify_cert.3
index a3dfddab7d7c..d2dd52867ba8 100644
--- a/secure/lib/libcrypto/man/X509_verify_cert.3
+++ b/secure/lib/libcrypto/man/X509_verify_cert.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509_verify_cert 3"
-.TH X509_verify_cert 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509_verify_cert 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/bio.3 b/secure/lib/libcrypto/man/bio.3
index 35fe2a609646..ce7efe791054 100644
--- a/secure/lib/libcrypto/man/bio.3
+++ b/secure/lib/libcrypto/man/bio.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "bio 3"
-.TH bio 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH bio 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -145,10 +154,10 @@ details from an application. If an application uses a \s-1BIO\s0 for its
 I/O it can transparently handle \s-1SSL\s0 connections, unencrypted network
 connections and file I/O.
 .PP
-There are two type of \s-1BIO\s0, a source/sink \s-1BIO\s0 and a filter \s-1BIO\s0.
+There are two type of \s-1BIO,\s0 a source/sink \s-1BIO\s0 and a filter \s-1BIO.\s0
 .PP
 As its name implies a source/sink \s-1BIO\s0 is a source and/or sink of data,
-examples include a socket \s-1BIO\s0 and a file \s-1BIO\s0.
+examples include a socket \s-1BIO\s0 and a file \s-1BIO.\s0
 .PP
 A filter \s-1BIO\s0 takes data from one \s-1BIO\s0 and passes it through to
 another, or the application. The data may be left unmodified (for
diff --git a/secure/lib/libcrypto/man/blowfish.3 b/secure/lib/libcrypto/man/blowfish.3
index 637660904aab..babab3722b7f 100644
--- a/secure/lib/libcrypto/man/blowfish.3
+++ b/secure/lib/libcrypto/man/blowfish.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "blowfish 3"
-.TH blowfish 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH blowfish 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -161,9 +170,9 @@ by Counterpane (see http://www.counterpane.com/blowfish.html ).
 Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
 It uses a variable size key, but typically, 128 bit (16 byte) keys are
 considered good for strong encryption.  Blowfish can be used in the same
-modes as \s-1DES\s0 (see \fIdes_modes\fR\|(7)).  Blowfish is currently one
-of the faster block ciphers.  It is quite a bit faster than \s-1DES\s0, and much
-faster than \s-1IDEA\s0 or \s-1RC2\s0.
+modes as \s-1DES \s0(see \fIdes_modes\fR\|(7)).  Blowfish is currently one
+of the faster block ciphers.  It is quite a bit faster than \s-1DES,\s0 and much
+faster than \s-1IDEA\s0 or \s-1RC2.\s0
 .PP
 Blowfish consists of a key setup phase and the actual encryption or decryption
 phase.
@@ -183,7 +192,7 @@ all operate on variable length data.  They all take an initialization vector
 \&\fBivec\fR which needs to be passed along into the next call of the same function 
 for the same message.  \fBivec\fR may be initialized with anything, but the
 recipient needs to know what it was initialized with, or it won't be able
-to decrypt.  Some programs and protocols simplify this, like \s-1SSH\s0, where
+to decrypt.  Some programs and protocols simplify this, like \s-1SSH,\s0 where
 \&\fBivec\fR is simply initialized to zero.
 \&\fIBF_cbc_encrypt()\fR operates on data that is a multiple of 8 bytes long, while
 \&\fIBF_cfb64_encrypt()\fR and \fIBF_ofb64_encrypt()\fR are used to encrypt an variable
diff --git a/secure/lib/libcrypto/man/bn.3 b/secure/lib/libcrypto/man/bn.3
index 6cc40504c92b..71b6a9117f9a 100644
--- a/secure/lib/libcrypto/man/bn.3
+++ b/secure/lib/libcrypto/man/bn.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "bn 3"
-.TH bn 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH bn 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/bn_internal.3 b/secure/lib/libcrypto/man/bn_internal.3
index 353a3bcb33c1..dcd9d6079e62 100644
--- a/secure/lib/libcrypto/man/bn_internal.3
+++ b/secure/lib/libcrypto/man/bn_internal.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "bn_internal 3"
-.TH bn_internal 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH bn_internal 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/buffer.3 b/secure/lib/libcrypto/man/buffer.3
index 67c82a62a791..3a508f1ef0e6 100644
--- a/secure/lib/libcrypto/man/buffer.3
+++ b/secure/lib/libcrypto/man/buffer.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "buffer 3"
-.TH buffer 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH buffer 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/crypto.3 b/secure/lib/libcrypto/man/crypto.3
index 422e98873749..fccc59b2cb19 100644
--- a/secure/lib/libcrypto/man/crypto.3
+++ b/secure/lib/libcrypto/man/crypto.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "crypto 3"
-.TH crypto 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH crypto 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -137,8 +146,8 @@ crypto \- OpenSSL cryptographic library
 .IX Header "DESCRIPTION"
 The OpenSSL \fBcrypto\fR library implements a wide range of cryptographic
 algorithms used in various Internet standards. The services provided
-by this library are used by the OpenSSL implementations of \s-1SSL\s0, \s-1TLS\s0
-and S/MIME, and they have also been used to implement \s-1SSH\s0, OpenPGP, and
+by this library are used by the OpenSSL implementations of \s-1SSL, TLS\s0
+and S/MIME, and they have also been used to implement \s-1SSH,\s0 OpenPGP, and
 other cryptographic standards.
 .SH "OVERVIEW"
 .IX Header "OVERVIEW"
@@ -148,30 +157,30 @@ individual algorithms.
 The functionality includes symmetric encryption, public key
 cryptography and key agreement, certificate handling, cryptographic
 hash functions and a cryptographic pseudo-random number generator.
-.IP "\s-1SYMMETRIC\s0 \s-1CIPHERS\s0" 4
+.IP "\s-1SYMMETRIC CIPHERS\s0" 4
 .IX Item "SYMMETRIC CIPHERS"
 \&\fIblowfish\fR\|(3), \fIcast\fR\|(3), \fIdes\fR\|(3),
 \&\fIidea\fR\|(3), \fIrc2\fR\|(3), \fIrc4\fR\|(3), \fIrc5\fR\|(3)
-.IP "\s-1PUBLIC\s0 \s-1KEY\s0 \s-1CRYPTOGRAPHY\s0 \s-1AND\s0 \s-1KEY\s0 \s-1AGREEMENT\s0" 4
+.IP "\s-1PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT\s0" 4
 .IX Item "PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT"
 \&\fIdsa\fR\|(3), \fIdh\fR\|(3), \fIrsa\fR\|(3)
 .IP "\s-1CERTIFICATES\s0" 4
 .IX Item "CERTIFICATES"
 \&\fIx509\fR\|(3), \fIx509v3\fR\|(3)
-.IP "\s-1AUTHENTICATION\s0 \s-1CODES\s0, \s-1HASH\s0 \s-1FUNCTIONS\s0" 4
+.IP "\s-1AUTHENTICATION CODES, HASH FUNCTIONS\s0" 4
 .IX Item "AUTHENTICATION CODES, HASH FUNCTIONS"
 \&\fIhmac\fR\|(3), \fImd2\fR\|(3), \fImd4\fR\|(3),
 \&\fImd5\fR\|(3), \fImdc2\fR\|(3), \fIripemd\fR\|(3),
 \&\fIsha\fR\|(3)
-.IP "\s-1AUXILIARY\s0 \s-1FUNCTIONS\s0" 4
+.IP "\s-1AUXILIARY FUNCTIONS\s0" 4
 .IX Item "AUXILIARY FUNCTIONS"
 \&\fIerr\fR\|(3), \fIthreads\fR\|(3), \fIrand\fR\|(3),
 \&\s-1\fIOPENSSL_VERSION_NUMBER\s0\fR\|(3)
-.IP "\s-1INPUT/OUTPUT\s0, \s-1DATA\s0 \s-1ENCODING\s0" 4
+.IP "\s-1INPUT/OUTPUT, DATA ENCODING\s0" 4
 .IX Item "INPUT/OUTPUT, DATA ENCODING"
 \&\fIasn1\fR\|(3), \fIbio\fR\|(3), \fIevp\fR\|(3), \fIpem\fR\|(3),
 \&\fIpkcs7\fR\|(3), \fIpkcs12\fR\|(3)
-.IP "\s-1INTERNAL\s0 \s-1FUNCTIONS\s0" 4
+.IP "\s-1INTERNAL FUNCTIONS\s0" 4
 .IX Item "INTERNAL FUNCTIONS"
 \&\fIbn\fR\|(3), \fIbuffer\fR\|(3), \fIlhash\fR\|(3),
 \&\fIobjects\fR\|(3), \fIstack\fR\|(3),
diff --git a/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 b/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
index c36542c52c8c..aa219458cbcf 100644
--- a/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
+++ b/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_ASN1_OBJECT 3"
-.TH d2i_ASN1_OBJECT 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_ASN1_OBJECT 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -141,7 +150,7 @@ d2i_ASN1_OBJECT, i2d_ASN1_OBJECT \- ASN1 OBJECT IDENTIFIER functions
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-These functions decode and encode an \s-1ASN1\s0 \s-1OBJECT\s0 \s-1IDENTIFIER\s0.
+These functions decode and encode an \s-1ASN1 OBJECT IDENTIFIER.\s0
 .PP
 Othewise these behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR
 described in the \fId2i_X509\fR\|(3) manual page.
diff --git a/secure/lib/libcrypto/man/d2i_DHparams.3 b/secure/lib/libcrypto/man/d2i_DHparams.3
index 78db8e37a41a..8256a770d8a7 100644
--- a/secure/lib/libcrypto/man/d2i_DHparams.3
+++ b/secure/lib/libcrypto/man/d2i_DHparams.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_DHparams 3"
-.TH d2i_DHparams 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_DHparams 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 b/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
index daef0742d182..0f033327fe4b 100644
--- a/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
+++ b/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_DSAPublicKey 3"
-.TH d2i_DSAPublicKey 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_DSAPublicKey 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -171,10 +180,10 @@ a SubjectPublicKeyInfo (certificate public key) structure.
 components.
 .PP
 \&\fId2i_DSAparams()\fR, \fIi2d_DSAparams()\fR decode and encode the \s-1DSA\s0 parameters using
-a \fBDss-Parms\fR structure as defined in \s-1RFC2459\s0.
+a \fBDss-Parms\fR structure as defined in \s-1RFC2459.\s0
 .PP
 \&\fId2i_DSA_SIG()\fR, \fIi2d_DSA_SIG()\fR decode and encode a \s-1DSA\s0 signature using a
-\&\fBDss-Sig-Value\fR structure as defined in \s-1RFC2459\s0.
+\&\fBDss-Sig-Value\fR structure as defined in \s-1RFC2459.\s0
 .PP
 The usage of all of these functions is similar to the \fId2i_X509()\fR and
 \&\fIi2d_X509()\fR described in the \fId2i_X509\fR\|(3) manual page.
diff --git a/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 b/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
index c6adbb6b9ba5..cd8df2d6d709 100644
--- a/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
+++ b/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_PKCS8PrivateKey 3"
-.TH d2i_PKCS8PrivateKey 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_PKCS8PrivateKey 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 b/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
index 2c209118d56e..5cde7ec09e2a 100644
--- a/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
+++ b/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_RSAPublicKey 3"
-.TH d2i_RSAPublicKey 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_RSAPublicKey 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/d2i_X509.3 b/secure/lib/libcrypto/man/d2i_X509.3
index a2a887228b68..4dfb31ae2030 100644
--- a/secure/lib/libcrypto/man/d2i_X509.3
+++ b/secure/lib/libcrypto/man/d2i_X509.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_X509 3"
-.TH d2i_X509 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_X509 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -172,23 +181,23 @@ case \fB*out\fR is not incremented and it points to the start of the
 data just written.
 .PP
 \&\fId2i_X509_bio()\fR is similar to \fId2i_X509()\fR except it attempts
-to parse data from \s-1BIO\s0 \fBbp\fR.
+to parse data from \s-1BIO \s0\fBbp\fR.
 .PP
 \&\fId2i_X509_fp()\fR is similar to \fId2i_X509()\fR except it attempts
 to parse data from \s-1FILE\s0 pointer \fBfp\fR.
 .PP
 \&\fIi2d_X509_bio()\fR is similar to \fIi2d_X509()\fR except it writes
-the encoding of the structure \fBx\fR to \s-1BIO\s0 \fBbp\fR and it
+the encoding of the structure \fBx\fR to \s-1BIO \s0\fBbp\fR and it
 returns 1 for success and 0 for failure.
 .PP
 \&\fIi2d_X509_fp()\fR is similar to \fIi2d_X509()\fR except it writes
-the encoding of the structure \fBx\fR to \s-1BIO\s0 \fBbp\fR and it
+the encoding of the structure \fBx\fR to \s-1BIO \s0\fBbp\fR and it
 returns 1 for success and 0 for failure.
 .SH "NOTES"
 .IX Header "NOTES"
 The letters \fBi\fR and \fBd\fR in for example \fBi2d_X509\fR stand for
-\&\*(L"internal\*(R" (that is an internal C structure) and \*(L"\s-1DER\s0\*(R". So that
-\&\fBi2d_X509\fR converts from internal to \s-1DER\s0.
+\&\*(L"internal\*(R" (that is an internal C structure) and \*(L"\s-1DER\*(R".\s0 So that
+\&\fBi2d_X509\fR converts from internal to \s-1DER.\s0
 .PP
 The functions can also understand \fB\s-1BER\s0\fR forms.
 .PP
diff --git a/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 b/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
index 5819a205fe16..669335a08993 100644
--- a/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
+++ b/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_X509_ALGOR 3"
-.TH d2i_X509_ALGOR 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_X509_ALGOR 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/d2i_X509_CRL.3 b/secure/lib/libcrypto/man/d2i_X509_CRL.3
index 30d59a08926f..06fe7dc8ba53 100644
--- a/secure/lib/libcrypto/man/d2i_X509_CRL.3
+++ b/secure/lib/libcrypto/man/d2i_X509_CRL.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_X509_CRL 3"
-.TH d2i_X509_CRL 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_X509_CRL 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,7 +157,7 @@ i2d_X509_CRL_bio, i2d_X509_CRL_fp \- PKCS#10 certificate request functions.
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-These functions decode and encode an X509 \s-1CRL\s0 (certificate revocation
+These functions decode and encode an X509 \s-1CRL \s0(certificate revocation
 list).
 .PP
 Othewise the functions behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR
diff --git a/secure/lib/libcrypto/man/d2i_X509_NAME.3 b/secure/lib/libcrypto/man/d2i_X509_NAME.3
index f1db1ee23542..fbdd0260344a 100644
--- a/secure/lib/libcrypto/man/d2i_X509_NAME.3
+++ b/secure/lib/libcrypto/man/d2i_X509_NAME.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_X509_NAME 3"
-.TH d2i_X509_NAME 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_X509_NAME 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -142,7 +151,7 @@ d2i_X509_NAME, i2d_X509_NAME \- X509_NAME encoding functions
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 These functions decode and encode an \fBX509_NAME\fR structure which is the
-the same as the \fBName\fR type defined in \s-1RFC2459\s0 (and elsewhere) and used
+the same as the \fBName\fR type defined in \s-1RFC2459 \s0(and elsewhere) and used
 for example in certificate subject and issuer names.
 .PP
 Othewise the functions behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR
diff --git a/secure/lib/libcrypto/man/d2i_X509_REQ.3 b/secure/lib/libcrypto/man/d2i_X509_REQ.3
index 928d93ef638b..1e7fdcf5ed65 100644
--- a/secure/lib/libcrypto/man/d2i_X509_REQ.3
+++ b/secure/lib/libcrypto/man/d2i_X509_REQ.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_X509_REQ 3"
-.TH d2i_X509_REQ 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_X509_REQ 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/d2i_X509_SIG.3 b/secure/lib/libcrypto/man/d2i_X509_SIG.3
index 000ecd28caf4..99ccb8814190 100644
--- a/secure/lib/libcrypto/man/d2i_X509_SIG.3
+++ b/secure/lib/libcrypto/man/d2i_X509_SIG.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_X509_SIG 3"
-.TH d2i_X509_SIG 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_X509_SIG 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/des.3 b/secure/lib/libcrypto/man/des.3
index 47f7cd91f3ac..43b97f0b24e2 100644
--- a/secure/lib/libcrypto/man/des.3
+++ b/secure/lib/libcrypto/man/des.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "des 3"
-.TH des 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH des 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -263,9 +272,8 @@ depend on a global variable.
 .PP
 \&\fIDES_set_odd_parity()\fR sets the parity of the passed \fIkey\fR to odd.
 .PP
-\&\fIDES_is_weak_key()\fR returns 1 is the passed key is a weak key, 0 if it
-is ok.  The probability that a randomly generated key is weak is
-1/2^52, so it is not really worth checking for them.
+\&\fIDES_is_weak_key()\fR returns 1 if the passed key is a weak key, 0 if it
+is ok.
 .PP
 The following routines mostly operate on an input and output stream of
 \&\fIDES_cblock\fRs.
@@ -293,7 +301,7 @@ The macro \fIDES_ecb2_encrypt()\fR is provided to perform two-key Triple-DES
 encryption by using \fIks1\fR for the final encryption.
 .PP
 \&\fIDES_ncbc_encrypt()\fR encrypts/decrypts using the \fIcipher-block-chaining\fR
-(\s-1CBC\s0) mode of \s-1DES\s0.  If the \fIencrypt\fR argument is non-zero, the
+(\s-1CBC\s0) mode of \s-1DES. \s0 If the \fIencrypt\fR argument is non-zero, the
 routine cipher-block-chain encrypts the cleartext data pointed to by
 the \fIinput\fR argument into the ciphertext pointed to by the \fIoutput\fR
 argument, using the key schedule provided by the \fIschedule\fR argument,
@@ -302,14 +310,14 @@ and initialization vector provided by the \fIivec\fR argument.  If the
 last block is copied to a temporary area and zero filled.  The output
 is always an integral multiple of eight bytes.
 .PP
-\&\fIDES_xcbc_encrypt()\fR is \s-1RSA\s0's \s-1DESX\s0 mode of \s-1DES\s0.  It uses \fIinw\fR and
+\&\fIDES_xcbc_encrypt()\fR is \s-1RSA\s0's \s-1DESX\s0 mode of \s-1DES. \s0 It uses \fIinw\fR and
 \&\fIoutw\fR to 'whiten' the encryption.  \fIinw\fR and \fIoutw\fR are secret
 (unlike the iv) and are as such, part of the key.  So the key is sort
-of 24 bytes.  This is much better than \s-1CBC\s0 \s-1DES\s0.
+of 24 bytes.  This is much better than \s-1CBC DES.\s0
 .PP
-\&\fIDES_ede3_cbc_encrypt()\fR implements outer triple \s-1CBC\s0 \s-1DES\s0 encryption with
+\&\fIDES_ede3_cbc_encrypt()\fR implements outer triple \s-1CBC DES\s0 encryption with
 three keys. This means that each \s-1DES\s0 operation inside the \s-1CBC\s0 mode is
-really an \f(CW\*(C`C=E(ks3,D(ks2,E(ks1,M)))\*(C'\fR.  This mode is used by \s-1SSL\s0.
+an \f(CW\*(C`C=E(ks3,D(ks2,E(ks1,M)))\*(C'\fR.  This mode is used by \s-1SSL.\s0
 .PP
 The \fIDES_ede2_cbc_encrypt()\fR macro implements two-key Triple-DES by
 reusing \fIks1\fR for the final encryption.  \f(CW\*(C`C=E(ks1,D(ks2,E(ks1,M)))\*(C'\fR.
@@ -324,7 +332,7 @@ method takes an array of characters as input and outputs and array of
 characters.  It does not require any padding to 8 character groups.
 Note: the \fIivec\fR variable is changed and the new changed value needs to
 be passed to the next call to this function.  Since this function runs
-a complete \s-1DES\s0 \s-1ECB\s0 encryption per \fInumbits\fR, this function is only
+a complete \s-1DES ECB\s0 encryption per \fInumbits\fR, this function is only
 suggested for use when sending small numbers of characters.
 .PP
 \&\fIDES_cfb64_encrypt()\fR
@@ -333,7 +341,7 @@ useful you ask?  Because this routine will allow you to encrypt an
 arbitrary number of bytes, no 8 byte padding.  Each call to this
 routine will encrypt the input bytes to output and then update ivec
 and num.  num contains 'how far' we are though ivec.  If this does
-not make much sense, read more about cfb mode of \s-1DES\s0 :\-).
+not make much sense, read more about cfb mode of \s-1DES :\-\s0).
 .PP
 \&\fIDES_ede3_cfb64_encrypt()\fR and \fIDES_ede2_cfb64_encrypt()\fR is the same as
 \&\fIDES_cfb64_encrypt()\fR except that Triple-DES is used.
@@ -343,7 +351,7 @@ takes an array of characters as input and outputs and array of
 characters.  It does not require any padding to 8 character groups.
 Note: the \fIivec\fR variable is changed and the new changed value needs to
 be passed to the next call to this function.  Since this function runs
-a complete \s-1DES\s0 \s-1ECB\s0 encryption per numbits, this function is only
+a complete \s-1DES ECB\s0 encryption per numbits, this function is only
 suggested for use when sending small numbers of characters.
 .PP
 \&\fIDES_ofb64_encrypt()\fR is the same as \fIDES_cfb64_encrypt()\fR using Output
@@ -397,7 +405,7 @@ the key schedule and \fIiv\fR for the initial vector.
 \&\fBWarning:\fR The data format used by \fIDES_enc_write()\fR and \fIDES_enc_read()\fR
 has a cryptographic weakness: When asked to write more than \s-1MAXWRITE\s0
 bytes, \fIDES_enc_write()\fR will split the data into several chunks that
-are all encrypted using the same \s-1IV\s0.  So don't use these functions
+are all encrypted using the same \s-1IV. \s0 So don't use these functions
 unless you are sure you know what you do (in which case you might not
 want to use them anyway).  They cannot handle non-blocking sockets.
 \&\fIDES_enc_read()\fR uses an internal state and thus cannot be used on
@@ -435,7 +443,7 @@ get ugly!
 The same applies for \fIDES_string_to_2key()\fR.
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1ANSI\s0 X3.106
+\&\s-1ANSI X3.106\s0
 .PP
 The \fBdes\fR library was written to be source code compatible with
 the \s-1MIT\s0 Kerberos library.
diff --git a/secure/lib/libcrypto/man/dh.3 b/secure/lib/libcrypto/man/dh.3
index 24d39d11fef8..a51cd29ee3de 100644
--- a/secure/lib/libcrypto/man/dh.3
+++ b/secure/lib/libcrypto/man/dh.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "dh 3"
-.TH dh 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH dh 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/dsa.3 b/secure/lib/libcrypto/man/dsa.3
index cc52e691abda..a3d76f584646 100644
--- a/secure/lib/libcrypto/man/dsa.3
+++ b/secure/lib/libcrypto/man/dsa.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "dsa 3"
-.TH dsa 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH dsa 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -213,7 +222,7 @@ The \fB\s-1DSA\s0\fR structure consists of several \s-1BIGNUM\s0 components.
 \& DSA;
 .Ve
 .PP
-In public keys, \fBpriv_key\fR is \s-1NULL\s0.
+In public keys, \fBpriv_key\fR is \s-1NULL.\s0
 .PP
 Note that \s-1DSA\s0 keys may use non-standard \fB\s-1DSA_METHOD\s0\fR implementations,
 either directly or by the use of \fB\s-1ENGINE\s0\fR modules. In some cases (eg. an
@@ -224,8 +233,8 @@ structure elements directly and instead use \s-1API\s0 functions to query or
 modify keys.
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS\s0 186 (Digital Signature
-Standard, \s-1DSS\s0), \s-1ANSI\s0 X9.30
+\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS 186 \s0(Digital Signature
+Standard, \s-1DSS\s0), \s-1ANSI X9.30\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIbn\fR\|(3), \fIdh\fR\|(3), \fIerr\fR\|(3), \fIrand\fR\|(3),
diff --git a/secure/lib/libcrypto/man/ecdsa.3 b/secure/lib/libcrypto/man/ecdsa.3
index 72bf53407e85..78c5bb3428fa 100644
--- a/secure/lib/libcrypto/man/ecdsa.3
+++ b/secure/lib/libcrypto/man/ecdsa.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ecdsa 3"
-.TH ecdsa 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ecdsa 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -178,7 +187,7 @@ ecdsa \- Elliptic Curve Digital Signature Algorithm
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fB\s-1ECDSA_SIG\s0\fR structure consists of two BIGNUMs for the
-r and s value of a \s-1ECDSA\s0 signature (see X9.62 or \s-1FIPS\s0 186\-2).
+r and s value of a \s-1ECDSA\s0 signature (see X9.62 or \s-1FIPS 186\-2\s0).
 .PP
 .Vb 5
 \& struct
@@ -195,7 +204,7 @@ function also allocates the BIGNUMs) and initialize it.
 .PP
 \&\fIi2d_ECDSA_SIG()\fR creates the \s-1DER\s0 encoding of the \s-1ECDSA\s0 signature
 \&\fBsig\fR and writes the encoded signature to \fB*pp\fR (note: if \fBpp\fR
-is \s-1NULL\s0 \fBi2d_ECDSA_SIG\fR returns the expected length in bytes of 
+is \s-1NULL \s0\fBi2d_ECDSA_SIG\fR returns the expected length in bytes of 
 the \s-1DER\s0 encoded signature). \fBi2d_ECDSA_SIG\fR returns the length
 of the \s-1DER\s0 encoded signature (or 0 on error).
 .PP
@@ -214,7 +223,7 @@ values or returned in \fBkinv\fR and \fBrp\fR and can be used in a
 later call to \fBECDSA_sign_ex\fR or \fBECDSA_do_sign_ex\fR.
 .PP
 \&\fIECDSA_sign()\fR is wrapper function for ECDSA_sign_ex with \fBkinv\fR
-and \fBrp\fR set to \s-1NULL\s0.
+and \fBrp\fR set to \s-1NULL.\s0
 .PP
 \&\fIECDSA_sign_ex()\fR computes a digital signature of the \fBdgstlen\fR bytes
 hash value \fBdgst\fR using the private \s-1EC\s0 key \fBeckey\fR and the optional
@@ -225,11 +234,11 @@ is ignored.
 .PP
 \&\fIECDSA_verify()\fR verifies that the signature in \fBsig\fR of size
 \&\fBsiglen\fR is a valid \s-1ECDSA\s0 signature of the hash value
-value \fBdgst\fR of size \fBdgstlen\fR using the public key \fBeckey\fR.
+\&\fBdgst\fR of size \fBdgstlen\fR using the public key \fBeckey\fR.
 The parameter \fBtype\fR is ignored.
 .PP
 \&\fIECDSA_do_sign()\fR is wrapper function for ECDSA_do_sign_ex with \fBkinv\fR
-and \fBrp\fR set to \s-1NULL\s0.
+and \fBrp\fR set to \s-1NULL.\s0
 .PP
 \&\fIECDSA_do_sign_ex()\fR computes a digital signature of the \fBdgst_len\fR
 bytes hash value \fBdgst\fR using the private key \fBeckey\fR and the
@@ -257,19 +266,15 @@ named curve secp192k1.
 First step: create a \s-1EC_KEY\s0 object (note: this part is \fBnot\fR \s-1ECDSA\s0
 specific)
 .PP
-.Vb 10
+.Vb 12
 \& int        ret;
 \& ECDSA_SIG *sig;
-\& EC_KEY    *eckey = EC_KEY_new();
+\& EC_KEY    *eckey;
+\& eckey = EC_KEY_new_by_curve_name(NID_secp192k1);
 \& if (eckey == NULL)
 \&        {
 \&        /* error */
 \&        }
-\& key\->group = EC_GROUP_new_by_nid(NID_secp192k1);
-\& if (key\->group == NULL)
-\&        {
-\&        /* error */
-\&        }
 \& if (!EC_KEY_generate_key(eckey))
 \&        {
 \&        /* error */
@@ -331,8 +336,8 @@ and finally evaluate the return value:
 .Ve
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1ANSI\s0 X9.62, \s-1US\s0 Federal Information Processing Standard \s-1FIPS\s0 186\-2
-(Digital Signature Standard, \s-1DSS\s0)
+\&\s-1ANSI X9.62, US\s0 Federal Information Processing Standard \s-1FIPS 186\-2
+\&\s0(Digital Signature Standard, \s-1DSS\s0)
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIdsa\fR\|(3), \fIrsa\fR\|(3)
diff --git a/secure/lib/libcrypto/man/engine.3 b/secure/lib/libcrypto/man/engine.3
index 6e4ef5f14bc0..6176e7300190 100644
--- a/secure/lib/libcrypto/man/engine.3
+++ b/secure/lib/libcrypto/man/engine.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "engine 3"
-.TH engine 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH engine 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -308,7 +317,7 @@ implementation includes the following abstractions;
 .Ve
 .SS "Reference counting and handles"
 .IX Subsection "Reference counting and handles"
-Due to the modular nature of the \s-1ENGINE\s0 \s-1API\s0, pointers to ENGINEs need to be
+Due to the modular nature of the \s-1ENGINE API,\s0 pointers to ENGINEs need to be
 treated as handles \- ie. not only as pointers, but also as references to
 the underlying \s-1ENGINE\s0 object. Ie. one should obtain a new reference when
 making copies of an \s-1ENGINE\s0 pointer if the copies will be used (and
@@ -330,7 +339,7 @@ specialised form of structural reference, because each functional reference
 implicitly contains a structural reference as well \- however to avoid
 difficult-to-find programming bugs, it is recommended to treat the two
 kinds of reference independently. If you have a functional reference to an
-\&\s-1ENGINE\s0, you have a guarantee that the \s-1ENGINE\s0 has been initialised ready to
+\&\s-1ENGINE,\s0 you have a guarantee that the \s-1ENGINE\s0 has been initialised ready to
 perform cryptographic operations and will remain uninitialised
 until after you have released your reference.
 .PP
@@ -338,19 +347,19 @@ until after you have released your reference.
 .PP
 This basic type of reference is used for instantiating new ENGINEs,
 iterating across OpenSSL's internal linked-list of loaded
-ENGINEs, reading information about an \s-1ENGINE\s0, etc. Essentially a structural
+ENGINEs, reading information about an \s-1ENGINE,\s0 etc. Essentially a structural
 reference is sufficient if you only need to query or manipulate the data of
 an \s-1ENGINE\s0 implementation rather than use its functionality.
 .PP
 The \fIENGINE_new()\fR function returns a structural reference to a new (empty)
-\&\s-1ENGINE\s0 object. There are other \s-1ENGINE\s0 \s-1API\s0 functions that return structural
+\&\s-1ENGINE\s0 object. There are other \s-1ENGINE API\s0 functions that return structural
 references such as; \fIENGINE_by_id()\fR, \fIENGINE_get_first()\fR, \fIENGINE_get_last()\fR,
 \&\fIENGINE_get_next()\fR, \fIENGINE_get_prev()\fR. All structural references should be
 released by a corresponding to call to the \fIENGINE_free()\fR function \- the
 \&\s-1ENGINE\s0 object itself will only actually be cleaned up and deallocated when
 the last structural reference is released.
 .PP
-It should also be noted that many \s-1ENGINE\s0 \s-1API\s0 function calls that accept a
+It should also be noted that many \s-1ENGINE API\s0 function calls that accept a
 structural reference will internally obtain another reference \- typically
 this happens whenever the supplied \s-1ENGINE\s0 will be needed by OpenSSL after
 the function has returned. Eg. the function to add a new \s-1ENGINE\s0 to
@@ -375,7 +384,7 @@ the openssl/engine.h header file includes some hints.
 As mentioned, functional references exist when the cryptographic
 functionality of an \s-1ENGINE\s0 is required to be available. A functional
 reference can be obtained in one of two ways; from an existing structural
-reference to the required \s-1ENGINE\s0, or by asking OpenSSL for the default
+reference to the required \s-1ENGINE,\s0 or by asking OpenSSL for the default
 operational \s-1ENGINE\s0 for a given cryptographic purpose.
 .PP
 To obtain a functional reference from an existing structural reference,
@@ -383,7 +392,7 @@ call the \fIENGINE_init()\fR function. This returns zero if the \s-1ENGINE\s0 wa
 already operational and couldn't be successfully initialised (eg. lack of
 system drivers, no special hardware attached, etc), otherwise it will
 return non-zero to indicate that the \s-1ENGINE\s0 is now operational and will
-have allocated a new \fBfunctional\fR reference to the \s-1ENGINE\s0. All functional
+have allocated a new \fBfunctional\fR reference to the \s-1ENGINE.\s0 All functional
 references are released by calling \fIENGINE_finish()\fR (which removes the
 implicit structural reference as well).
 .PP
@@ -392,7 +401,7 @@ default implementation for a given task, eg. by \fIENGINE_get_default_RSA()\fR,
 \&\fIENGINE_get_default_cipher_engine()\fR, etc. These are discussed in the next
 section, though they are not usually required by application programmers as
 they are used automatically when creating and using the relevant
-algorithm-specific types in OpenSSL, such as \s-1RSA\s0, \s-1DSA\s0, \s-1EVP_CIPHER_CTX\s0, etc.
+algorithm-specific types in OpenSSL, such as \s-1RSA, DSA, EVP_CIPHER_CTX,\s0 etc.
 .SS "Default implementations"
 .IX Subsection "Default implementations"
 For each supported abstraction, the \s-1ENGINE\s0 code maintains an internal table
@@ -401,7 +410,7 @@ abstraction and which should be used by default. These implementations are
 registered in the tables and indexed by an 'nid' value, because
 abstractions like \s-1EVP_CIPHER\s0 and \s-1EVP_DIGEST\s0 support many distinct
 algorithms and modes, and ENGINEs can support arbitrarily many of them.
-In the case of other abstractions like \s-1RSA\s0, \s-1DSA\s0, etc, there is only one
+In the case of other abstractions like \s-1RSA, DSA,\s0 etc, there is only one
 \&\*(L"algorithm\*(R" so all implementations implicitly register using the same 'nid'
 index.
 .PP
@@ -410,15 +419,15 @@ when calling RSA_new_method(\s-1NULL\s0)), a \*(L"get_default\*(R" call will be
 \&\s-1ENGINE\s0 subsystem to process the corresponding state table and return a
 functional reference to an initialised \s-1ENGINE\s0 whose implementation should be
 used. If no \s-1ENGINE\s0 should (or can) be used, it will return \s-1NULL\s0 and the caller
-will operate with a \s-1NULL\s0 \s-1ENGINE\s0 handle \- this usually equates to using the
+will operate with a \s-1NULL ENGINE\s0 handle \- this usually equates to using the
 conventional software implementation. In the latter case, OpenSSL will from
-then on behave the way it used to before the \s-1ENGINE\s0 \s-1API\s0 existed.
+then on behave the way it used to before the \s-1ENGINE API\s0 existed.
 .PP
 Each state table has a flag to note whether it has processed this
 \&\*(L"get_default\*(R" query since the table was last modified, because to process
 this question it must iterate across all the registered ENGINEs in the
 table trying to initialise each of them in turn, in case one of them is
-operational. If it returns a functional reference to an \s-1ENGINE\s0, it will
+operational. If it returns a functional reference to an \s-1ENGINE,\s0 it will
 also cache another reference to speed up processing future queries (without
 needing to iterate across the table). Likewise, it will cache a \s-1NULL\s0
 response if no \s-1ENGINE\s0 was available so that future queries won't repeat the
@@ -429,7 +438,7 @@ instead the only way for the state table to return a non-NULL \s-1ENGINE\s0 to t
 \&\*(L"get_default\*(R" query will be if one is expressly set in the table. Eg.
 \&\fIENGINE_set_default_RSA()\fR does the same job as \fIENGINE_register_RSA()\fR except
 that it also sets the state table's cached response for the \*(L"get_default\*(R"
-query. In the case of abstractions like \s-1EVP_CIPHER\s0, where implementations are
+query. In the case of abstractions like \s-1EVP_CIPHER,\s0 where implementations are
 indexed by 'nid', these flags and cached-responses are distinct for each 'nid'
 value.
 .SS "Application requirements"
@@ -440,7 +449,7 @@ available to the user. The first thing to consider is whether the
 programmer wishes to make alternative \s-1ENGINE\s0 modules available to the
 application and user. OpenSSL maintains an internal linked list of
 \&\*(L"visible\*(R" ENGINEs from which it has to operate \- at start-up, this list is
-empty and in fact if an application does not call any \s-1ENGINE\s0 \s-1API\s0 calls and
+empty and in fact if an application does not call any \s-1ENGINE API\s0 calls and
 it uses static linking against openssl, then the resulting application
 binary will not contain any alternative \s-1ENGINE\s0 code at all. So the first
 consideration is whether any/all available \s-1ENGINE\s0 implementations should be
@@ -468,13 +477,13 @@ mention an important \s-1API\s0 function;
 \& void ENGINE_cleanup(void);
 .Ve
 .PP
-If no \s-1ENGINE\s0 \s-1API\s0 functions are called at all in an application, then there
+If no \s-1ENGINE API\s0 functions are called at all in an application, then there
 are no inherent memory leaks to worry about from the \s-1ENGINE\s0 functionality,
 however if any ENGINEs are loaded, even if they are never registered or
 used, it is necessary to use the \fIENGINE_cleanup()\fR function to
 correspondingly cleanup before program exit, if the caller wishes to avoid
 memory leaks. This mechanism uses an internal callback registration table
-so that any \s-1ENGINE\s0 \s-1API\s0 functionality that knows it requires cleanup can
+so that any \s-1ENGINE API\s0 functionality that knows it requires cleanup can
 register its cleanup details to be called during \fIENGINE_cleanup()\fR. This
 approach allows \fIENGINE_cleanup()\fR to clean up after any \s-1ENGINE\s0 functionality
 at all that your program uses, yet doesn't automatically create linker
@@ -499,9 +508,9 @@ source code to openssl's builtin utilities as guides.
 \&\fIUsing a specific \s-1ENGINE\s0 implementation\fR
 .PP
 Here we'll assume an application has been configured by its user or admin
-to want to use the \*(L"\s-1ACME\s0\*(R" \s-1ENGINE\s0 if it is available in the version of
+to want to use the \*(L"\s-1ACME\*(R" ENGINE\s0 if it is available in the version of
 OpenSSL the application was compiled with. If it is available, it should be
-used by default for all \s-1RSA\s0, \s-1DSA\s0, and symmetric cipher operation, otherwise
+used by default for all \s-1RSA, DSA,\s0 and symmetric cipher operation, otherwise
 OpenSSL should use its builtin software as per usual. The following code
 illustrates how to approach this;
 .PP
@@ -574,7 +583,7 @@ so that it can be initialised for use. This could include the path to any
 driver or config files it needs to load, required network addresses,
 smart-card identifiers, passwords to initialise protected devices,
 logging information, etc etc. This class of commands typically needs to be
-passed to an \s-1ENGINE\s0 \fBbefore\fR attempting to initialise it, ie. before
+passed to an \s-1ENGINE \s0\fBbefore\fR attempting to initialise it, ie. before
 calling \fIENGINE_init()\fR. The other class of commands consist of settings or
 operations that tweak certain behaviour or cause certain operations to take
 place, and these commands may work either before or after \fIENGINE_init()\fR, or
@@ -589,8 +598,8 @@ name of the \s-1ENGINE\s0 it wishes to use, a table of string-pairs for use befo
 initialisation, and another table for use after initialisation. Note that
 the string-pairs used for control commands consist of a command \*(L"name\*(R"
 followed by the command \*(L"parameter\*(R" \- the parameter could be \s-1NULL\s0 in some
-cases but the name can not. This function should initialise the \s-1ENGINE\s0
-(issuing the \*(L"pre\*(R" commands beforehand and the \*(L"post\*(R" commands afterwards)
+cases but the name can not. This function should initialise the \s-1ENGINE
+\&\s0(issuing the \*(L"pre\*(R" commands beforehand and the \*(L"post\*(R" commands afterwards)
 and set it as the default for everything except \s-1RAND\s0 and then return a
 boolean success or failure.
 .PP
@@ -639,7 +648,7 @@ failure if the \s-1ENGINE\s0 supported the given command name but failed while
 executing it, if the \s-1ENGINE\s0 doesn't support the command name it will simply
 return success without doing anything. In this case we assume the user is
 only supplying commands specific to the given \s-1ENGINE\s0 so we set this to
-\&\s-1FALSE\s0.
+\&\s-1FALSE.\s0
 .PP
 \&\fIDiscovering supported control commands\fR
 .PP
@@ -647,14 +656,14 @@ It is possible to discover at run-time the names, numerical-ids, descriptions
 and input parameters of the control commands supported by an \s-1ENGINE\s0 using a
 structural reference. Note that some control commands are defined by OpenSSL
 itself and it will intercept and handle these control commands on behalf of the
-\&\s-1ENGINE\s0, ie. the \s-1ENGINE\s0's \fIctrl()\fR handler is not used for the control command.
-openssl/engine.h defines an index, \s-1ENGINE_CMD_BASE\s0, that all control commands
+\&\s-1ENGINE,\s0 ie. the \s-1ENGINE\s0's \fIctrl()\fR handler is not used for the control command.
+openssl/engine.h defines an index, \s-1ENGINE_CMD_BASE,\s0 that all control commands
 implemented by ENGINEs should be numbered from. Any command value lower than
 this symbol is considered a \*(L"generic\*(R" command is handled directly by the
 OpenSSL core routines.
 .PP
 It is using these \*(L"core\*(R" control commands that one can discover the control
-commands implemented by a given \s-1ENGINE\s0, specifically the commands;
+commands implemented by a given \s-1ENGINE,\s0 specifically the commands;
 .PP
 .Vb 9
 \& #define ENGINE_HAS_CTRL_FUNCTION               10
@@ -693,7 +702,7 @@ OpenSSL framework code will work with the following rules;
 .PP
 If the \s-1ENGINE\s0's array of control commands is empty then all other commands will
 fail, otherwise; \s-1ENGINE_CTRL_GET_FIRST_CMD_TYPE\s0 returns the identifier of
-the first command supported by the \s-1ENGINE\s0, \s-1ENGINE_GET_NEXT_CMD_TYPE\s0 takes the
+the first command supported by the \s-1ENGINE, ENGINE_GET_NEXT_CMD_TYPE\s0 takes the
 identifier of a command supported by the \s-1ENGINE\s0 and returns the next command
 identifier or fails if there are no more, \s-1ENGINE_CMD_FROM_NAME\s0 takes a string
 name for a command and returns the corresponding identifier or fails if no such
@@ -714,18 +723,18 @@ possible values;
 If the \s-1ENGINE_CMD_FLAG_INTERNAL\s0 flag is set, then any other flags are purely
 informational to the caller \- this flag will prevent the command being usable
 for any higher-level \s-1ENGINE\s0 functions such as \fIENGINE_ctrl_cmd_string()\fR.
-\&\*(L"\s-1INTERNAL\s0\*(R" commands are not intended to be exposed to text-based configuration
+\&\*(L"\s-1INTERNAL\*(R"\s0 commands are not intended to be exposed to text-based configuration
 by applications, administrations, users, etc. These can support arbitrary
 operations via \fIENGINE_ctrl()\fR, including passing to and/or from the control
 commands data of any arbitrary type. These commands are supported in the
 discovery mechanisms simply to allow applications determinie if an \s-1ENGINE\s0
 supports certain specific commands it might want to use (eg. application \*(L"foo\*(R"
-might query various ENGINEs to see if they implement \*(L"\s-1FOO_GET_VENDOR_LOGO_GIF\s0\*(R" \-
+might query various ENGINEs to see if they implement \*(L"\s-1FOO_GET_VENDOR_LOGO_GIF\*(R" \-\s0
 and \s-1ENGINE\s0 could therefore decide whether or not to support this \*(L"foo\*(R"\-specific
 extension).
 .SS "Future developments"
 .IX Subsection "Future developments"
-The \s-1ENGINE\s0 \s-1API\s0 and internal architecture is currently being reviewed. Slated for
+The \s-1ENGINE API\s0 and internal architecture is currently being reviewed. Slated for
 possible release in 0.9.8 is support for transparent loading of \*(L"dynamic\*(R"
 ENGINEs (built as self-contained shared-libraries). This would allow \s-1ENGINE\s0
 implementations to be provided independently of OpenSSL libraries and/or
diff --git a/secure/lib/libcrypto/man/err.3 b/secure/lib/libcrypto/man/err.3
index b4d3f184462a..248e0c84ba86 100644
--- a/secure/lib/libcrypto/man/err.3
+++ b/secure/lib/libcrypto/man/err.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "err 3"
-.TH err 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH err 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -202,8 +211,8 @@ new error codes to OpenSSL or add error codes from external libraries.
 .SS "Reporting errors"
 .IX Subsection "Reporting errors"
 Each sub-library has a specific macro \fIXXXerr()\fR that is used to report
-errors. Its first argument is a function code \fB\s-1XXX_F_\s0...\fR, the second
-argument is a reason code \fB\s-1XXX_R_\s0...\fR. Function codes are derived
+errors. Its first argument is a function code \fB\s-1XXX_F_...\s0\fR, the second
+argument is a reason code \fB\s-1XXX_R_...\s0\fR. Function codes are derived
 from the function names; reason codes consist of textual error
 descriptions. For example, the function \fIssl23_read()\fR reports a
 \&\*(L"handshake failure\*(R" as follows:
@@ -216,7 +225,7 @@ Function and reason codes should consist of upper case characters,
 numbers and underscores only. The error file generation script translates
 function codes into function names by looking in the header files
 for an appropriate function name, if none is found it just uses
-the capitalized form such as \*(L"\s-1SSL23_READ\s0\*(R" in the above example.
+the capitalized form such as \*(L"\s-1SSL23_READ\*(R"\s0 in the above example.
 .PP
 The trailing section of a reason code (after the \*(L"_R_\*(R") is translated
 into lower case and underscores changed to spaces.
@@ -267,7 +276,7 @@ Typically it will initially look like this:
 \& /* BEGIN ERROR CODES */
 .Ve
 .PP
-The \fB\s-1BEGIN\s0 \s-1ERROR\s0 \s-1CODES\s0\fR sequence is used by the error code
+The \fB\s-1BEGIN ERROR CODES\s0\fR sequence is used by the error code
 generation script as the point to place new error codes, any text
 after this point will be overwritten when \fBmake errors\fR is run.
 The closing #endif etc will be automatically added by the script.
@@ -299,7 +308,6 @@ be obtained by calling ERR_get_err_state_table(void) and
 ERR_get_string_table(void) respectively.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-\&\fICRYPTO_set_id_callback\fR\|(3),
 \&\fICRYPTO_set_locking_callback\fR\|(3),
 \&\fIERR_get_error\fR\|(3),
 \&\s-1\fIERR_GET_LIB\s0\fR\|(3),
diff --git a/secure/lib/libcrypto/man/evp.3 b/secure/lib/libcrypto/man/evp.3
index e44453ae33e2..9a1d1f1a4c95 100644
--- a/secure/lib/libcrypto/man/evp.3
+++ b/secure/lib/libcrypto/man/evp.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "evp 3"
-.TH evp 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH evp 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/hmac.3 b/secure/lib/libcrypto/man/hmac.3
index a9aa21d74685..59e4bf9a5feb 100644
--- a/secure/lib/libcrypto/man/hmac.3
+++ b/secure/lib/libcrypto/man/hmac.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "hmac 3"
-.TH hmac 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH hmac 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -155,7 +164,7 @@ authentication code
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\s-1HMAC\s0 is a \s-1MAC\s0 (message authentication code), i.e. a keyed hash
+\&\s-1HMAC\s0 is a \s-1MAC \s0(message authentication code), i.e. a keyed hash
 function used for message authentication, which is based on a hash
 function.
 .PP
@@ -165,7 +174,7 @@ function.
 .PP
 It places the result in \fBmd\fR (which must have space for the output of
 the hash function, which is no more than \fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes).
-If \fBmd\fR is \s-1NULL\s0, the digest is placed in a static array.  The size of
+If \fBmd\fR is \s-1NULL,\s0 the digest is placed in a static array.  The size of
 the output is placed in \fBmd_len\fR, unless it is \fB\s-1NULL\s0\fR.
 .PP
 \&\fBevp_md\fR can be \fIEVP_sha1()\fR, \fIEVP_ripemd160()\fR etc.
@@ -189,7 +198,7 @@ long. It is deprecated and only included for backward compatibility
 with OpenSSL 0.9.6b.
 .PP
 \&\fIHMAC_Init_ex()\fR initializes or reuses a \fB\s-1HMAC_CTX\s0\fR structure to use
-the function \fBevp_md\fR and key \fBkey\fR. Either can be \s-1NULL\s0, in which
+the function \fBevp_md\fR and key \fBkey\fR. Either can be \s-1NULL,\s0 in which
 case the existing one will be reused. \fIHMAC_CTX_init()\fR must have been
 called before the first use of an \fB\s-1HMAC_CTX\s0\fR in this
 function. \fBN.B. \f(BIHMAC_Init()\fB had this undocumented behaviour in
@@ -212,7 +221,7 @@ an error occurred.
 \&\fIHMAC_CTX_init()\fR and \fIHMAC_CTX_cleanup()\fR do not return values.
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1RFC\s0 2104
+\&\s-1RFC 2104\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIsha\fR\|(3), \fIevp\fR\|(3)
diff --git a/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 b/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
index e024ff9dd37a..95c295cde6d2 100644
--- a/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
+++ b/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "i2d_CMS_bio_stream 3"
-.TH i2d_CMS_bio_stream 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH i2d_CMS_bio_stream 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 b/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
index 589a5cd367d9..16cedd69d0bf 100644
--- a/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
+++ b/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "i2d_PKCS7_bio_stream 3"
-.TH i2d_PKCS7_bio_stream 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH i2d_PKCS7_bio_stream 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/lh_stats.3 b/secure/lib/libcrypto/man/lh_stats.3
index fe8207bc25d8..b45d3845e35c 100644
--- a/secure/lib/libcrypto/man/lh_stats.3
+++ b/secure/lib/libcrypto/man/lh_stats.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "lh_stats 3"
-.TH lh_stats 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH lh_stats 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/lhash.3 b/secure/lib/libcrypto/man/lhash.3
index 59466b3cdd54..2508b9627356 100644
--- a/secure/lib/libcrypto/man/lhash.3
+++ b/secure/lib/libcrypto/man/lhash.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "lhash 3"
-.TH lhash 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH lhash 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -357,7 +366,7 @@ the wrapper functions without \*(L"const\*(R" types.
 Callers that only have \*(L"const\*(R" access to data they're indexing in a
 table, yet declare callbacks without constant types (or cast the
 \&\*(L"const\*(R" away themselves), are therefore creating their own risks/bugs
-without being encouraged to do so by the \s-1API\s0.  On a related note,
+without being encouraged to do so by the \s-1API. \s0 On a related note,
 those auditing code should pay special attention to any instances of
 DECLARE/IMPLEMENT_LHASH_DOALL_[\s-1ARG_\s0]_FN macros that provide types
 without any \*(L"const\*(R" qualifiers.
@@ -422,8 +431,8 @@ The \fBlhash\fR library is available in all versions of SSLeay and OpenSSL.
 This manpage is derived from the SSLeay documentation.
 .PP
 In OpenSSL 0.9.7, all lhash functions that were passed function pointers
-were changed for better type safety, and the function types \s-1LHASH_COMP_FN_TYPE\s0,
-\&\s-1LHASH_HASH_FN_TYPE\s0, \s-1LHASH_DOALL_FN_TYPE\s0 and \s-1LHASH_DOALL_ARG_FN_TYPE\s0 
+were changed for better type safety, and the function types \s-1LHASH_COMP_FN_TYPE,
+LHASH_HASH_FN_TYPE, LHASH_DOALL_FN_TYPE\s0 and \s-1LHASH_DOALL_ARG_FN_TYPE \s0
 became available.
 .PP
 In OpenSSL 1.0.0, the lhash interface was revamped for even better
diff --git a/secure/lib/libcrypto/man/md5.3 b/secure/lib/libcrypto/man/md5.3
index 4f47e3acea27..0ff06c04e84c 100644
--- a/secure/lib/libcrypto/man/md5.3
+++ b/secure/lib/libcrypto/man/md5.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "md5 3"
-.TH md5 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH md5 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -169,12 +178,12 @@ MD4_Final, MD5_Init, MD5_Update, MD5_Final \- MD2, MD4, and MD5 hash functions
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\s-1MD2\s0, \s-1MD4\s0, and \s-1MD5\s0 are cryptographic hash functions with a 128 bit output.
+\&\s-1MD2, MD4,\s0 and \s-1MD5\s0 are cryptographic hash functions with a 128 bit output.
 .PP
-\&\s-1\fIMD2\s0()\fR, \s-1\fIMD4\s0()\fR, and \s-1\fIMD5\s0()\fR compute the \s-1MD2\s0, \s-1MD4\s0, and \s-1MD5\s0 message digest
+\&\s-1\fIMD2\s0()\fR, \s-1\fIMD4\s0()\fR, and \s-1\fIMD5\s0()\fR compute the \s-1MD2, MD4,\s0 and \s-1MD5\s0 message digest
 of the \fBn\fR bytes at \fBd\fR and place it in \fBmd\fR (which must have space
 for \s-1MD2_DIGEST_LENGTH\s0 == \s-1MD4_DIGEST_LENGTH\s0 == \s-1MD5_DIGEST_LENGTH\s0 == 16
-bytes of output). If \fBmd\fR is \s-1NULL\s0, the digest is placed in a static
+bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest is placed in a static
 array.
 .PP
 The following functions may be used if the message is not completely
@@ -196,7 +205,7 @@ Applications should use the higher level functions
 etc. instead of calling the hash functions directly.
 .SH "NOTE"
 .IX Header "NOTE"
-\&\s-1MD2\s0, \s-1MD4\s0, and \s-1MD5\s0 are recommended only for compatibility with existing
+\&\s-1MD2, MD4,\s0 and \s-1MD5\s0 are recommended only for compatibility with existing
 applications. In new applications, \s-1SHA\-1\s0 or \s-1RIPEMD\-160\s0 should be
 preferred.
 .SH "RETURN VALUES"
@@ -208,7 +217,7 @@ preferred.
 success, 0 otherwise.
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1RFC\s0 1319, \s-1RFC\s0 1320, \s-1RFC\s0 1321
+\&\s-1RFC 1319, RFC 1320, RFC 1321\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIsha\fR\|(3), \fIripemd\fR\|(3), \fIEVP_DigestInit\fR\|(3)
diff --git a/secure/lib/libcrypto/man/mdc2.3 b/secure/lib/libcrypto/man/mdc2.3
index 7c6a3cc33b97..b936d2b88ffa 100644
--- a/secure/lib/libcrypto/man/mdc2.3
+++ b/secure/lib/libcrypto/man/mdc2.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "mdc2 3"
-.TH mdc2 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH mdc2 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,11 +157,11 @@ MDC2, MDC2_Init, MDC2_Update, MDC2_Final \- MDC2 hash function
 .IX Header "DESCRIPTION"
 \&\s-1MDC2\s0 is a method to construct hash functions with 128 bit output from
 block ciphers.  These functions are an implementation of \s-1MDC2\s0 with
-\&\s-1DES\s0.
+\&\s-1DES.\s0
 .PP
 \&\s-1\fIMDC2\s0()\fR computes the \s-1MDC2\s0 message digest of the \fBn\fR
 bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
-\&\s-1MDC2_DIGEST_LENGTH\s0 == 16 bytes of output). If \fBmd\fR is \s-1NULL\s0, the digest
+\&\s-1MDC2_DIGEST_LENGTH\s0 == 16 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
 is placed in a static array.
 .PP
 The following functions may be used if the message is not completely
@@ -176,7 +185,7 @@ hash functions directly.
 \&\fIMDC2_Init()\fR, \fIMDC2_Update()\fR and \fIMDC2_Final()\fR return 1 for success, 0 otherwise.
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1ISO/IEC\s0 10118\-2, with \s-1DES\s0
+\&\s-1ISO/IEC 10118\-2,\s0 with \s-1DES\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIsha\fR\|(3), \fIEVP_DigestInit\fR\|(3)
diff --git a/secure/lib/libcrypto/man/pem.3 b/secure/lib/libcrypto/man/pem.3
index 0cab0d334bc7..a840a96c555d 100644
--- a/secure/lib/libcrypto/man/pem.3
+++ b/secure/lib/libcrypto/man/pem.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "pem 3"
-.TH pem 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH pem 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -313,7 +322,7 @@ this sense \s-1PEM\s0 format is simply base64 encoded data surrounded
 by header lines.
 .PP
 For more details about the meaning of arguments see the
-\&\fB\s-1PEM\s0 \s-1FUNCTION\s0 \s-1ARGUMENTS\s0\fR section.
+\&\fB\s-1PEM FUNCTION ARGUMENTS\s0\fR section.
 .PP
 Each operation has four functions associated with it. For
 clarity the term "\fBfoobar\fR functions" will be used to collectively
@@ -329,7 +338,7 @@ handle PKCS#8 format encrypted and unencrypted keys too.
 \&\fIPEM_write_bio_PKCS8PrivateKey()\fR and \fIPEM_write_PKCS8PrivateKey()\fR
 write a private key in an \s-1EVP_PKEY\s0 structure in PKCS#8
 EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
-algorithms. The \fBcipher\fR argument specifies the encryption algoritm to
+algorithms. The \fBcipher\fR argument specifies the encryption algorithm to
 use: unlike all other \s-1PEM\s0 routines the encryption is applied at the
 PKCS#8 level and not in the \s-1PEM\s0 headers. If \fBcipher\fR is \s-1NULL\s0 then no
 encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
@@ -338,7 +347,7 @@ encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
 also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however
 it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm
 to use is specified in the \fBnid\fR parameter and should be the \s-1NID\s0 of the
-corresponding \s-1OBJECT\s0 \s-1IDENTIFIER\s0 (see \s-1NOTES\s0 section).
+corresponding \s-1OBJECT IDENTIFIER \s0(see \s-1NOTES\s0 section).
 .PP
 The \fB\s-1PUBKEY\s0\fR functions process a public key using an \s-1EVP_PKEY\s0
 structure. The public key is encoded as a SubjectPublicKeyInfo
@@ -346,7 +355,7 @@ structure.
 .PP
 The \fBRSAPrivateKey\fR functions process an \s-1RSA\s0 private key using an
 \&\s-1RSA\s0 structure. It handles the same formats as the \fBPrivateKey\fR
-functions but an error occurs if the private key is not \s-1RSA\s0.
+functions but an error occurs if the private key is not \s-1RSA.\s0
 .PP
 The \fBRSAPublicKey\fR functions process an \s-1RSA\s0 public key using an
 \&\s-1RSA\s0 structure. The public key is encoded using a PKCS#1 RSAPublicKey
@@ -355,16 +364,16 @@ structure.
 The \fB\s-1RSA_PUBKEY\s0\fR functions also process an \s-1RSA\s0 public key using
 an \s-1RSA\s0 structure. However the public key is encoded using a
 SubjectPublicKeyInfo structure and an error occurs if the public
-key is not \s-1RSA\s0.
+key is not \s-1RSA.\s0
 .PP
 The \fBDSAPrivateKey\fR functions process a \s-1DSA\s0 private key using a
 \&\s-1DSA\s0 structure. It handles the same formats as the \fBPrivateKey\fR
-functions but an error occurs if the private key is not \s-1DSA\s0.
+functions but an error occurs if the private key is not \s-1DSA.\s0
 .PP
 The \fB\s-1DSA_PUBKEY\s0\fR functions process a \s-1DSA\s0 public key using
 a \s-1DSA\s0 structure. The public key is encoded using a
 SubjectPublicKeyInfo structure and an error occurs if the public
-key is not \s-1DSA\s0.
+key is not \s-1DSA.\s0
 .PP
 The \fBDSAparams\fR functions process \s-1DSA\s0 parameters using a \s-1DSA\s0
 structure. The parameters are encoded using a foobar structure.
@@ -382,8 +391,8 @@ an X509 structure.
 .PP
 The \fBX509_REQ\fR and \fBX509_REQ_NEW\fR functions process a PKCS#10
 certificate request using an X509_REQ structure. The \fBX509_REQ\fR
-write functions use \fB\s-1CERTIFICATE\s0 \s-1REQUEST\s0\fR in the header whereas
-the \fBX509_REQ_NEW\fR functions use \fB\s-1NEW\s0 \s-1CERTIFICATE\s0 \s-1REQUEST\s0\fR
+write functions use \fB\s-1CERTIFICATE REQUEST\s0\fR in the header whereas
+the \fBX509_REQ_NEW\fR functions use \fB\s-1NEW CERTIFICATE REQUEST\s0\fR
 (as required by some CAs). The \fBX509_REQ\fR read functions will
 handle either form so there are no \fBX509_REQ_NEW\fR read functions.
 .PP
@@ -453,7 +462,7 @@ an error occurred.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 Although the \s-1PEM\s0 routines take several arguments in almost all applications
-most of them are set to 0 or \s-1NULL\s0.
+most of them are set to 0 or \s-1NULL.\s0
 .PP
 Read a certificate in \s-1PEM\s0 format from a \s-1BIO:\s0
 .PP
@@ -598,9 +607,9 @@ byte \fBsalt\fR encoded as a set of hexadecimal digits.
 .PP
 After this is the base64 encoded encrypted data.
 .PP
-The encryption key is determined using \fIEVP_bytestokey()\fR, using \fBsalt\fR and an
+The encryption key is determined using \fIEVP_BytesToKey()\fR, using \fBsalt\fR and an
 iteration count of 1. The \s-1IV\s0 used is the value of \fBsalt\fR and *not* the \s-1IV\s0
-returned by \fIEVP_bytestokey()\fR.
+returned by \fIEVP_BytesToKey()\fR.
 .SH "BUGS"
 .IX Header "BUGS"
 The \s-1PEM\s0 read routines in some versions of OpenSSL will not correctly reuse
@@ -624,3 +633,6 @@ The read routines return either a pointer to the structure read or \s-1NULL\s0
 if an error occurred.
 .PP
 The write routines return 1 for success or 0 for failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIEVP_get_cipherbyname\fR\|(3), \fIEVP_BytesToKey\fR\|(3)
diff --git a/secure/lib/libcrypto/man/rand.3 b/secure/lib/libcrypto/man/rand.3
index 26d6539a6b3a..f6c57e5b0e96 100644
--- a/secure/lib/libcrypto/man/rand.3
+++ b/secure/lib/libcrypto/man/rand.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "rand 3"
-.TH rand 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH rand 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -163,8 +172,8 @@ rand \- pseudo\-random number generator
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-Since the introduction of the \s-1ENGINE\s0 \s-1API\s0, the recommended way of controlling
-default implementations is by using the \s-1ENGINE\s0 \s-1API\s0 functions. The default
+Since the introduction of the \s-1ENGINE API,\s0 the recommended way of controlling
+default implementations is by using the \s-1ENGINE API\s0 functions. The default
 \&\fB\s-1RAND_METHOD\s0\fR, as set by \fIRAND_set_rand_method()\fR and returned by
 \&\fIRAND_get_rand_method()\fR, is only used if no \s-1ENGINE\s0 has been set as the default
 \&\*(L"rand\*(R" implementation. Hence, these two functions are no longer the recommened
@@ -188,7 +197,7 @@ described in \fIRAND_add\fR\|(3). Its state can be saved in a seed file
 seeding process whenever the application is started.
 .PP
 \&\fIRAND_bytes\fR\|(3) describes how to obtain random data from the
-\&\s-1PRNG\s0.
+\&\s-1PRNG. \s0
 .SH "INTERNALS"
 .IX Header "INTERNALS"
 The \fIRAND_SSLeay()\fR method implements a \s-1PRNG\s0 based on a cryptographic
@@ -197,9 +206,9 @@ hash function.
 The following description of its design is based on the SSLeay
 documentation:
 .PP
-First up I will state the things I believe I need for a good \s-1RNG\s0.
+First up I will state the things I believe I need for a good \s-1RNG.\s0
 .IP "1." 4
-A good hashing algorithm to mix things up and to convert the \s-1RNG\s0 'state'
+A good hashing algorithm to mix things up and to convert the \s-1RNG \s0'state'
 to random numbers.
 .IP "2." 4
 An initial source of random 'state'.
@@ -251,7 +260,7 @@ believe this system addresses points 1 (hash function; currently
 \&\s-1SHA\-1\s0), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash
 function and xor).
 .PP
-When bytes are extracted from the \s-1RNG\s0, the following process is used.
+When bytes are extracted from the \s-1RNG,\s0 the following process is used.
 For each group of 10 bytes (or less), we do the following:
 .PP
 Input into the hash function the local 'md' (which is initialized from
diff --git a/secure/lib/libcrypto/man/rc4.3 b/secure/lib/libcrypto/man/rc4.3
index f76621991549..ddadf58bbbba 100644
--- a/secure/lib/libcrypto/man/rc4.3
+++ b/secure/lib/libcrypto/man/rc4.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "rc4 3"
-.TH rc4 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH rc4 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ripemd.3 b/secure/lib/libcrypto/man/ripemd.3
index be2060f8f4e8..f79efb15e8a6 100644
--- a/secure/lib/libcrypto/man/ripemd.3
+++ b/secure/lib/libcrypto/man/ripemd.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ripemd 3"
-.TH ripemd 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ripemd 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -152,7 +161,7 @@ RIPEMD\-160 hash function
 .PP
 \&\s-1\fIRIPEMD160\s0()\fR computes the \s-1RIPEMD\-160\s0 message digest of the \fBn\fR
 bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
-\&\s-1RIPEMD160_DIGEST_LENGTH\s0 == 20 bytes of output). If \fBmd\fR is \s-1NULL\s0, the digest
+\&\s-1RIPEMD160_DIGEST_LENGTH\s0 == 20 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
 is placed in a static array.
 .PP
 The following functions may be used if the message is not completely
@@ -178,7 +187,7 @@ hash functions directly.
 success, 0 otherwise.
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1ISO/IEC\s0 10118\-3 (draft) (??)
+\&\s-1ISO/IEC 10118\-3 \s0(draft) (??)
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIsha\fR\|(3), \fIhmac\fR\|(3), \fIEVP_DigestInit\fR\|(3)
diff --git a/secure/lib/libcrypto/man/rsa.3 b/secure/lib/libcrypto/man/rsa.3
index 1cab417e82f3..cd045bac5c5a 100644
--- a/secure/lib/libcrypto/man/rsa.3
+++ b/secure/lib/libcrypto/man/rsa.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "rsa 3"
-.TH rsa 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH rsa 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -191,7 +200,7 @@ rsa \- RSA public key cryptosystem
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 These functions implement \s-1RSA\s0 public key encryption and signatures
-as defined in \s-1PKCS\s0 #1 v2.0 [\s-1RFC\s0 2437].
+as defined in \s-1PKCS\s0 #1 v2.0 [\s-1RFC 2437\s0].
 .PP
 The \fB\s-1RSA\s0\fR structure consists of several \s-1BIGNUM\s0 components. It can
 contain public as well as private \s-1RSA\s0 keys:
@@ -228,7 +237,7 @@ structure elements directly and instead use \s-1API\s0 functions to query or
 modify keys.
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1SSL\s0, \s-1PKCS\s0 #1 v2.0
+\&\s-1SSL, PKCS\s0 #1 v2.0
 .SH "PATENTS"
 .IX Header "PATENTS"
 \&\s-1RSA\s0 was covered by a \s-1US\s0 patent which expired in September 2000.
diff --git a/secure/lib/libcrypto/man/sha.3 b/secure/lib/libcrypto/man/sha.3
index f630fc149596..acbe1dcb1f79 100644
--- a/secure/lib/libcrypto/man/sha.3
+++ b/secure/lib/libcrypto/man/sha.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "sha 3"
-.TH sha 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH sha 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -146,12 +155,12 @@ SHA1, SHA1_Init, SHA1_Update, SHA1_Final \- Secure Hash Algorithm
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\s-1SHA\-1\s0 (Secure Hash Algorithm) is a cryptographic hash function with a
+\&\s-1SHA\-1 \s0(Secure Hash Algorithm) is a cryptographic hash function with a
 160 bit output.
 .PP
 \&\s-1\fISHA1\s0()\fR computes the \s-1SHA\-1\s0 message digest of the \fBn\fR
 bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
-\&\s-1SHA_DIGEST_LENGTH\s0 == 20 bytes of output). If \fBmd\fR is \s-1NULL\s0, the digest
+\&\s-1SHA_DIGEST_LENGTH\s0 == 20 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
 is placed in a static array.
 .PP
 The following functions may be used if the message is not completely
@@ -169,7 +178,7 @@ Applications should use the higher level functions
 \&\fIEVP_DigestInit\fR\|(3)
 etc. instead of calling the hash functions directly.
 .PP
-The predecessor of \s-1SHA\-1\s0, \s-1SHA\s0, is also implemented, but it should be
+The predecessor of \s-1SHA\-1, SHA,\s0 is also implemented, but it should be
 used only when backward compatibility is required.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
@@ -178,11 +187,11 @@ used only when backward compatibility is required.
 \&\fISHA1_Init()\fR, \fISHA1_Update()\fR and \fISHA1_Final()\fR return 1 for success, 0 otherwise.
 .SH "CONFORMING TO"
 .IX Header "CONFORMING TO"
-\&\s-1SHA:\s0 \s-1US\s0 Federal Information Processing Standard \s-1FIPS\s0 \s-1PUB\s0 180 (Secure Hash
+\&\s-1SHA: US\s0 Federal Information Processing Standard \s-1FIPS PUB 180 \s0(Secure Hash
 Standard),
-\&\s-1SHA\-1:\s0 \s-1US\s0 Federal Information Processing Standard \s-1FIPS\s0 \s-1PUB\s0 180\-1 (Secure Hash
+\&\s-1SHA\-1: US\s0 Federal Information Processing Standard \s-1FIPS PUB 180\-1 \s0(Secure Hash
 Standard),
-\&\s-1ANSI\s0 X9.30
+\&\s-1ANSI X9.30\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIripemd\fR\|(3), \fIhmac\fR\|(3), \fIEVP_DigestInit\fR\|(3)
diff --git a/secure/lib/libcrypto/man/threads.3 b/secure/lib/libcrypto/man/threads.3
index e8c1b0e5a69b..81dc4729ad25 100644
--- a/secure/lib/libcrypto/man/threads.3
+++ b/secure/lib/libcrypto/man/threads.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "threads 3"
-.TH threads 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH threads 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libcrypto/man/ui.3 b/secure/lib/libcrypto/man/ui.3
index 0d23ee6e73d7..79b430eb3ad2 100644
--- a/secure/lib/libcrypto/man/ui.3
+++ b/secure/lib/libcrypto/man/ui.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ui 3"
-.TH ui 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ui 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -201,9 +210,9 @@ prompt the user for text-based information.  Through user-written methods
 imaginable, be it plain text prompting, through dialog boxes or from a
 cell phone.
 .PP
-All the functions work through a context of the type \s-1UI\s0.  This context
+All the functions work through a context of the type \s-1UI. \s0 This context
 contains all the information needed to prompt correctly as well as a
-reference to a \s-1UI_METHOD\s0, which is an ordered vector of functions that
+reference to a \s-1UI_METHOD,\s0 which is an ordered vector of functions that
 carry out the actual prompting.
 .PP
 The first thing to do is to create a \s-1UI\s0 with \fIUI_new()\fR or \fIUI_new_method()\fR,
@@ -222,10 +231,10 @@ result with \fIUI_get0_result()\fR.
 The functions are as follows:
 .PP
 \&\fIUI_new()\fR creates a new \s-1UI\s0 using the default \s-1UI\s0 method.  When done with
-this \s-1UI\s0, it should be freed using \fIUI_free()\fR.
+this \s-1UI,\s0 it should be freed using \fIUI_free()\fR.
 .PP
 \&\fIUI_new_method()\fR creates a new \s-1UI\s0 using the given \s-1UI\s0 method.  When done with
-this \s-1UI\s0, it should be freed using \fIUI_free()\fR.
+this \s-1UI,\s0 it should be freed using \fIUI_free()\fR.
 .PP
 \&\fIUI_OpenSSL()\fR returns the built-in \s-1UI\s0 method (note: not the default one,
 since the default can be changed.  See further on).  This method is the
@@ -235,7 +244,7 @@ most problems when porting.
 \&\fIUI_free()\fR removes a \s-1UI\s0 from memory, along with all other pieces of memory
 that's connected to it, like duplicated input strings, results and others.
 .PP
-\&\fIUI_add_input_string()\fR and \fIUI_add_verify_string()\fR add a prompt to the \s-1UI\s0,
+\&\fIUI_add_input_string()\fR and \fIUI_add_verify_string()\fR add a prompt to the \s-1UI,\s0
 as well as flags and a result buffer and the desired minimum and maximum
 sizes of the result.  The given information is used to prompt for
 information, for example a password, and to verify a password (i.e. having
@@ -247,7 +256,7 @@ verification will fail.
 \&\fIUI_add_input_boolean()\fR adds a prompt to the \s-1UI\s0 that's supposed to be answered
 in a boolean way, with a single character for yes and a different character
 for no.  A set of characters that can be used to cancel the prompt is given
-as well.  The prompt itself is really divided in two, one part being the
+as well.  The prompt itself is divided in two, one part being the
 descriptive text (given through the \fIprompt\fR argument) and one describing
 the possible answers (given through the \fIaction_desc\fR argument).
 .PP
@@ -257,10 +266,10 @@ The difference between the two is only conceptual.  With the builtin method,
 there's no technical difference between them.  Other methods may make a
 difference between them, however.
 .PP
-The flags currently supported are \s-1UI_INPUT_FLAG_ECHO\s0, which is relevant for
+The flags currently supported are \s-1UI_INPUT_FLAG_ECHO,\s0 which is relevant for
 \&\fIUI_add_input_string()\fR and will have the users response be echoed (when
 prompting for a password, this flag should obviously not be used, and
-\&\s-1UI_INPUT_FLAG_DEFAULT_PWD\s0, which means that a default password of some
+\&\s-1UI_INPUT_FLAG_DEFAULT_PWD,\s0 which means that a default password of some
 sort will be used (completely depending on the application and the \s-1UI\s0
 method).
 .PP
@@ -293,18 +302,18 @@ the information indexed by \fIi\fR.
 and prompting and returns.
 .PP
 \&\fIUI_ctrl()\fR adds extra control for the application author.  For now, it
-understands two commands: \s-1UI_CTRL_PRINT_ERRORS\s0, which makes \fIUI_process()\fR
-print the OpenSSL error stack as part of processing the \s-1UI\s0, and
-\&\s-1UI_CTRL_IS_REDOABLE\s0, which returns a flag saying if the used \s-1UI\s0 can
+understands two commands: \s-1UI_CTRL_PRINT_ERRORS,\s0 which makes \fIUI_process()\fR
+print the OpenSSL error stack as part of processing the \s-1UI,\s0 and
+\&\s-1UI_CTRL_IS_REDOABLE,\s0 which returns a flag saying if the used \s-1UI\s0 can
 be used again or not.
 .PP
 \&\fIUI_set_default_method()\fR changes the default \s-1UI\s0 method to the one given.
 .PP
 \&\fIUI_get_default_method()\fR returns a pointer to the current default \s-1UI\s0 method.
 .PP
-\&\fIUI_get_method()\fR returns the \s-1UI\s0 method associated with a given \s-1UI\s0.
+\&\fIUI_get_method()\fR returns the \s-1UI\s0 method associated with a given \s-1UI.\s0
 .PP
-\&\fIUI_set_method()\fR changes the \s-1UI\s0 method associated with a given \s-1UI\s0.
+\&\fIUI_set_method()\fR changes the \s-1UI\s0 method associated with a given \s-1UI.\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIui_create\fR\|(3), \fIui_compat\fR\|(3)
diff --git a/secure/lib/libcrypto/man/ui_compat.3 b/secure/lib/libcrypto/man/ui_compat.3
index 87b7fde4ef04..2372a80146a6 100644
--- a/secure/lib/libcrypto/man/ui_compat.3
+++ b/secure/lib/libcrypto/man/ui_compat.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ui_compat 3"
-.TH ui_compat 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ui_compat 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ Compatibility user interface functions
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \s-1DES\s0 library contained a few routines to prompt for passwords.  These
-aren't necessarely dependent on \s-1DES\s0, and have therefore become part of the
+aren't necessarely dependent on \s-1DES,\s0 and have therefore become part of the
 \&\s-1UI\s0 compatibility library.
 .PP
 \&\fIdes_read_pw()\fR writes the string specified by \fIprompt\fR to standard output
diff --git a/secure/lib/libcrypto/man/x509.3 b/secure/lib/libcrypto/man/x509.3
index bb2f541ab49f..f00e8a0d2b5c 100644
--- a/secure/lib/libcrypto/man/x509.3
+++ b/secure/lib/libcrypto/man/x509.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "x509 3"
-.TH x509 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH x509 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -139,15 +148,15 @@ x509 \- X.509 certificate handling
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 A X.509 certificate is a structured grouping of information about
-an individual, a device, or anything one can imagine.  A X.509 \s-1CRL\s0
-(certificate revocation list) is a tool to help determine if a
+an individual, a device, or anything one can imagine.  A X.509 \s-1CRL
+\&\s0(certificate revocation list) is a tool to help determine if a
 certificate is still valid.  The exact definition of those can be
-found in the X.509 document from ITU-T, or in \s-1RFC3280\s0 from \s-1PKIX\s0.
+found in the X.509 document from ITU-T, or in \s-1RFC3280\s0 from \s-1PKIX.\s0
 In OpenSSL, the type X509 is used to express such a certificate, and
-the type X509_CRL is used to express a \s-1CRL\s0.
+the type X509_CRL is used to express a \s-1CRL.\s0
 .PP
 A related structure is a certificate request, defined in PKCS#10 from
-\&\s-1RSA\s0 Security, Inc, also reflected in \s-1RFC2896\s0.  In OpenSSL, the type
+\&\s-1RSA\s0 Security, Inc, also reflected in \s-1RFC2896. \s0 In OpenSSL, the type
 X509_REQ is used to express such a certificate request.
 .PP
 To handle some complex parts of a certificate, there are the types
@@ -155,7 +164,7 @@ X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express
 a certificate attributes), X509_EXTENSION (to express a certificate
 extension) and a few more.
 .PP
-Finally, there's the supertype X509_INFO, which can contain a \s-1CRL\s0, a
+Finally, there's the supertype X509_INFO, which can contain a \s-1CRL,\s0 a
 certificate and a corresponding private key.
 .PP
 \&\fBX509_\fR\fI...\fR, \fBd2i_X509_\fR\fI...\fR and \fBi2d_X509_\fR\fI...\fR handle X.509
diff --git a/secure/lib/libssl/Makefile.man b/secure/lib/libssl/Makefile.man
index 06f684ed1200..6b092db2f060 100644
--- a/secure/lib/libssl/Makefile.man
+++ b/secure/lib/libssl/Makefile.man
@@ -33,6 +33,7 @@ MAN+= SSL_CTX_set_session_cache_mode.3
 MAN+= SSL_CTX_set_session_id_context.3
 MAN+= SSL_CTX_set_ssl_version.3
 MAN+= SSL_CTX_set_timeout.3
+MAN+= SSL_CTX_set_tlsext_ticket_key_cb.3
 MAN+= SSL_CTX_set_tmp_dh_callback.3
 MAN+= SSL_CTX_set_tmp_rsa_callback.3
 MAN+= SSL_CTX_set_verify.3
diff --git a/secure/lib/libssl/man/SSL_CIPHER_get_name.3 b/secure/lib/libssl/man/SSL_CIPHER_get_name.3
index 59d679f32e66..73f06cc3ff6a 100644
--- a/secure/lib/libssl/man/SSL_CIPHER_get_name.3
+++ b/secure/lib/libssl/man/SSL_CIPHER_get_name.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CIPHER_get_name 3"
-.TH SSL_CIPHER_get_name 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CIPHER_get_name 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -144,20 +153,24 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fISSL_CIPHER_get_name()\fR returns a pointer to the name of \fBcipher\fR. If the
-argument is the \s-1NULL\s0 pointer, a pointer to the constant value \*(L"\s-1NONE\s0\*(R" is
+argument is the \s-1NULL\s0 pointer, a pointer to the constant value \*(L"\s-1NONE\*(R"\s0 is
 returned.
 .PP
 \&\fISSL_CIPHER_get_bits()\fR returns the number of secret bits used for \fBcipher\fR. If
-\&\fBalg_bits\fR is not \s-1NULL\s0, it contains the number of bits processed by the
-chosen algorithm. If \fBcipher\fR is \s-1NULL\s0, 0 is returned.
+\&\fBalg_bits\fR is not \s-1NULL,\s0 it contains the number of bits processed by the
+chosen algorithm. If \fBcipher\fR is \s-1NULL, 0\s0 is returned.
 .PP
-\&\fISSL_CIPHER_get_version()\fR returns the protocol version for \fBcipher\fR, currently
-\&\*(L"SSLv2\*(R", \*(L"SSLv3\*(R", or \*(L"TLSv1\*(R". If \fBcipher\fR is \s-1NULL\s0, \*(L"(\s-1NONE\s0)\*(R" is returned.
+\&\fISSL_CIPHER_get_version()\fR returns string which indicates the \s-1SSL/TLS\s0 protocol
+version that first defined the cipher.
+This is currently \fBSSLv2\fR or \fBTLSv1/SSLv3\fR.
+In some cases it should possibly return \*(L"TLSv1.2\*(R" but does not;
+use \fISSL_CIPHER_description()\fR instead.
+If \fBcipher\fR is \s-1NULL, \*(L"\s0(\s-1NONE\s0)\*(R" is returned.
 .PP
 \&\fISSL_CIPHER_description()\fR returns a textual description of the cipher used
 into the buffer \fBbuf\fR of length \fBlen\fR provided. \fBlen\fR must be at least
 128 bytes, otherwise a pointer to the string \*(L"Buffer too small\*(R" is
-returned. If \fBbuf\fR is \s-1NULL\s0, a buffer of 128 bytes is allocated using
+returned. If \fBbuf\fR is \s-1NULL,\s0 a buffer of 128 bytes is allocated using
 \&\fIOPENSSL_malloc()\fR. If the allocation fails, a pointer to the string
 \&\*(L"OPENSSL_malloc Error\*(R" is returned.
 .SH "NOTES"
@@ -175,7 +188,8 @@ sequence:
 Textual representation of the cipher name.
 .IP "<protocol version>" 4
 .IX Item "<protocol version>"
-Protocol version: \fBSSLv2\fR, \fBSSLv3\fR. The TLSv1 ciphers are flagged with SSLv3.
+Protocol version: \fBSSLv2\fR, \fBSSLv3\fR, \fBTLSv1.2\fR. The TLSv1.0 ciphers are
+flagged with SSLv3. No new ciphers were added by TLSv1.1.
 .IP "Kx=<key exchange>" 4
 .IX Item "Kx=<key exchange>"
 Key exchange method: \fB\s-1RSA\s0\fR (for export ciphers as \fB\s-1RSA\s0(512)\fR or
@@ -207,9 +221,15 @@ Some examples for the output of \fISSL_CIPHER_description()\fR:
 \& RC4\-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
 \& EXP\-RC4\-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
 .Ve
+.PP
+A comp[lete list can be retrieved by invoking the following command:
+.PP
+.Vb 1
+\& openssl ciphers \-v ALL
+.Ve
 .SH "BUGS"
 .IX Header "BUGS"
-If \fISSL_CIPHER_description()\fR is called with \fBcipher\fR being \s-1NULL\s0, the
+If \fISSL_CIPHER_description()\fR is called with \fBcipher\fR being \s-1NULL,\s0 the
 library crashes.
 .PP
 If \fISSL_CIPHER_description()\fR cannot handle a built-in cipher, the according
diff --git a/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 b/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
index 62e11a46b32e..77789abeb63d 100644
--- a/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
+++ b/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_COMP_add_compression_method 3"
-.TH SSL_COMP_add_compression_method 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_COMP_add_compression_method 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ It cannot be set for specific \s-1SSL_CTX\s0 or \s-1SSL\s0 objects.
 .SH "NOTES"
 .IX Header "NOTES"
 The \s-1TLS\s0 standard (or SSLv3) allows the integration of compression methods
-into the communication. The \s-1TLS\s0 \s-1RFC\s0 does however not specify compression
+into the communication. The \s-1TLS RFC\s0 does however not specify compression
 methods or their corresponding identifiers, so there is currently no compatible
 way to integrate compression with unknown peers. It is therefore currently not
 recommended to integrate compression into applications. Applications for
diff --git a/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index fc3457b737a8..d6ac48cef8c6 100644
--- a/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_add_extra_chain_cert 3"
-.TH SSL_CTX_add_extra_chain_cert 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_add_extra_chain_cert 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -150,6 +159,15 @@ these certificates explicitly specified. If no chain is specified,
 the library will try to complete the chain from the available \s-1CA\s0
 certificates in the trusted \s-1CA\s0 storage, see
 \&\fISSL_CTX_load_verify_locations\fR\|(3).
+.PP
+The \fBx509\fR certificate provided to \fISSL_CTX_add_extra_chain_cert()\fR will be freed by the library when the \fB\s-1SSL_CTX\s0\fR is destroyed. An application \fBshould not\fR free the \fBx509\fR object.
+.SH "RESTRICTIONS"
+.IX Header "RESTRICTIONS"
+Only one set of extra chain certificates can be specified per \s-1SSL_CTX\s0
+structure. Different chains for different certificates (for example if both
+\&\s-1RSA\s0 and \s-1DSA\s0 certificates are specified by the same server) or different \s-1SSL\s0
+structures with the same parent \s-1SSL_CTX\s0 cannot be specified using this
+function.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fISSL_CTX_add_extra_chain_cert()\fR returns 1 on success. Check out the
diff --git a/secure/lib/libssl/man/SSL_CTX_add_session.3 b/secure/lib/libssl/man/SSL_CTX_add_session.3
index af145144f8e7..825c8dcafe37 100644
--- a/secure/lib/libssl/man/SSL_CTX_add_session.3
+++ b/secure/lib/libssl/man/SSL_CTX_add_session.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_add_session 3"
-.TH SSL_CTX_add_session 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_add_session 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -168,7 +177,7 @@ If a server \s-1SSL_CTX\s0 is configured with the \s-1SSL_SESS_CACHE_NO_INTERNAL
 flag then the internal cache will not be populated automatically by new
 sessions negotiated by the \s-1SSL/TLS\s0 implementation, even though the internal
 cache will be searched automatically for session-resume requests (the
-latter can be surpressed by \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0). So the
+latter can be suppressed by \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0). So the
 application can use \fISSL_CTX_add_session()\fR directly to have full control
 over the sessions that can be resumed if desired.
 .SH "RETURN VALUES"
diff --git a/secure/lib/libssl/man/SSL_CTX_ctrl.3 b/secure/lib/libssl/man/SSL_CTX_ctrl.3
index a49ce93d42aa..02ffb29bcb4f 100644
--- a/secure/lib/libssl/man/SSL_CTX_ctrl.3
+++ b/secure/lib/libssl/man/SSL_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_ctrl 3"
-.TH SSL_CTX_ctrl 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_ctrl 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 b/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
index 0855b190249a..fc8190c96949 100644
--- a/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
+++ b/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_flush_sessions 3"
-.TH SSL_CTX_flush_sessions 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_flush_sessions 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_free.3 b/secure/lib/libssl/man/SSL_CTX_free.3
index c926c850c727..d0103e3f036d 100644
--- a/secure/lib/libssl/man/SSL_CTX_free.3
+++ b/secure/lib/libssl/man/SSL_CTX_free.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_free 3"
-.TH SSL_CTX_free 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_free 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
index 607142222569..58b45d830544 100644
--- a/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
+++ b/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_get_ex_new_index 3"
-.TH SSL_CTX_get_ex_new_index 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_get_ex_new_index 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
index 2539e84d5f3c..b5d5000dec13 100644
--- a/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
+++ b/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_get_verify_mode 3"
-.TH SSL_CTX_get_verify_mode 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_get_verify_mode 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
index 57eda086e4e7..6040ef9cd0f0 100644
--- a/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
+++ b/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_load_verify_locations 3"
-.TH SSL_CTX_load_verify_locations 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_load_verify_locations 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ which \s-1CA\s0 certificates for verification purposes are located. The certific
 available via \fBCAfile\fR and \fBCApath\fR are trusted.
 .SH "NOTES"
 .IX Header "NOTES"
-If \fBCAfile\fR is not \s-1NULL\s0, it points to a file of \s-1CA\s0 certificates in \s-1PEM\s0
+If \fBCAfile\fR is not \s-1NULL,\s0 it points to a file of \s-1CA\s0 certificates in \s-1PEM\s0
 format. The file can contain several \s-1CA\s0 certificates identified by
 .PP
 .Vb 3
@@ -162,7 +171,7 @@ which can be used e.g. for descriptions of the certificates.
 The \fBCAfile\fR is processed on execution of the \fISSL_CTX_load_verify_locations()\fR
 function.
 .PP
-If \fBCApath\fR is not \s-1NULL\s0, it points to a directory containing \s-1CA\s0 certificates
+If \fBCApath\fR is not \s-1NULL,\s0 it points to a directory containing \s-1CA\s0 certificates
 in \s-1PEM\s0 format. The files each contain one \s-1CA\s0 certificate. The files are
 looked up by the \s-1CA\s0 subject name hash value, which must hence be available.
 If more than one \s-1CA\s0 certificate with the same name hash value exist, the
diff --git a/secure/lib/libssl/man/SSL_CTX_new.3 b/secure/lib/libssl/man/SSL_CTX_new.3
index 5094c5737663..621d68d552d6 100644
--- a/secure/lib/libssl/man/SSL_CTX_new.3
+++ b/secure/lib/libssl/man/SSL_CTX_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_new 3"
-.TH SSL_CTX_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -172,20 +181,34 @@ compatibility reasons, see SSLv23_*\fI_method()\fR. It will also not understand
 SSLv3 client hello messages.
 .IP "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)" 4
 .IX Item "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)"
-A \s-1TLS/SSL\s0 connection established with these methods will understand the SSLv2,
-SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages
-and will indicate that it also understands SSLv3 and TLSv1. A server will
-understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best
-choice when compatibility is a concern.
+A \s-1TLS/SSL\s0 connection established with these methods may understand the SSLv2,
+SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+.Sp
+If the cipher list does not contain any SSLv2 ciphersuites (the default
+cipher list does not) or extensions are required (for example server name)
+a client will send out TLSv1 client hello messages including extensions and
+will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
+fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+protocols. This is the best choice when compatibility is a concern.
+.Sp
+If any SSLv2 ciphersuites are included in the cipher list and no extensions
+are required then SSLv2 compatible client hellos will be used by clients and
+SSLv2 will be accepted by servers. This is \fBnot\fR recommended due to the
+insecurity of SSLv2 and the limited nature of the SSLv2 client hello
+prohibiting the use of extensions.
 .PP
 The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
-SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the \fB\f(BISSL_CTX_set_options()\fB\fR or
-\&\fB\f(BISSL_set_options()\fB\fR functions. Using these options it is possible to choose
-e.g. \fISSLv23_server_method()\fR and be able to negotiate with all possible
-clients, but to only allow newer protocols like SSLv3 or TLSv1.
+SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
+options of the \fISSL_CTX_set_options()\fR or \fISSL_set_options()\fR functions.
+Using these options it is possible to choose e.g. \fISSLv23_server_method()\fR and
+be able to negotiate with all possible clients, but to only allow newer
+protocols like TLSv1, TLSv1.1 or \s-1TLS\s0 v1.2.
+.PP
+Applications which never want to support SSLv2 (even is the cipher string
+is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
 .PP
 \&\fISSL_CTX_new()\fR initializes the list of ciphers, the session cache setting,
-the callbacks, the keys and certificates, and the options to its default
+the callbacks, the keys and certificates and the options to its default
 values.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
diff --git a/secure/lib/libssl/man/SSL_CTX_sess_number.3 b/secure/lib/libssl/man/SSL_CTX_sess_number.3
index db2b792fff1f..a8c8e18cb167 100644
--- a/secure/lib/libssl/man/SSL_CTX_sess_number.3
+++ b/secure/lib/libssl/man/SSL_CTX_sess_number.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_sess_number 3"
-.TH SSL_CTX_sess_number 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_sess_number 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
index 85b1218d4617..5110eee19d9e 100644
--- a/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
+++ b/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_sess_set_cache_size 3"
-.TH SSL_CTX_sess_set_cache_size 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_sess_set_cache_size 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ of context \fBctx\fR to \fBt\fR.
 \&\fISSL_CTX_sess_get_cache_size()\fR returns the currently valid session cache size.
 .SH "NOTES"
 .IX Header "NOTES"
-The internal session cache size is \s-1SSL_SESSION_CACHE_MAX_SIZE_DEFAULT\s0,
+The internal session cache size is \s-1SSL_SESSION_CACHE_MAX_SIZE_DEFAULT,\s0
 currently 1024*20, so that up to 20000 sessions can be held. This size
 can be modified using the \fISSL_CTX_sess_set_cache_size()\fR call. A special
 case is the size 0, which is used for unlimited size.
diff --git a/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
index fb89bbde452f..1408d9c434b3 100644
--- a/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
+++ b/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_sess_set_get_cb 3"
-.TH SSL_CTX_sess_set_get_cb 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_sess_set_get_cb 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_sessions.3 b/secure/lib/libssl/man/SSL_CTX_sessions.3
index dfe507b900b7..ea7823ca764a 100644
--- a/secure/lib/libssl/man/SSL_CTX_sessions.3
+++ b/secure/lib/libssl/man/SSL_CTX_sessions.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_sessions 3"
-.TH SSL_CTX_sessions 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_sessions 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 b/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
index 49b678df6db9..14a0a50dd275 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_cert_store 3"
-.TH SSL_CTX_set_cert_store 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_cert_store 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
index 6532ceac194c..eff633b0a9e3 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_cert_verify_callback 3"
-.TH SSL_CTX_set_cert_verify_callback 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_cert_verify_callback 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -150,7 +159,7 @@ function is called. If the application does not explicitly specify a
 verification callback function, the built-in verification function is used.
 If a verification callback \fIcallback\fR is specified via
 \&\fISSL_CTX_set_cert_verify_callback()\fR, the supplied callback function is called
-instead. By setting \fIcallback\fR to \s-1NULL\s0, the default behaviour is restored.
+instead. By setting \fIcallback\fR to \s-1NULL,\s0 the default behaviour is restored.
 .PP
 When the verification must be performed, \fIcallback\fR will be called with
 the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The 
diff --git a/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
index 5329bfc22849..6b120d63944a 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_cipher_list 3"
-.TH SSL_CTX_set_cipher_list 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_cipher_list 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -180,6 +189,10 @@ client only supports export \s-1RSA\s0 ciphers with a asymmetric key length
 of 512 bits and the server is not configured to use temporary \s-1RSA\s0
 keys), the \*(L"no shared cipher\*(R" (\s-1SSL_R_NO_SHARED_CIPHER\s0) error is generated
 and the handshake will fail.
+.PP
+If the cipher list does not contain any SSLv2 cipher suites (this is the
+default) then SSLv2 is effectively disabled and neither clients nor servers
+will attempt to use SSLv2.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fISSL_CTX_set_cipher_list()\fR and \fISSL_set_cipher_list()\fR return 1 if any cipher
diff --git a/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
index 90ebeba9d1fc..b30282709acf 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_client_CA_list 3"
-.TH SSL_CTX_set_client_CA_list 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_client_CA_list 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -162,7 +171,7 @@ the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's \s-1SSL_CTX\s
 .SH "NOTES"
 .IX Header "NOTES"
 When a \s-1TLS/SSL\s0 server requests a client certificate (see
-\&\fB\f(BISSL_CTX_set_verify_options()\fB\fR), it sends a list of CAs, for which
+\&\fB\f(BISSL_CTX_set_verify\fB\|(3)\fR), it sends a list of CAs, for which
 it will accept certificates, to the client.
 .PP
 This list must explicitly be set using \fISSL_CTX_set_client_CA_list()\fR for
@@ -189,12 +198,13 @@ diagnostic information.
 .PP
 \&\fISSL_CTX_add_client_CA()\fR and \fISSL_add_client_CA()\fR have the following return
 values:
-.IP "1." 4
-The operation succeeded.
-.IP "2." 4
+.IP "0" 4
 A failure while manipulating the \s-1STACK_OF\s0(X509_NAME) object occurred or
 the X509_NAME could not be extracted from \fBcacert\fR. Check the error stack
 to find out the reason.
+.IP "1" 4
+.IX Item "1"
+The operation succeeded.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
@@ -208,9 +218,3 @@ Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
 \&\fISSL_get_client_CA_list\fR\|(3),
 \&\fISSL_load_client_CA_file\fR\|(3),
 \&\fISSL_CTX_load_verify_locations\fR\|(3)
-.SH "POD ERRORS"
-.IX Header "POD ERRORS"
-Hey! \fBThe above document had some coding errors, which are explained below:\fR
-.IP "Around line 73:" 4
-.IX Item "Around line 73:"
-You have '=item 0' instead of the expected '=item 2'
diff --git a/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
index c9bad7550dcc..e7f70c536ff5 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_client_cert_cb 3"
-.TH SSL_CTX_set_client_cert_cb 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_client_cert_cb 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -146,7 +155,7 @@ SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb \- handle client certific
 called when a client certificate is requested by a server and no certificate
 was yet set for the \s-1SSL\s0 object.
 .PP
-When \fB\f(BIclient_cert_cb()\fB\fR is \s-1NULL\s0, no callback function is used.
+When \fB\f(BIclient_cert_cb()\fB\fR is \s-1NULL,\s0 no callback function is used.
 .PP
 \&\fISSL_CTX_get_client_cert_cb()\fR returns a pointer to the currently set callback
 function.
@@ -157,7 +166,7 @@ using the \fBx509\fR and \fBpkey\fR arguments and \*(L"1\*(R" must be returned.
 certificate will be installed into \fBssl\fR, see the \s-1NOTES\s0 and \s-1BUGS\s0 sections.
 If no certificate should be set, \*(L"0\*(R" has to be returned and no certificate
 will be sent. A negative return value will suspend the handshake and the
-handshake function will return immediatly. \fISSL_get_error\fR\|(3)
+handshake function will return immediately. \fISSL_get_error\fR\|(3)
 will return \s-1SSL_ERROR_WANT_X509_LOOKUP\s0 to indicate, that the handshake was
 suspended. The next call to the handshake function will again lead to the call
 of \fIclient_cert_cb()\fR. It is the job of the \fIclient_cert_cb()\fR to store information
diff --git a/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
index bc37f3c14205..2e9dfc182bd6 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_default_passwd_cb 3"
-.TH SSL_CTX_set_default_passwd_cb 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_default_passwd_cb 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
index c8f02d060d85..d9e9714494f2 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_generate_session_id 3"
-.TH SSL_CTX_set_generate_session_id 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_generate_session_id 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
index 822ebd491467..0271b617e810 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_info_callback 3"
-.TH SSL_CTX_set_info_callback 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_info_callback 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,11 +157,11 @@ SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL
 obtain state information for \s-1SSL\s0 objects created from \fBctx\fR during connection
 setup and use. The setting for \fBctx\fR is overridden from the setting for
 a specific \s-1SSL\s0 object, if specified.
-When \fBcallback\fR is \s-1NULL\s0, not callback function is used.
+When \fBcallback\fR is \s-1NULL,\s0 not callback function is used.
 .PP
 \&\fISSL_set_info_callback()\fR sets the \fBcallback\fR function, that can be used to
 obtain state information for \fBssl\fR during connection setup and use.
-When \fBcallback\fR is \s-1NULL\s0, the callback setting currently valid for
+When \fBcallback\fR is \s-1NULL,\s0 the callback setting currently valid for
 \&\fBctx\fR is used.
 .PP
 \&\fISSL_CTX_get_info_callback()\fR returns a pointer to the currently set information
@@ -189,25 +198,25 @@ Callback has been called during write operation.
 .IP "\s-1SSL_CB_ALERT\s0" 4
 .IX Item "SSL_CB_ALERT"
 Callback has been called due to an alert being sent or received.
-.IP "\s-1SSL_CB_READ_ALERT\s0               (SSL_CB_ALERT|SSL_CB_READ)" 4
-.IX Item "SSL_CB_READ_ALERT               (SSL_CB_ALERT|SSL_CB_READ)"
+.IP "\s-1SSL_CB_READ_ALERT               \s0(SSL_CB_ALERT|SSL_CB_READ)" 4
+.IX Item "SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)"
 .PD 0
-.IP "\s-1SSL_CB_WRITE_ALERT\s0              (SSL_CB_ALERT|SSL_CB_WRITE)" 4
-.IX Item "SSL_CB_WRITE_ALERT              (SSL_CB_ALERT|SSL_CB_WRITE)"
-.IP "\s-1SSL_CB_ACCEPT_LOOP\s0              (SSL_ST_ACCEPT|SSL_CB_LOOP)" 4
-.IX Item "SSL_CB_ACCEPT_LOOP              (SSL_ST_ACCEPT|SSL_CB_LOOP)"
-.IP "\s-1SSL_CB_ACCEPT_EXIT\s0              (SSL_ST_ACCEPT|SSL_CB_EXIT)" 4
-.IX Item "SSL_CB_ACCEPT_EXIT              (SSL_ST_ACCEPT|SSL_CB_EXIT)"
-.IP "\s-1SSL_CB_CONNECT_LOOP\s0             (SSL_ST_CONNECT|SSL_CB_LOOP)" 4
-.IX Item "SSL_CB_CONNECT_LOOP             (SSL_ST_CONNECT|SSL_CB_LOOP)"
-.IP "\s-1SSL_CB_CONNECT_EXIT\s0             (SSL_ST_CONNECT|SSL_CB_EXIT)" 4
-.IX Item "SSL_CB_CONNECT_EXIT             (SSL_ST_CONNECT|SSL_CB_EXIT)"
+.IP "\s-1SSL_CB_WRITE_ALERT              \s0(SSL_CB_ALERT|SSL_CB_WRITE)" 4
+.IX Item "SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)"
+.IP "\s-1SSL_CB_ACCEPT_LOOP              \s0(SSL_ST_ACCEPT|SSL_CB_LOOP)" 4
+.IX Item "SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)"
+.IP "\s-1SSL_CB_ACCEPT_EXIT              \s0(SSL_ST_ACCEPT|SSL_CB_EXIT)" 4
+.IX Item "SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)"
+.IP "\s-1SSL_CB_CONNECT_LOOP             \s0(SSL_ST_CONNECT|SSL_CB_LOOP)" 4
+.IX Item "SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)"
+.IP "\s-1SSL_CB_CONNECT_EXIT             \s0(SSL_ST_CONNECT|SSL_CB_EXIT)" 4
+.IX Item "SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)"
 .IP "\s-1SSL_CB_HANDSHAKE_START\s0" 4
 .IX Item "SSL_CB_HANDSHAKE_START"
 .PD
 Callback has been called because a new handshake is started.
-.IP "\s-1SSL_CB_HANDSHAKE_DONE\s0           0x20" 4
-.IX Item "SSL_CB_HANDSHAKE_DONE           0x20"
+.IP "\s-1SSL_CB_HANDSHAKE_DONE          \s0 0x20" 4
+.IX Item "SSL_CB_HANDSHAKE_DONE 0x20"
 Callback has been called because a handshake is finished.
 .PP
 The current state information can be obtained using the
@@ -223,7 +232,7 @@ The \fBret\fR information can be evaluated using the
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 The following example callback function prints state strings, information
-about alerts being handled and error messages to the \fBbio_err\fR \s-1BIO\s0.
+about alerts being handled and error messages to the \fBbio_err\fR \s-1BIO.\s0
 .PP
 .Vb 4
 \& void apps_ssl_info_callback(SSL *s, int where, int ret)
diff --git a/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
index 2e94813843f1..e8dcab885c76 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_max_cert_list 3"
-.TH SSL_CTX_set_max_cert_list 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_max_cert_list 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_mode.3 b/secure/lib/libssl/man/SSL_CTX_set_mode.3
index d64a01229e69..8cabf34ea34a 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_mode.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_mode.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_mode 3"
-.TH SSL_CTX_set_mode 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_mode 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -175,7 +184,7 @@ non-blocking \fIwrite()\fR.
 Never bother the application with retries if the transport is blocking.
 If a renegotiation take place during normal operation, a
 \&\fISSL_read\fR\|(3) or \fISSL_write\fR\|(3) would return
-with \-1 and indicate the need to retry with \s-1SSL_ERROR_WANT_READ\s0.
+with \-1 and indicate the need to retry with \s-1SSL_ERROR_WANT_READ.\s0
 In a non-blocking environment applications must be prepared to handle
 incomplete read/write operations.
 In a blocking environment, applications are not always prepared to
@@ -184,13 +193,22 @@ flag \s-1SSL_MODE_AUTO_RETRY\s0 will cause read/write operations to only
 return after the handshake and successful completion.
 .IP "\s-1SSL_MODE_RELEASE_BUFFERS\s0" 4
 .IX Item "SSL_MODE_RELEASE_BUFFERS"
-When we no longer need a read buffer or a write buffer for a given \s-1SSL\s0,
+When we no longer need a read buffer or a write buffer for a given \s-1SSL,\s0
 then release the memory we were using to hold it.  Released memory is
-either appended to a list of unused \s-1RAM\s0 chunks on the \s-1SSL_CTX\s0, or simply
+either appended to a list of unused \s-1RAM\s0 chunks on the \s-1SSL_CTX,\s0 or simply
 freed if the list of unused chunks would become longer than 
 \&\s-1SSL_CTX\-\s0>freelist_max_len, which defaults to 32.  Using this flag can
 save around 34k per idle \s-1SSL\s0 connection.
 This flag has no effect on \s-1SSL\s0 v2 connections, or on \s-1DTLS\s0 connections.
+.IP "\s-1SSL_MODE_SEND_FALLBACK_SCSV\s0" 4
+.IX Item "SSL_MODE_SEND_FALLBACK_SCSV"
+Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
+To be set only by applications that reconnect with a downgraded protocol
+version; see draft\-ietf\-tls\-downgrade\-scsv\-00 for details.
+.Sp
+\&\s-1DO NOT ENABLE THIS\s0 if your application attempts a normal handshake.
+Only use this in explicit fallback retries, following the guidance
+in draft\-ietf\-tls\-downgrade\-scsv\-00.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fISSL_CTX_set_mode()\fR and \fISSL_set_mode()\fR return the new mode bitmask
diff --git a/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
index 52cc6f63ba3c..a281ae8f6dad 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_msg_callback 3"
-.TH SSL_CTX_set_msg_callback 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_msg_callback 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -139,8 +148,8 @@ SSL_CTX_set_msg_callback, SSL_CTX_set_msg_callback_arg, SSL_set_msg_callback, SS
 \& void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
 \& void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
 \&
-\& void SSL_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
-\& void SSL_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
+\& void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+\& void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
@@ -167,12 +176,12 @@ when a protocol message has been sent.
 .IX Item "version"
 The protocol version according to which the protocol message is
 interpreted by the library. Currently, this is one of
-\&\fB\s-1SSL2_VERSION\s0\fR, \fB\s-1SSL3_VERSION\s0\fR and \fB\s-1TLS1_VERSION\s0\fR (for \s-1SSL\s0 2.0, \s-1SSL\s0
-3.0 and \s-1TLS\s0 1.0, respectively).
+\&\fB\s-1SSL2_VERSION\s0\fR, \fB\s-1SSL3_VERSION\s0\fR and \fB\s-1TLS1_VERSION\s0\fR (for \s-1SSL 2.0, SSL
+3.0\s0 and \s-1TLS 1.0,\s0 respectively).
 .IP "\fIcontent_type\fR" 4
 .IX Item "content_type"
-In the case of \s-1SSL\s0 2.0, this is always \fB0\fR.  In the case of \s-1SSL\s0 3.0
-or \s-1TLS\s0 1.0, this is one of the \fBContentType\fR values defined in the
+In the case of \s-1SSL 2.0,\s0 this is always \fB0\fR.  In the case of \s-1SSL 3.0\s0
+or \s-1TLS 1.0,\s0 this is one of the \fBContentType\fR values defined in the
 protocol specification (\fBchange_cipher_spec(20)\fR, \fBalert(21)\fR,
 \&\fBhandshake(22)\fR; but never \fBapplication_data(23)\fR because the
 callback will only be called for protocol messages).
@@ -201,7 +210,7 @@ processed.
 .PP
 Due to automatic protocol version negotiation, \fIversion\fR is not
 necessarily the protocol version used by the sender of the message: If
-a \s-1TLS\s0 1.0 ClientHello message is received by an \s-1SSL\s0 3.0\-only server,
+a \s-1TLS 1.0\s0 ClientHello message is received by an \s-1SSL 3\s0.0\-only server,
 \&\fIversion\fR will be \fB\s-1SSL3_VERSION\s0\fR.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
diff --git a/secure/lib/libssl/man/SSL_CTX_set_options.3 b/secure/lib/libssl/man/SSL_CTX_set_options.3
index 2e7a8d065a99..8937e092181c 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_options.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_options 3"
-.TH SSL_CTX_set_options 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_options 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -207,9 +216,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
 .IP "\s-1SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER\s0" 4
 .IX Item "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER"
 \&...
-.IP "\s-1SSL_OP_MSIE_SSLV2_RSA_PADDING\s0" 4
-.IX Item "SSL_OP_MSIE_SSLV2_RSA_PADDING"
-As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
+.IP "\s-1SSL_OP_SAFARI_ECDHE_ECDSA_BUG\s0" 4
+.IX Item "SSL_OP_SAFARI_ECDHE_ECDSA_BUG"
+Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on \s-1OS X.
+OS X 10.8..10.8.3\s0 has broken support for ECDHE-ECDSA ciphers.
 .IP "\s-1SSL_OP_SSLEAY_080_CLIENT_DH_BUG\s0" 4
 .IX Item "SSL_OP_SSLEAY_080_CLIENT_DH_BUG"
 \&...
@@ -221,10 +231,15 @@ As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
 \&...
 .IP "\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0" 4
 .IX Item "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS"
-Disables a countermeasure against a \s-1SSL\s0 3.0/TLS 1.0 protocol
+Disables a countermeasure against a \s-1SSL 3.0/TLS 1.0\s0 protocol
 vulnerability affecting \s-1CBC\s0 ciphers, which cannot be handled by some
 broken \s-1SSL\s0 implementations.  This option has no effect for connections
 using other ciphers.
+.IP "\s-1SSL_OP_TLSEXT_PADDING\s0" 4
+.IX Item "SSL_OP_TLSEXT_PADDING"
+Adds a padding extension to ensure the ClientHello size is never between
+256 and 511 bytes in length. This is needed as a workaround for some
+implementations.
 .IP "\s-1SSL_OP_ALL\s0" 4
 .IX Item "SSL_OP_ALL"
 All of the above bug workarounds.
@@ -258,15 +273,7 @@ a new \s-1DH\s0 key during each handshake but it is also recommended.
 temporary/ephemeral \s-1DH\s0 parameters are used.
 .IP "\s-1SSL_OP_EPHEMERAL_RSA\s0" 4
 .IX Item "SSL_OP_EPHEMERAL_RSA"
-Always use ephemeral (temporary) \s-1RSA\s0 key when doing \s-1RSA\s0 operations
-(see \fISSL_CTX_set_tmp_rsa_callback\fR\|(3)).
-According to the specifications this is only done, when a \s-1RSA\s0 key
-can only be used for signature operations (namely under export ciphers
-with restricted \s-1RSA\s0 keylength). By setting this option, ephemeral
-\&\s-1RSA\s0 keys are always used. This option breaks compatibility with the
-\&\s-1SSL/TLS\s0 specifications and may lead to interoperability problems with
-clients and should therefore never be used. Ciphers with \s-1EDH\s0 (ephemeral
-Diffie-Hellman) key exchange should be used instead.
+This option is no longer implemented and is treated as no op.
 .IP "\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0" 4
 .IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE"
 When choosing a cipher, use the server's preferences instead of the client
@@ -312,16 +319,16 @@ not be used by clients or servers.
 .IP "\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0" 4
 .IX Item "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION"
 Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
-servers. See the \fB\s-1SECURE\s0 \s-1RENEGOTIATION\s0\fR section for more details.
+servers. See the \fB\s-1SECURE RENEGOTIATION\s0\fR section for more details.
 .IP "\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0" 4
 .IX Item "SSL_OP_LEGACY_SERVER_CONNECT"
 Allow legacy insecure renegotiation between OpenSSL and unpatched servers
 \&\fBonly\fR: this option is currently set by default. See the
-\&\fB\s-1SECURE\s0 \s-1RENEGOTIATION\s0\fR section for more details.
+\&\fB\s-1SECURE RENEGOTIATION\s0\fR section for more details.
 .SH "SECURE RENEGOTIATION"
 .IX Header "SECURE RENEGOTIATION"
 OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in \s-1RFC5746\s0. This counters the prefix attack described in
+described in \s-1RFC5746.\s0 This counters the prefix attack described in
 \&\s-1CVE\-2009\-3555\s0 and elsewhere.
 .PP
 The deprecated and highly broken SSLv2 protocol does not support
@@ -339,7 +346,7 @@ renegotiation implementation.
 Connections and renegotiation are always permitted by OpenSSL implementations.
 .SS "Unpatched client and patched OpenSSL server"
 .IX Subsection "Unpatched client and patched OpenSSL server"
-The initial connection suceeds but client renegotiation is denied by the
+The initial connection succeeds but client renegotiation is denied by the
 server with a \fBno_renegotiation\fR warning alert if \s-1TLS\s0 v1.0 is used or a fatal
 \&\fBhandshake_failure\fR alert in \s-1SSL\s0 v3.0.
 .PP
diff --git a/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
index 58c138a3e001..c095acf061f8 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_psk_client_callback 3"
-.TH SSL_CTX_set_psk_client_callback 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_psk_client_callback 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
index 0ca922a0cdec..bce78ff49367 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_quiet_shutdown 3"
-.TH SSL_CTX_set_quiet_shutdown 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_quiet_shutdown 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
index 67c89f6f3188..cf3613ec848f 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_session_cache_mode 3"
-.TH SSL_CTX_set_session_cache_mode 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_session_cache_mode 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -207,10 +216,10 @@ As automatic lookup only applies for \s-1SSL/TLS\s0 servers, the flag has no eff
 clients.
 .IP "\s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0" 4
 .IX Item "SSL_SESS_CACHE_NO_INTERNAL_STORE"
-Depending on the presence of \s-1SSL_SESS_CACHE_CLIENT\s0 and/or \s-1SSL_SESS_CACHE_SERVER\s0,
+Depending on the presence of \s-1SSL_SESS_CACHE_CLIENT\s0 and/or \s-1SSL_SESS_CACHE_SERVER,\s0
 sessions negotiated in an \s-1SSL/TLS\s0 handshake may be cached for possible reuse.
 Normally a new session is added to the internal cache as well as any external
-session caching (callback) that is configured for the \s-1SSL_CTX\s0. This flag will
+session caching (callback) that is configured for the \s-1SSL_CTX.\s0 This flag will
 prevent sessions being stored in the internal cache (though the application can
 add them manually using \fISSL_CTX_add_session\fR\|(3)). Note:
 in any \s-1SSL/TLS\s0 servers where external caching is configured, any successful
@@ -222,7 +231,7 @@ prevents these additions to the internal cache as well.
 Enable both \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0 and
 \&\s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0 at the same time.
 .PP
-The default mode is \s-1SSL_SESS_CACHE_SERVER\s0.
+The default mode is \s-1SSL_SESS_CACHE_SERVER.\s0
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fISSL_CTX_set_session_cache_mode()\fR returns the previously set cache mode.
diff --git a/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
index 2b23c4aa6368..fddc582ee7c7 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_session_id_context 3"
-.TH SSL_CTX_set_session_id_context 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_session_id_context 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
index c3b784cd5393..9fb461c3441e 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_ssl_version 3"
-.TH SSL_CTX_set_ssl_version 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_ssl_version 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -143,12 +152,12 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\fISSL_CTX_set_ssl_version()\fR sets a new default \s-1TLS/SSL\s0 \fBmethod\fR for \s-1SSL\s0 objects
+\&\fISSL_CTX_set_ssl_version()\fR sets a new default \s-1TLS/SSL \s0\fBmethod\fR for \s-1SSL\s0 objects
 newly created from this \fBctx\fR. \s-1SSL\s0 objects already created with
 \&\fISSL_new\fR\|(3) are not affected, except when
 \&\fISSL_clear\fR\|(3) is being called.
 .PP
-\&\fISSL_set_ssl_method()\fR sets a new \s-1TLS/SSL\s0 \fBmethod\fR for a particular \fBssl\fR
+\&\fISSL_set_ssl_method()\fR sets a new \s-1TLS/SSL \s0\fBmethod\fR for a particular \fBssl\fR
 object. It may be reset, when \fISSL_clear()\fR is called.
 .PP
 \&\fISSL_get_ssl_method()\fR returns a function pointer to the \s-1TLS/SSL\s0 method
diff --git a/secure/lib/libssl/man/SSL_CTX_set_timeout.3 b/secure/lib/libssl/man/SSL_CTX_set_timeout.3
index 6ed92d5f88bc..3a2c417d506c 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_timeout.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_timeout.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_timeout 3"
-.TH SSL_CTX_set_timeout 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_timeout 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
new file mode 100644
index 000000000000..e1078f06df38
--- /dev/null
+++ b/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
@@ -0,0 +1,316 @@
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+.    ds C`
+.    ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
+..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
+.\}
+.rr rF
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SSL_CTX_set_tlsext_ticket_key_cb 3"
+.TH SSL_CTX_set_tlsext_ticket_key_cb 3 "2015-01-15" "1.0.1l" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+SSL_CTX_set_tlsext_ticket_key_cb \- set a callback for session ticket processing
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/tls1.h>
+\&
+\& long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx,
+\&        int (*cb)(SSL *s, unsigned char key_name[16],
+\&                  unsigned char iv[EVP_MAX_IV_LENGTH],
+\&                  EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc));
+.Ve
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fISSL_CTX_set_tlsext_ticket_key_cb()\fR sets a callback fuction \fIcb\fR for handling 
+session tickets for the ssl context \fIsslctx\fR. Session tickets, defined in 
+\&\s-1RFC5077\s0 provide an enhanced session resumption capability where the server
+implementation is not required to maintain per session state. It only applies
+to \s-1TLS\s0 and there is no SSLv3 implementation.
+.PP
+The callback is available when the OpenSSL library was built without 
+\&\fI\s-1OPENSSL_NO_TLSEXT\s0\fR being defined.
+.PP
+The callback function \fIcb\fR will be called for every client instigated \s-1TLS\s0
+session when session ticket extension is presented in the \s-1TLS\s0 hello
+message. It is the responsibility of this function to create or retrieve the
+cryptographic parameters and to maintain their state.
+.PP
+The OpenSSL library uses your callback function to help implement a common \s-1TLS \s0
+ticket construction state according to \s-1RFC5077\s0 Section 4 such that per session
+state is unnecessary and a small set of cryptographic variables needs to be 
+maintained by the callback function implementation.
+.PP
+In order to reuse a session, a \s-1TLS\s0 client must send the a session ticket
+extension to the server. The client can only send exactly one session ticket.
+The server, through the callback function, either agrees to reuse the session
+ticket information or it starts a full \s-1TLS\s0 handshake to create a new session
+ticket.
+.PP
+Before the callback function is started \fIctx\fR and \fIhctx\fR have been 
+initialised with EVP_CIPHER_CTX_init and HMAC_CTX_init respectively.
+.PP
+For new sessions tickets, when the client doesn't present a session ticket, or
+an attempted retreival of the ticket failed, or a renew option was indicated,
+the callback function will be called with \fIenc\fR equal to 1. The OpenSSL
+library expects that the function will set an arbitary \fIname\fR, initialize
+\&\fIiv\fR, and set the cipher context \fIctx\fR and the hash context \fIhctx\fR.
+.PP
+The \fIname\fR is 16 characters long and is used as a key identifier.
+.PP
+The \fIiv\fR length is the length of the \s-1IV\s0 of the corresponding cipher. The
+maximum \s-1IV\s0 length is \s-1EVP_MAX_IV_LENGTH\s0 bytes defined in \fBevp.h\fR.
+.PP
+The initialization vector \fIiv\fR should be a random value. The cipher context 
+\&\fIctx\fR should use the initialisation vector \fIiv\fR. The cipher context can be 
+set using EVP_EncryptInit_ex. The hmac context can be set using HMAC_Init_ex.
+.PP
+When the client presents a session ticket, the callback function with be called 
+with \fIenc\fR set to 0 indicating that the \fIcb\fR function should retreive a set
+of parameters. In this case \fIname\fR and \fIiv\fR have already been parsed out of
+the session ticket. The OpenSSL library expects that the \fIname\fR will be used
+to retrieve a cryptographic parameters and that the cryptographic context
+\&\fIctx\fR will be set with the retreived parameters and the initialization vector
+\&\fIiv\fR. using a function like EVP_DecryptInit_ex. The \fIhctx\fR needs to be set
+using HMAC_Init_ex.
+.PP
+If the \fIname\fR is still valid but a renewal of the ticket is required the
+callback function should return 2. The library will call the callback again
+with an arguement of enc equal to 1 to set the new ticket.
+.PP
+The return value of the \fIcb\fR function is used by OpenSSL to determine what
+further processing will occur. The following return values have meaning:
+.IP "2" 4
+.IX Item "2"
+This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can 
+continue on those parameters. Additionally it indicates that the session
+ticket is in a renewal period and should be replaced. The OpenSSL library will
+call \fIcb\fR again with an enc argument of 1 to set the new ticket (see \s-1RFC5077
+3.3\s0 paragraph 2).
+.IP "1" 4
+.IX Item "1"
+This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can 
+continue on those parameters.
+.IP "0" 4
+This indicates that it was not possible to set/retrieve a session ticket and 
+the \s-1SSL/TLS\s0 session will continue by by negiotationing a set of cryptographic
+parameters or using the alternate \s-1SSL/TLS\s0 resumption mechanism, session ids.
+.Sp
+If called with enc equal to 0 the library will call the \fIcb\fR again to get
+a new set of parameters.
+.IP "less than 0" 4
+.IX Item "less than 0"
+This indicates an error.
+.SH "NOTES"
+.IX Header "NOTES"
+Session resumption shortcuts the \s-1TLS\s0 so that the client certificate
+negiotation don't occur. It makes up for this by storing client certificate
+an all other negotiated state information encrypted within the ticket. In a
+resumed session the applications will have all this state information available
+exactly as if a full negiotation had occured.
+.PP
+If an attacker can obtain the key used to encrypt a session ticket, they can
+obtain the master secret for any ticket using that key and decrypt any traffic
+using that session: even if the ciphersuite supports forward secrecy. As
+a result applications may wish to use multiple keys and avoid using long term
+keys stored in files.
+.PP
+Applications can use longer keys to maintain a consistent level of security.
+For example if a ciphersuite uses 256 bit ciphers but only a 128 bit ticket key
+the overall security is only 128 bits because breaking the ticket key will
+enable an attacker to obtain the session keys.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Reference Implemention:
+  SSL_CTX_set_tlsext_ticket_key_cb(\s-1SSL\s0,ssl_tlsext_ticket_key_cb);
+  ....
+.PP
+.Vb 6
+\&  static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
+\&  {
+\&      if (enc) { /* create new session */
+\&          if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) {
+\&              return \-1; /* insufficient random */
+\&          }
+\&  
+\&          key = currentkey(); /* something that you need to implement */
+\&          if ( !key ) {
+\&              /* current key doesn\*(Aqt exist or isn\*(Aqt valid */
+\&              key = createkey(); /* something that you need to implement.
+\&                                   * createkey needs to initialise, a name,
+\&                                   * an aes_key, a hmac_key and optionally
+\&                                   * an expire time. */
+\&              if ( !key ) { /* key couldn\*(Aqt be created */
+\&                  return 0;
+\&              }
+\&          }
+\&          memcpy(key_name, key\->name, 16);
+\&  
+\&          EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key\->aes_key, iv);
+\&          HMAC_Init_ex(&hctx, key\->hmac_key, 16, EVP_sha256(), NULL);
+\&  
+\&          return 1;
+\&  
+\&      } else { /* retrieve session */
+\&          key = findkey(name);
+\&  
+\&          if  (!key || key\->expire < now() ) {
+\&              return 0;
+\&          }
+\&  
+\&          HMAC_Init_ex(&hctx, key\->hmac_key, 16, EVP_sha256(), NULL);
+\&          EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key\->aes_key, iv );
+\&
+\&          if (key\->expire < ( now() \- RENEW_TIME ) ) {
+\&              /* return 2 \- this session will get a new ticket even though the current is still valid */
+\&              return 2;
+\&          }
+\&          return 1;
+\&  
+\&      }
+\&  }
+.Ve
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+returns 0 to indicate the callback function was set.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIssl\fR\|(3), \fISSL_set_session\fR\|(3),
+\&\fISSL_session_reused\fR\|(3),
+\&\fISSL_CTX_add_session\fR\|(3),
+\&\fISSL_CTX_sess_number\fR\|(3),
+\&\fISSL_CTX_sess_set_get_cb\fR\|(3),
+\&\fISSL_CTX_set_session_id_context\fR\|(3),
+.SH "HISTORY"
+.IX Header "HISTORY"
+This function was introduced in OpenSSL 0.9.8h
diff --git a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
index d250689af14a..76e7e989793c 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_tmp_dh_callback 3"
-.TH SSL_CTX_set_tmp_dh_callback 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_tmp_dh_callback 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -140,11 +149,9 @@ SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_se
 \&            DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
 \& long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh);
 \&
-\& void SSL_set_tmp_dh_callback(SSL_CTX *ctx,
+\& void SSL_set_tmp_dh_callback(SSL *ctx,
 \&            DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
 \& long SSL_set_tmp_dh(SSL *ssl, DH *dh)
-\&
-\& DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
@@ -177,12 +184,13 @@ even if he gets hold of the normal (certified) key, as this key was
 only used for signing.
 .PP
 In order to perform a \s-1DH\s0 key exchange the server must use a \s-1DH\s0 group
-(\s-1DH\s0 parameters) and generate a \s-1DH\s0 key. The server will always generate a new
-\&\s-1DH\s0 key during the negotiation, when the \s-1DH\s0 parameters are supplied via
-callback and/or when the \s-1SSL_OP_SINGLE_DH_USE\s0 option of
-\&\fISSL_CTX_set_options\fR\|(3) is set. It will
-immediately create a \s-1DH\s0 key, when \s-1DH\s0 parameters are supplied via
-\&\fISSL_CTX_set_tmp_dh()\fR and \s-1SSL_OP_SINGLE_DH_USE\s0 is not set. In this case,
+(\s-1DH\s0 parameters) and generate a \s-1DH\s0 key.
+The server will always generate a new \s-1DH\s0 key during the negotiation
+if either the \s-1DH\s0 parameters are supplied via callback or the
+\&\s-1SSL_OP_SINGLE_DH_USE\s0 option of \fISSL_CTX_set_options\fR\|(3) is set (or both).
+It will  immediately create a \s-1DH\s0 key if \s-1DH\s0 parameters are supplied via
+\&\fISSL_CTX_set_tmp_dh()\fR and \s-1SSL_OP_SINGLE_DH_USE\s0 is not set.
+In this case,
 it may happen that a key is generated on initialization without later
 being needed, while on the other hand the computer time during the
 negotiation is being saved.
@@ -208,7 +216,7 @@ instead (see \fIdhparam\fR\|(1)), but in this case \s-1SSL_OP_SINGLE_DH_USE\s0
 is mandatory.
 .PP
 Application authors may compile in \s-1DH\s0 parameters. Files dh512.pem,
-dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current
+dh1024.pem, dh2048.pem, and dh4096.pem in the 'apps' directory of current
 version of the OpenSSL distribution contain the '\s-1SKIP\s0' \s-1DH\s0 parameters,
 which use safe primes and were generated verifiably pseudo-randomly.
 These files can be converted into C code using the \fB\-C\fR option of the
@@ -268,7 +276,7 @@ partly left out.)
 \&      dh_tmp = dh_512;
 \&      break;
 \&    case 1024:
-\&      if (!dh_1024) 
+\&      if (!dh_1024)
 \&        dh_1024 = get_dh1024();
 \&      dh_tmp = dh_1024;
 \&      break;
diff --git a/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
index f16d4a8b6771..1b858e145cbe 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_tmp_rsa_callback 3"
-.TH SSL_CTX_set_tmp_rsa_callback 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_tmp_rsa_callback 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -197,25 +206,18 @@ the \s-1TLS\s0 standard, when the \s-1RSA\s0 key can be used for signing only, t
 for export ciphers. Using ephemeral \s-1RSA\s0 key exchange for other purposes
 violates the standard and can break interoperability with clients.
 It is therefore strongly recommended to not use ephemeral \s-1RSA\s0 key
-exchange and use \s-1EDH\s0 (Ephemeral Diffie-Hellman) key exchange instead
+exchange and use \s-1EDH \s0(Ephemeral Diffie-Hellman) key exchange instead
 in order to achieve forward secrecy (see
 \&\fISSL_CTX_set_tmp_dh_callback\fR\|(3)).
 .PP
-On OpenSSL servers ephemeral \s-1RSA\s0 key exchange is therefore disabled by default
-and must be explicitly enabled  using the \s-1SSL_OP_EPHEMERAL_RSA\s0 option of
-\&\fISSL_CTX_set_options\fR\|(3), violating the \s-1TLS/SSL\s0
-standard. When ephemeral \s-1RSA\s0 key exchange is required for export ciphers,
-it will automatically be used without this option!
-.PP
-An application may either directly specify the key or can supply the key via
-a callback function. The callback approach has the advantage, that the
-callback may generate the key only in case it is actually needed. As the
-generation of a \s-1RSA\s0 key is however costly, it will lead to a significant
-delay in the handshake procedure.  Another advantage of the callback function
-is that it can supply keys of different size (e.g. for \s-1SSL_OP_EPHEMERAL_RSA\s0
-usage) while the explicit setting of the key is only useful for key size of
-512 bits to satisfy the export restricted ciphers and does give away key length
-if a longer key would be allowed.
+An application may either directly specify the key or can supply the key via a
+callback function. The callback approach has the advantage, that the callback
+may generate the key only in case it is actually needed. As the generation of a
+\&\s-1RSA\s0 key is however costly, it will lead to a significant delay in the handshake
+procedure.  Another advantage of the callback function is that it can supply
+keys of different size while the explicit setting of the key is only useful for
+key size of 512 bits to satisfy the export restricted ciphers and does give
+away key length if a longer key would be allowed.
 .PP
 The \fBtmp_rsa_callback\fR is called with the \fBkeylength\fR needed and
 the \fBis_export\fR information. The \fBis_export\fR flag is set, when the
diff --git a/secure/lib/libssl/man/SSL_CTX_set_verify.3 b/secure/lib/libssl/man/SSL_CTX_set_verify.3
index 83bd539c9325..73c447c430df 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_verify.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_verify 3"
-.TH SSL_CTX_set_verify 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_verify 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -197,14 +206,14 @@ anonymous cipher is used, \s-1SSL_VERIFY_PEER\s0 is ignored.
 .IX Item "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"
 \&\fBServer mode:\fR if the client did not return a certificate, the \s-1TLS/SSL\s0
 handshake is immediately terminated with a \*(L"handshake failure\*(R" alert.
-This flag must be used together with \s-1SSL_VERIFY_PEER\s0.
+This flag must be used together with \s-1SSL_VERIFY_PEER.\s0
 .Sp
 \&\fBClient mode:\fR ignored
 .IP "\s-1SSL_VERIFY_CLIENT_ONCE\s0" 4
 .IX Item "SSL_VERIFY_CLIENT_ONCE"
 \&\fBServer mode:\fR only request a client certificate on the initial \s-1TLS/SSL\s0
 handshake. Do not ask for a client certificate again in case of a
-renegotiation. This flag must be used together with \s-1SSL_VERIFY_PEER\s0.
+renegotiation. This flag must be used together with \s-1SSL_VERIFY_PEER.\s0
 .Sp
 \&\fBClient mode:\fR ignored
 .PP
@@ -228,8 +237,8 @@ certificates would not be present, most likely a
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued.
 The depth count is \*(L"level 0:peer certificate\*(R", \*(L"level 1: \s-1CA\s0 certificate\*(R",
 \&\*(L"level 2: higher level \s-1CA\s0 certificate\*(R", and so on. Setting the maximum
-depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9,
-allowing for the peer certificate and additional 9 \s-1CA\s0 certificates.
+depth to 2 allows the levels 0, 1, and 2. The default depth limit is 100,
+allowing for the peer certificate and additional 100 \s-1CA\s0 certificates.
 .PP
 The \fBverify_callback\fR function is used to control the behaviour when the
 \&\s-1SSL_VERIFY_PEER\s0 flag is set. It must be supplied by the application and
@@ -285,8 +294,8 @@ that will always continue the \s-1TLS/SSL\s0 handshake regardless of verificatio
 failure, if wished. The callback realizes a verification depth limit with
 more informational output.
 .PP
-All verification errors are printed, informations about the certificate chain
-are printed on request.
+All verification errors are printed; information about the certificate chain
+is printed on request.
 The example is realized for a server that does allow but not require client
 certificates.
 .PP
diff --git a/secure/lib/libssl/man/SSL_CTX_use_certificate.3 b/secure/lib/libssl/man/SSL_CTX_use_certificate.3
index beaf8029f8be..639c6948901c 100644
--- a/secure/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/secure/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_use_certificate 3"
-.TH SSL_CTX_use_certificate 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_use_certificate 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -189,7 +198,7 @@ the memory location \fBd\fR (with length \fBlen\fR) into \fBctx\fR,
 .PP
 \&\fISSL_CTX_use_certificate_file()\fR loads the first certificate stored in \fBfile\fR
 into \fBctx\fR. The formatting \fBtype\fR of the certificate must be specified
-from the known types \s-1SSL_FILETYPE_PEM\s0, \s-1SSL_FILETYPE_ASN1\s0.
+from the known types \s-1SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.\s0
 \&\fISSL_use_certificate_file()\fR loads the certificate from \fBfile\fR into \fBssl\fR.
 See the \s-1NOTES\s0 section on why \fISSL_CTX_use_certificate_chain_file()\fR
 should be preferred.
@@ -198,7 +207,7 @@ should be preferred.
 \&\fBfile\fR into \fBctx\fR. The certificates must be in \s-1PEM\s0 format and must
 be sorted starting with the subject's certificate (actual client or server
 certificate), followed by intermediate \s-1CA\s0 certificates if applicable, and
-ending at the highest level (root) \s-1CA\s0.
+ending at the highest level (root) \s-1CA.\s0
 There is no corresponding function working on a single \s-1SSL\s0 object.
 .PP
 \&\fISSL_CTX_use_PrivateKey()\fR adds \fBpkey\fR as private key to \fBctx\fR.
@@ -220,7 +229,7 @@ key to \fBssl\fR.
 .PP
 \&\fISSL_CTX_use_PrivateKey_file()\fR adds the first private key found in
 \&\fBfile\fR to \fBctx\fR. The formatting \fBtype\fR of the certificate must be specified
-from the known types \s-1SSL_FILETYPE_PEM\s0, \s-1SSL_FILETYPE_ASN1\s0.
+from the known types \s-1SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.\s0
 \&\fISSL_CTX_use_RSAPrivateKey_file()\fR adds the first private \s-1RSA\s0 key found in
 \&\fBfile\fR to \fBctx\fR. \fISSL_use_PrivateKey_file()\fR adds the first private key found
 in \fBfile\fR to \fBssl\fR; \fISSL_use_RSAPrivateKey_file()\fR adds the first private
@@ -237,11 +246,11 @@ this \fBssl\fR, the last item added into \fBctx\fR will be checked.
 .IX Header "NOTES"
 The internal certificate store of OpenSSL can hold two private key/certificate
 pairs at a time: one key/certificate of type \s-1RSA\s0 and one key/certificate
-of type \s-1DSA\s0. The certificate used depends on the cipher select, see
+of type \s-1DSA.\s0 The certificate used depends on the cipher select, see
 also \fISSL_CTX_set_cipher_list\fR\|(3).
 .PP
 When reading certificates and private keys from file, files of type
-\&\s-1SSL_FILETYPE_ASN1\s0 (also known as \fB\s-1DER\s0\fR, binary encoding) can only contain
+\&\s-1SSL_FILETYPE_ASN1 \s0(also known as \fB\s-1DER\s0\fR, binary encoding) can only contain
 one certificate or private key, consequently 
 \&\fISSL_CTX_use_certificate_chain_file()\fR is only applicable to \s-1PEM\s0 formatting.
 Files of type \s-1SSL_FILETYPE_PEM\s0 can contain more than one item.
diff --git a/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 b/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
index 10c224eb6001..aa9124e1e513 100644
--- a/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
+++ b/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_use_psk_identity_hint 3"
-.TH SSL_CTX_use_psk_identity_hint 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_use_psk_identity_hint 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -190,9 +199,3 @@ completely.
 .IP "0" 4
 \&\s-1PSK\s0 identity was not found. An \*(L"unknown_psk_identity\*(R" alert message
 will be sent and the connection setup fails.
-.SH "POD ERRORS"
-.IX Header "POD ERRORS"
-Hey! \fBThe above document had some coding errors, which are explained below:\fR
-.IP "Around line 84:" 4
-.IX Item "Around line 84:"
-\&'=item' outside of any '=over'
diff --git a/secure/lib/libssl/man/SSL_SESSION_free.3 b/secure/lib/libssl/man/SSL_SESSION_free.3
index d1f0cbd76144..23b28fe5fd9e 100644
--- a/secure/lib/libssl/man/SSL_SESSION_free.3
+++ b/secure/lib/libssl/man/SSL_SESSION_free.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_SESSION_free 3"
-.TH SSL_SESSION_free 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_SESSION_free 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
index 0fd8077fe1d7..5243729caf5f 100644
--- a/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
+++ b/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_SESSION_get_ex_new_index 3"
-.TH SSL_SESSION_get_ex_new_index 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_SESSION_get_ex_new_index 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_SESSION_get_time.3 b/secure/lib/libssl/man/SSL_SESSION_get_time.3
index 0af793475385..b6df1f35accd 100644
--- a/secure/lib/libssl/man/SSL_SESSION_get_time.3
+++ b/secure/lib/libssl/man/SSL_SESSION_get_time.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_SESSION_get_time 3"
-.TH SSL_SESSION_get_time 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_SESSION_get_time 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_accept.3 b/secure/lib/libssl/man/SSL_accept.3
index 77ac271f0722..454caea0c6a3 100644
--- a/secure/lib/libssl/man/SSL_accept.3
+++ b/secure/lib/libssl/man/SSL_accept.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_accept 3"
-.TH SSL_accept 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_accept 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -145,11 +154,11 @@ The communication channel must already have been set and assigned to the
 \&\fBssl\fR by setting an underlying \fB\s-1BIO\s0\fR.
 .SH "NOTES"
 .IX Header "NOTES"
-The behaviour of \fISSL_accept()\fR depends on the underlying \s-1BIO\s0.
+The behaviour of \fISSL_accept()\fR depends on the underlying \s-1BIO. \s0
 .PP
 If the underlying \s-1BIO\s0 is \fBblocking\fR, \fISSL_accept()\fR will only return once the
-handshake has been finished or an error occurred, except for \s-1SGC\s0 (Server
-Gated Cryptography). For \s-1SGC\s0, \fISSL_accept()\fR may return with \-1, but
+handshake has been finished or an error occurred, except for \s-1SGC \s0(Server
+Gated Cryptography). For \s-1SGC,\s0 \fISSL_accept()\fR may return with \-1, but
 \&\fISSL_get_error()\fR will yield \fB\s-1SSL_ERROR_WANT_READ/WRITE\s0\fR and \fISSL_accept()\fR
 should be called again.
 .PP
@@ -160,23 +169,23 @@ In this case a call to \fISSL_get_error()\fR with the
 return value of \fISSL_accept()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
 \&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
 taking appropriate action to satisfy the needs of \fISSL_accept()\fR.
-The action depends on the underlying \s-1BIO\s0. When using a non-blocking socket,
+The action depends on the underlying \s-1BIO.\s0 When using a non-blocking socket,
 nothing is to be done, but \fIselect()\fR can be used to check for the required
-condition. When using a buffering \s-1BIO\s0, like a \s-1BIO\s0 pair, data must be written
+condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
 into or retrieved out of the \s-1BIO\s0 before being able to continue.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 The following return values can occur:
-.IP "1." 4
-The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
-established.
-.IP "2." 4
+.IP "0" 4
 The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
 by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fISSL_get_error()\fR with the
 return value \fBret\fR to find out the reason.
-.IP "3." 4
-<0
-.Sp
+.IP "1" 4
+.IX Item "1"
+The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
+established.
+.IP "<0" 4
+.IX Item "<0"
 The \s-1TLS/SSL\s0 handshake was not successful because a fatal error occurred either
 at the protocol level or a connection failure occurred. The shutdown was
 not clean. It can also occur of action is need to continue the operation
@@ -189,12 +198,3 @@ to find out the reason.
 \&\fISSL_set_connect_state\fR\|(3),
 \&\fISSL_do_handshake\fR\|(3),
 \&\fISSL_CTX_new\fR\|(3)
-.SH "POD ERRORS"
-.IX Header "POD ERRORS"
-Hey! \fBThe above document had some coding errors, which are explained below:\fR
-.IP "Around line 52:" 4
-.IX Item "Around line 52:"
-You have '=item 0' instead of the expected '=item 2'
-.IP "Around line 58:" 4
-.IX Item "Around line 58:"
-Expected '=item 3'
diff --git a/secure/lib/libssl/man/SSL_alert_type_string.3 b/secure/lib/libssl/man/SSL_alert_type_string.3
index c8072c9c201b..bdb3533719ff 100644
--- a/secure/lib/libssl/man/SSL_alert_type_string.3
+++ b/secure/lib/libssl/man/SSL_alert_type_string.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_alert_type_string 3"
-.TH SSL_alert_type_string 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_alert_type_string 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -171,7 +180,7 @@ receiving side may cancel the connection on reception of a warning
 alert on it discretion.
 .PP
 Several alert messages must be sent as fatal alert messages as specified
-by the \s-1TLS\s0 \s-1RFC\s0. A fatal alert always leads to a connection abort.
+by the \s-1TLS RFC. A\s0 fatal alert always leads to a connection abort.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 The following strings can occur for \fISSL_alert_type_string()\fR or
@@ -192,139 +201,139 @@ Probably \fBvalue\fR does not contain a correct alert message.
 .PP
 The following strings can occur for \fISSL_alert_desc_string()\fR or
 \&\fISSL_alert_desc_string_long()\fR:
-.ie n .IP """\s-1CN\s0""/""close notify""" 4
-.el .IP "``\s-1CN\s0''/``close notify''" 4
+.ie n .IP """\s-1CN""/\s0""close notify""" 4
+.el .IP "``\s-1CN''/\s0``close notify''" 4
 .IX Item "CN/close notify"
 The connection shall be closed. This is a warning alert.
-.ie n .IP """\s-1UM\s0""/""unexpected message""" 4
-.el .IP "``\s-1UM\s0''/``unexpected message''" 4
+.ie n .IP """\s-1UM""/\s0""unexpected message""" 4
+.el .IP "``\s-1UM''/\s0``unexpected message''" 4
 .IX Item "UM/unexpected message"
 An inappropriate message was received. This alert is always fatal
 and should never be observed in communication between proper
 implementations.
-.ie n .IP """\s-1BM\s0""/""bad record mac""" 4
-.el .IP "``\s-1BM\s0''/``bad record mac''" 4
+.ie n .IP """\s-1BM""/\s0""bad record mac""" 4
+.el .IP "``\s-1BM''/\s0``bad record mac''" 4
 .IX Item "BM/bad record mac"
 This alert is returned if a record is received with an incorrect
-\&\s-1MAC\s0. This message is always fatal.
-.ie n .IP """\s-1DF\s0""/""decompression failure""" 4
-.el .IP "``\s-1DF\s0''/``decompression failure''" 4
+\&\s-1MAC.\s0 This message is always fatal.
+.ie n .IP """\s-1DF""/\s0""decompression failure""" 4
+.el .IP "``\s-1DF''/\s0``decompression failure''" 4
 .IX Item "DF/decompression failure"
 The decompression function received improper input (e.g. data
 that would expand to excessive length). This message is always
 fatal.
-.ie n .IP """\s-1HF\s0""/""handshake failure""" 4
-.el .IP "``\s-1HF\s0''/``handshake failure''" 4
+.ie n .IP """\s-1HF""/\s0""handshake failure""" 4
+.el .IP "``\s-1HF''/\s0``handshake failure''" 4
 .IX Item "HF/handshake failure"
 Reception of a handshake_failure alert message indicates that the
 sender was unable to negotiate an acceptable set of security
 parameters given the options available. This is a fatal error.
-.ie n .IP """\s-1NC\s0""/""no certificate""" 4
-.el .IP "``\s-1NC\s0''/``no certificate''" 4
+.ie n .IP """\s-1NC""/\s0""no certificate""" 4
+.el .IP "``\s-1NC''/\s0``no certificate''" 4
 .IX Item "NC/no certificate"
 A client, that was asked to send a certificate, does not send a certificate
 (SSLv3 only).
-.ie n .IP """\s-1BC\s0""/""bad certificate""" 4
-.el .IP "``\s-1BC\s0''/``bad certificate''" 4
+.ie n .IP """\s-1BC""/\s0""bad certificate""" 4
+.el .IP "``\s-1BC''/\s0``bad certificate''" 4
 .IX Item "BC/bad certificate"
 A certificate was corrupt, contained signatures that did not
 verify correctly, etc
-.ie n .IP """\s-1UC\s0""/""unsupported certificate""" 4
-.el .IP "``\s-1UC\s0''/``unsupported certificate''" 4
+.ie n .IP """\s-1UC""/\s0""unsupported certificate""" 4
+.el .IP "``\s-1UC''/\s0``unsupported certificate''" 4
 .IX Item "UC/unsupported certificate"
 A certificate was of an unsupported type.
-.ie n .IP """\s-1CR\s0""/""certificate revoked""" 4
-.el .IP "``\s-1CR\s0''/``certificate revoked''" 4
+.ie n .IP """\s-1CR""/\s0""certificate revoked""" 4
+.el .IP "``\s-1CR''/\s0``certificate revoked''" 4
 .IX Item "CR/certificate revoked"
 A certificate was revoked by its signer.
-.ie n .IP """\s-1CE\s0""/""certificate expired""" 4
-.el .IP "``\s-1CE\s0''/``certificate expired''" 4
+.ie n .IP """\s-1CE""/\s0""certificate expired""" 4
+.el .IP "``\s-1CE''/\s0``certificate expired''" 4
 .IX Item "CE/certificate expired"
 A certificate has expired or is not currently valid.
-.ie n .IP """\s-1CU\s0""/""certificate unknown""" 4
-.el .IP "``\s-1CU\s0''/``certificate unknown''" 4
+.ie n .IP """\s-1CU""/\s0""certificate unknown""" 4
+.el .IP "``\s-1CU''/\s0``certificate unknown''" 4
 .IX Item "CU/certificate unknown"
 Some other (unspecified) issue arose in processing the
 certificate, rendering it unacceptable.
-.ie n .IP """\s-1IP\s0""/""illegal parameter""" 4
-.el .IP "``\s-1IP\s0''/``illegal parameter''" 4
+.ie n .IP """\s-1IP""/\s0""illegal parameter""" 4
+.el .IP "``\s-1IP''/\s0``illegal parameter''" 4
 .IX Item "IP/illegal parameter"
 A field in the handshake was out of range or inconsistent with
 other fields. This is always fatal.
-.ie n .IP """\s-1DC\s0""/""decryption failed""" 4
-.el .IP "``\s-1DC\s0''/``decryption failed''" 4
+.ie n .IP """\s-1DC""/\s0""decryption failed""" 4
+.el .IP "``\s-1DC''/\s0``decryption failed''" 4
 .IX Item "DC/decryption failed"
 A TLSCiphertext decrypted in an invalid way: either it wasn't an
 even multiple of the block length or its padding values, when
 checked, weren't correct. This message is always fatal.
-.ie n .IP """\s-1RO\s0""/""record overflow""" 4
-.el .IP "``\s-1RO\s0''/``record overflow''" 4
+.ie n .IP """\s-1RO""/\s0""record overflow""" 4
+.el .IP "``\s-1RO''/\s0``record overflow''" 4
 .IX Item "RO/record overflow"
 A TLSCiphertext record was received which had a length more than
 2^14+2048 bytes, or a record decrypted to a TLSCompressed record
 with more than 2^14+1024 bytes. This message is always fatal.
-.ie n .IP """\s-1CA\s0""/""unknown \s-1CA\s0""" 4
-.el .IP "``\s-1CA\s0''/``unknown \s-1CA\s0''" 4
+.ie n .IP """\s-1CA""/\s0""unknown \s-1CA""\s0" 4
+.el .IP "``\s-1CA''/\s0``unknown \s-1CA''\s0" 4
 .IX Item "CA/unknown CA"
 A valid certificate chain or partial chain was received, but the
 certificate was not accepted because the \s-1CA\s0 certificate could not
-be located or couldn't be matched with a known, trusted \s-1CA\s0.  This
+be located or couldn't be matched with a known, trusted \s-1CA. \s0 This
 message is always fatal.
-.ie n .IP """\s-1AD\s0""/""access denied""" 4
-.el .IP "``\s-1AD\s0''/``access denied''" 4
+.ie n .IP """\s-1AD""/\s0""access denied""" 4
+.el .IP "``\s-1AD''/\s0``access denied''" 4
 .IX Item "AD/access denied"
 A valid certificate was received, but when access control was
 applied, the sender decided not to proceed with negotiation.
 This message is always fatal.
-.ie n .IP """\s-1DE\s0""/""decode error""" 4
-.el .IP "``\s-1DE\s0''/``decode error''" 4
+.ie n .IP """\s-1DE""/\s0""decode error""" 4
+.el .IP "``\s-1DE''/\s0``decode error''" 4
 .IX Item "DE/decode error"
 A message could not be decoded because some field was out of the
 specified range or the length of the message was incorrect. This
 message is always fatal.
-.ie n .IP """\s-1CY\s0""/""decrypt error""" 4
-.el .IP "``\s-1CY\s0''/``decrypt error''" 4
+.ie n .IP """\s-1CY""/\s0""decrypt error""" 4
+.el .IP "``\s-1CY''/\s0``decrypt error''" 4
 .IX Item "CY/decrypt error"
 A handshake cryptographic operation failed, including being
 unable to correctly verify a signature, decrypt a key exchange,
 or validate a finished message.
-.ie n .IP """\s-1ER\s0""/""export restriction""" 4
-.el .IP "``\s-1ER\s0''/``export restriction''" 4
+.ie n .IP """\s-1ER""/\s0""export restriction""" 4
+.el .IP "``\s-1ER''/\s0``export restriction''" 4
 .IX Item "ER/export restriction"
 A negotiation not in compliance with export restrictions was
 detected; for example, attempting to transfer a 1024 bit
 ephemeral \s-1RSA\s0 key for the \s-1RSA_EXPORT\s0 handshake method. This
 message is always fatal.
-.ie n .IP """\s-1PV\s0""/""protocol version""" 4
-.el .IP "``\s-1PV\s0''/``protocol version''" 4
+.ie n .IP """\s-1PV""/\s0""protocol version""" 4
+.el .IP "``\s-1PV''/\s0``protocol version''" 4
 .IX Item "PV/protocol version"
 The protocol version the client has attempted to negotiate is
 recognized, but not supported. (For example, old protocol
 versions might be avoided for security reasons). This message is
 always fatal.
-.ie n .IP """\s-1IS\s0""/""insufficient security""" 4
-.el .IP "``\s-1IS\s0''/``insufficient security''" 4
+.ie n .IP """\s-1IS""/\s0""insufficient security""" 4
+.el .IP "``\s-1IS''/\s0``insufficient security''" 4
 .IX Item "IS/insufficient security"
 Returned instead of handshake_failure when a negotiation has
 failed specifically because the server requires ciphers more
 secure than those supported by the client. This message is always
 fatal.
-.ie n .IP """\s-1IE\s0""/""internal error""" 4
-.el .IP "``\s-1IE\s0''/``internal error''" 4
+.ie n .IP """\s-1IE""/\s0""internal error""" 4
+.el .IP "``\s-1IE''/\s0``internal error''" 4
 .IX Item "IE/internal error"
 An internal error unrelated to the peer or the correctness of the
 protocol makes it impossible to continue (such as a memory
 allocation failure). This message is always fatal.
-.ie n .IP """\s-1US\s0""/""user canceled""" 4
-.el .IP "``\s-1US\s0''/``user canceled''" 4
+.ie n .IP """\s-1US""/\s0""user canceled""" 4
+.el .IP "``\s-1US''/\s0``user canceled''" 4
 .IX Item "US/user canceled"
 This handshake is being canceled for some reason unrelated to a
 protocol failure. If the user cancels an operation after the
 handshake is complete, just closing the connection by sending a
 close_notify is more appropriate. This alert should be followed
 by a close_notify. This message is generally a warning.
-.ie n .IP """\s-1NR\s0""/""no renegotiation""" 4
-.el .IP "``\s-1NR\s0''/``no renegotiation''" 4
+.ie n .IP """\s-1NR""/\s0""no renegotiation""" 4
+.el .IP "``\s-1NR''/\s0``no renegotiation''" 4
 .IX Item "NR/no renegotiation"
 Sent by the client in response to a hello request or by the
 server in response to a client hello after initial handshaking.
@@ -337,13 +346,13 @@ satisfy a request; the process might receive security parameters
 (key length, authentication, etc.) at startup and it might be
 difficult to communicate changes to these parameters after that
 point. This message is always a warning.
-.ie n .IP """\s-1UP\s0""/""unknown \s-1PSK\s0 identity""" 4
-.el .IP "``\s-1UP\s0''/``unknown \s-1PSK\s0 identity''" 4
+.ie n .IP """\s-1UP""/\s0""unknown \s-1PSK\s0 identity""" 4
+.el .IP "``\s-1UP''/\s0``unknown \s-1PSK\s0 identity''" 4
 .IX Item "UP/unknown PSK identity"
 Sent by the server to indicate that it does not recognize a \s-1PSK\s0
 identity or an \s-1SRP\s0 identity.
-.ie n .IP """\s-1UK\s0""/""unknown""" 4
-.el .IP "``\s-1UK\s0''/``unknown''" 4
+.ie n .IP """\s-1UK""/\s0""unknown""" 4
+.el .IP "``\s-1UK''/\s0``unknown''" 4
 .IX Item "UK/unknown"
 This indicates that no description is available for this alert type.
 Probably \fBvalue\fR does not contain a correct alert message.
diff --git a/secure/lib/libssl/man/SSL_clear.3 b/secure/lib/libssl/man/SSL_clear.3
index e6ad1cbe3543..6b59f78d10a8 100644
--- a/secure/lib/libssl/man/SSL_clear.3
+++ b/secure/lib/libssl/man/SSL_clear.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_clear 3"
-.TH SSL_clear 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_clear 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,7 +156,7 @@ BIOs) are kept.
 SSL_clear is used to prepare an \s-1SSL\s0 object for a new connection. While all
 settings are kept, a side effect is the handling of the current \s-1SSL\s0 session.
 If a session is still \fBopen\fR, it is considered bad and will be removed
-from the session cache, as required by \s-1RFC2246\s0. A session is considered open,
+from the session cache, as required by \s-1RFC2246. A\s0 session is considered open,
 if \fISSL_shutdown\fR\|(3) was not called for the connection
 or at least \fISSL_set_shutdown\fR\|(3) was used to
 set the \s-1SSL_SENT_SHUTDOWN\s0 state.
diff --git a/secure/lib/libssl/man/SSL_connect.3 b/secure/lib/libssl/man/SSL_connect.3
index c4a66646de6c..0cfe3d8201a6 100644
--- a/secure/lib/libssl/man/SSL_connect.3
+++ b/secure/lib/libssl/man/SSL_connect.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_connect 3"
-.TH SSL_connect 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_connect 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -145,7 +154,7 @@ channel must already have been set and assigned to the \fBssl\fR by setting an
 underlying \fB\s-1BIO\s0\fR.
 .SH "NOTES"
 .IX Header "NOTES"
-The behaviour of \fISSL_connect()\fR depends on the underlying \s-1BIO\s0.
+The behaviour of \fISSL_connect()\fR depends on the underlying \s-1BIO. \s0
 .PP
 If the underlying \s-1BIO\s0 is \fBblocking\fR, \fISSL_connect()\fR will only return once the
 handshake has been finished or an error occurred.
@@ -157,23 +166,23 @@ In this case a call to \fISSL_get_error()\fR with the
 return value of \fISSL_connect()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
 \&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
 taking appropriate action to satisfy the needs of \fISSL_connect()\fR.
-The action depends on the underlying \s-1BIO\s0. When using a non-blocking socket,
+The action depends on the underlying \s-1BIO.\s0 When using a non-blocking socket,
 nothing is to be done, but \fIselect()\fR can be used to check for the required
-condition. When using a buffering \s-1BIO\s0, like a \s-1BIO\s0 pair, data must be written
+condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
 into or retrieved out of the \s-1BIO\s0 before being able to continue.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 The following return values can occur:
-.IP "1." 4
-The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
-established.
-.IP "2." 4
+.IP "0" 4
 The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
 by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fISSL_get_error()\fR with the
 return value \fBret\fR to find out the reason.
-.IP "3." 4
-<0
-.Sp
+.IP "1" 4
+.IX Item "1"
+The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
+established.
+.IP "<0" 4
+.IX Item "<0"
 The \s-1TLS/SSL\s0 handshake was not successful, because a fatal error occurred either
 at the protocol level or a connection failure occurred. The shutdown was
 not clean. It can also occur of action is need to continue the operation
@@ -186,12 +195,3 @@ to find out the reason.
 \&\fISSL_set_connect_state\fR\|(3),
 \&\fISSL_do_handshake\fR\|(3),
 \&\fISSL_CTX_new\fR\|(3)
-.SH "POD ERRORS"
-.IX Header "POD ERRORS"
-Hey! \fBThe above document had some coding errors, which are explained below:\fR
-.IP "Around line 49:" 4
-.IX Item "Around line 49:"
-You have '=item 0' instead of the expected '=item 2'
-.IP "Around line 55:" 4
-.IX Item "Around line 55:"
-Expected '=item 3'
diff --git a/secure/lib/libssl/man/SSL_do_handshake.3 b/secure/lib/libssl/man/SSL_do_handshake.3
index ca464dbaaea7..16e84ac227f6 100644
--- a/secure/lib/libssl/man/SSL_do_handshake.3
+++ b/secure/lib/libssl/man/SSL_do_handshake.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_do_handshake 3"
-.TH SSL_do_handshake 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_do_handshake 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -147,11 +156,11 @@ routines may have to be explicitly set in advance using either
 \&\fISSL_set_accept_state\fR\|(3).
 .SH "NOTES"
 .IX Header "NOTES"
-The behaviour of \fISSL_do_handshake()\fR depends on the underlying \s-1BIO\s0.
+The behaviour of \fISSL_do_handshake()\fR depends on the underlying \s-1BIO.\s0
 .PP
 If the underlying \s-1BIO\s0 is \fBblocking\fR, \fISSL_do_handshake()\fR will only return
-once the handshake has been finished or an error occurred, except for \s-1SGC\s0
-(Server Gated Cryptography). For \s-1SGC\s0, \fISSL_do_handshake()\fR may return with \-1,
+once the handshake has been finished or an error occurred, except for \s-1SGC
+\&\s0(Server Gated Cryptography). For \s-1SGC,\s0 \fISSL_do_handshake()\fR may return with \-1,
 but \fISSL_get_error()\fR will yield \fB\s-1SSL_ERROR_WANT_READ/WRITE\s0\fR and
 \&\fISSL_do_handshake()\fR should be called again.
 .PP
@@ -161,23 +170,23 @@ to continue the handshake. In this case a call to \fISSL_get_error()\fR with the
 return value of \fISSL_do_handshake()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
 \&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
 taking appropriate action to satisfy the needs of \fISSL_do_handshake()\fR.
-The action depends on the underlying \s-1BIO\s0. When using a non-blocking socket,
+The action depends on the underlying \s-1BIO.\s0 When using a non-blocking socket,
 nothing is to be done, but \fIselect()\fR can be used to check for the required
-condition. When using a buffering \s-1BIO\s0, like a \s-1BIO\s0 pair, data must be written
+condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
 into or retrieved out of the \s-1BIO\s0 before being able to continue.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 The following return values can occur:
-.IP "1." 4
-The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
-established.
-.IP "2." 4
+.IP "0" 4
 The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
 by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fISSL_get_error()\fR with the
 return value \fBret\fR to find out the reason.
-.IP "3." 4
-<0
-.Sp
+.IP "1" 4
+.IX Item "1"
+The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
+established.
+.IP "<0" 4
+.IX Item "<0"
 The \s-1TLS/SSL\s0 handshake was not successful because a fatal error occurred either
 at the protocol level or a connection failure occurred. The shutdown was
 not clean. It can also occur of action is need to continue the operation
@@ -188,12 +197,3 @@ to find out the reason.
 \&\fISSL_get_error\fR\|(3), \fISSL_connect\fR\|(3),
 \&\fISSL_accept\fR\|(3), \fIssl\fR\|(3), \fIbio\fR\|(3),
 \&\fISSL_set_connect_state\fR\|(3)
-.SH "POD ERRORS"
-.IX Header "POD ERRORS"
-Hey! \fBThe above document had some coding errors, which are explained below:\fR
-.IP "Around line 53:" 4
-.IX Item "Around line 53:"
-You have '=item 0' instead of the expected '=item 2'
-.IP "Around line 59:" 4
-.IX Item "Around line 59:"
-Expected '=item 3'
diff --git a/secure/lib/libssl/man/SSL_free.3 b/secure/lib/libssl/man/SSL_free.3
index 8b51ccd2a135..88a75dc02208 100644
--- a/secure/lib/libssl/man/SSL_free.3
+++ b/secure/lib/libssl/man/SSL_free.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_free 3"
-.TH SSL_free 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_free 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -146,7 +155,7 @@ reference count has reached 0.
 .SH "NOTES"
 .IX Header "NOTES"
 \&\fISSL_free()\fR also calls the \fIfree()\fRing procedures for indirectly affected items, if
-applicable: the buffering \s-1BIO\s0, the read and write BIOs,
+applicable: the buffering \s-1BIO,\s0 the read and write BIOs,
 cipher lists specially created for this \fBssl\fR, the \fB\s-1SSL_SESSION\s0\fR.
 Do not explicitly free these indirectly freed up items before or after
 calling \fISSL_free()\fR, as trying to free things twice may lead to program
@@ -158,7 +167,7 @@ session cache. If the session is considered bad, because
 \&\fISSL_shutdown\fR\|(3) was not called for the connection
 and \fISSL_set_shutdown\fR\|(3) was not used to set the
 \&\s-1SSL_SENT_SHUTDOWN\s0 state, the session will also be removed
-from the session cache as required by \s-1RFC2246\s0.
+from the session cache as required by \s-1RFC2246.\s0
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fISSL_free()\fR does not provide diagnostic information.
diff --git a/secure/lib/libssl/man/SSL_get_SSL_CTX.3 b/secure/lib/libssl/man/SSL_get_SSL_CTX.3
index 87a8545c2b35..2718f81319db 100644
--- a/secure/lib/libssl/man/SSL_get_SSL_CTX.3
+++ b/secure/lib/libssl/man/SSL_get_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_SSL_CTX 3"
-.TH SSL_get_SSL_CTX 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_SSL_CTX 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_ciphers.3 b/secure/lib/libssl/man/SSL_get_ciphers.3
index 91a9110a696b..29357a22073e 100644
--- a/secure/lib/libssl/man/SSL_get_ciphers.3
+++ b/secure/lib/libssl/man/SSL_get_ciphers.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_ciphers 3"
-.TH SSL_get_ciphers 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_ciphers 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -146,7 +155,7 @@ sorted by preference. If \fBssl\fR is \s-1NULL\s0 or no ciphers are available, \
 is returned.
 .PP
 \&\fISSL_get_cipher_list()\fR returns a pointer to the name of the \s-1SSL_CIPHER\s0
-listed for \fBssl\fR with \fBpriority\fR. If \fBssl\fR is \s-1NULL\s0, no ciphers are
+listed for \fBssl\fR with \fBpriority\fR. If \fBssl\fR is \s-1NULL,\s0 no ciphers are
 available, or there are less ciphers than \fBpriority\fR available, \s-1NULL\s0
 is returned.
 .SH "NOTES"
diff --git a/secure/lib/libssl/man/SSL_get_client_CA_list.3 b/secure/lib/libssl/man/SSL_get_client_CA_list.3
index 8b3426efeec0..4cf2930472f1 100644
--- a/secure/lib/libssl/man/SSL_get_client_CA_list.3
+++ b/secure/lib/libssl/man/SSL_get_client_CA_list.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_client_CA_list 3"
-.TH SSL_get_client_CA_list 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_client_CA_list 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_current_cipher.3 b/secure/lib/libssl/man/SSL_get_current_cipher.3
index cf7cdb7cdb3a..111a1670a7a4 100644
--- a/secure/lib/libssl/man/SSL_get_current_cipher.3
+++ b/secure/lib/libssl/man/SSL_get_current_cipher.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_current_cipher 3"
-.TH SSL_get_current_cipher 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_current_cipher 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -160,7 +169,7 @@ macro to obtain the number of secret/algorithm bits used and
 See \fISSL_CIPHER_get_name\fR\|(3) for more details.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
-\&\fISSL_get_current_cipher()\fR returns the cipher actually used or \s-1NULL\s0, when
+\&\fISSL_get_current_cipher()\fR returns the cipher actually used or \s-1NULL,\s0 when
 no session has been established.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
diff --git a/secure/lib/libssl/man/SSL_get_default_timeout.3 b/secure/lib/libssl/man/SSL_get_default_timeout.3
index 0867360da34e..c22b64e5f1b2 100644
--- a/secure/lib/libssl/man/SSL_get_default_timeout.3
+++ b/secure/lib/libssl/man/SSL_get_default_timeout.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_default_timeout 3"
-.TH SSL_get_default_timeout 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_default_timeout 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_error.3 b/secure/lib/libssl/man/SSL_get_error.3
index 31aa2f57b0e4..19ca75789d8f 100644
--- a/secure/lib/libssl/man/SSL_get_error.3
+++ b/secure/lib/libssl/man/SSL_get_error.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_error 3"
-.TH SSL_get_error 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_error 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -143,33 +152,33 @@ SSL_get_error \- obtain result code for TLS/SSL I/O operation
 \&\fISSL_get_error()\fR returns a result code (suitable for the C \*(L"switch\*(R"
 statement) for a preceding call to \fISSL_connect()\fR, \fISSL_accept()\fR, \fISSL_do_handshake()\fR,
 \&\fISSL_read()\fR, \fISSL_peek()\fR, or \fISSL_write()\fR on \fBssl\fR.  The value returned by
-that \s-1TLS/SSL\s0 I/O function must be passed to \fISSL_get_error()\fR in parameter
+that \s-1TLS/SSL I/O\s0 function must be passed to \fISSL_get_error()\fR in parameter
 \&\fBret\fR.
 .PP
 In addition to \fBssl\fR and \fBret\fR, \fISSL_get_error()\fR inspects the
 current thread's OpenSSL error queue.  Thus, \fISSL_get_error()\fR must be
-used in the same thread that performed the \s-1TLS/SSL\s0 I/O operation, and no
+used in the same thread that performed the \s-1TLS/SSL I/O\s0 operation, and no
 other OpenSSL function calls should appear in between.  The current
-thread's error queue must be empty before the \s-1TLS/SSL\s0 I/O operation is
+thread's error queue must be empty before the \s-1TLS/SSL I/O\s0 operation is
 attempted, or \fISSL_get_error()\fR will not work reliably.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 The following return values can currently occur:
 .IP "\s-1SSL_ERROR_NONE\s0" 4
 .IX Item "SSL_ERROR_NONE"
-The \s-1TLS/SSL\s0 I/O operation completed.  This result code is returned
+The \s-1TLS/SSL I/O\s0 operation completed.  This result code is returned
 if and only if \fBret > 0\fR.
 .IP "\s-1SSL_ERROR_ZERO_RETURN\s0" 4
 .IX Item "SSL_ERROR_ZERO_RETURN"
-The \s-1TLS/SSL\s0 connection has been closed.  If the protocol version is \s-1SSL\s0 3.0
-or \s-1TLS\s0 1.0, this result code is returned only if a closure
+The \s-1TLS/SSL\s0 connection has been closed.  If the protocol version is \s-1SSL 3.0\s0
+or \s-1TLS 1.0,\s0 this result code is returned only if a closure
 alert has occurred in the protocol, i.e. if the connection has been
 closed cleanly. Note that in this case \fB\s-1SSL_ERROR_ZERO_RETURN\s0\fR
 does not necessarily indicate that the underlying transport
 has been closed.
-.IP "\s-1SSL_ERROR_WANT_READ\s0, \s-1SSL_ERROR_WANT_WRITE\s0" 4
+.IP "\s-1SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE\s0" 4
 .IX Item "SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE"
-The operation did not complete; the same \s-1TLS/SSL\s0 I/O function should be
+The operation did not complete; the same \s-1TLS/SSL I/O\s0 function should be
 called again later.  If, by then, the underlying \fB\s-1BIO\s0\fR has data
 available for reading (if the result code is \fB\s-1SSL_ERROR_WANT_READ\s0\fR)
 or allows writing data (\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR), then some \s-1TLS/SSL\s0
@@ -182,21 +191,21 @@ protocol level.
 .Sp
 For socket \fB\s-1BIO\s0\fRs (e.g. when \fISSL_set_fd()\fR was used), \fIselect()\fR or
 \&\fIpoll()\fR on the underlying socket can be used to find out when the
-\&\s-1TLS/SSL\s0 I/O function should be retried.
+\&\s-1TLS/SSL I/O\s0 function should be retried.
 .Sp
-Caveat: Any \s-1TLS/SSL\s0 I/O function can lead to either of
+Caveat: Any \s-1TLS/SSL I/O\s0 function can lead to either of
 \&\fB\s-1SSL_ERROR_WANT_READ\s0\fR and \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR.  In particular,
 \&\fISSL_read()\fR or \fISSL_peek()\fR may want to write data and \fISSL_write()\fR may want
 to read data.  This is mainly because \s-1TLS/SSL\s0 handshakes may occur at any
 time during the protocol (initiated by either the client or the server);
 \&\fISSL_read()\fR, \fISSL_peek()\fR, and \fISSL_write()\fR will handle any pending handshakes.
-.IP "\s-1SSL_ERROR_WANT_CONNECT\s0, \s-1SSL_ERROR_WANT_ACCEPT\s0" 4
+.IP "\s-1SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT\s0" 4
 .IX Item "SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT"
-The operation did not complete; the same \s-1TLS/SSL\s0 I/O function should be
+The operation did not complete; the same \s-1TLS/SSL I/O\s0 function should be
 called again later. The underlying \s-1BIO\s0 was not connected yet to the peer
 and the call would block in \fIconnect()\fR/\fIaccept()\fR. The \s-1SSL\s0 function should be
 called again when the connection is established. These messages can only
-appear with a \fIBIO_s_connect()\fR or \fIBIO_s_accept()\fR \s-1BIO\s0, respectively.
+appear with a \fIBIO_s_connect()\fR or \fIBIO_s_accept()\fR \s-1BIO,\s0 respectively.
 In order to find out, when the connection has been successfully established,
 on many platforms \fIselect()\fR or \fIpoll()\fR for writing on the socket file descriptor
 can be used.
@@ -204,7 +213,7 @@ can be used.
 .IX Item "SSL_ERROR_WANT_X509_LOOKUP"
 The operation did not complete because an application callback set by
 \&\fISSL_CTX_set_client_cert_cb()\fR has asked to be called again.
-The \s-1TLS/SSL\s0 I/O function should be called again later.
+The \s-1TLS/SSL I/O\s0 function should be called again later.
 Details depend on the application.
 .IP "\s-1SSL_ERROR_SYSCALL\s0" 4
 .IX Item "SSL_ERROR_SYSCALL"
diff --git a/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
index 84e28a92f7a5..8c07fe3275e7 100644
--- a/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
+++ b/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_ex_data_X509_STORE_CTX_idx 3"
-.TH SSL_get_ex_data_X509_STORE_CTX_idx 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_ex_data_X509_STORE_CTX_idx 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_ex_new_index.3 b/secure/lib/libssl/man/SSL_get_ex_new_index.3
index 8e468ca6b193..6c047e8f5150 100644
--- a/secure/lib/libssl/man/SSL_get_ex_new_index.3
+++ b/secure/lib/libssl/man/SSL_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_ex_new_index 3"
-.TH SSL_get_ex_new_index 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_ex_new_index 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_fd.3 b/secure/lib/libssl/man/SSL_get_fd.3
index e13b4aba433f..bdc348501d7a 100644
--- a/secure/lib/libssl/man/SSL_get_fd.3
+++ b/secure/lib/libssl/man/SSL_get_fd.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_fd 3"
-.TH SSL_get_fd 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_fd 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 b/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
index ea0d7a2e4c87..c7df20c823d1 100644
--- a/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
+++ b/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_peer_cert_chain 3"
-.TH SSL_get_peer_cert_chain 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_peer_cert_chain 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -136,11 +145,11 @@ SSL_get_peer_cert_chain \- get the X509 certificate chain of the peer
 .Vb 1
 \& #include <openssl/ssl.h>
 \&
-\& STACKOF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
+\& STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\fISSL_get_peer_cert_chain()\fR returns a pointer to \s-1STACKOF\s0(X509) certificates
+\&\fISSL_get_peer_cert_chain()\fR returns a pointer to \s-1STACK_OF\s0(X509) certificates
 forming the certificate chain of the peer. If called on the client side,
 the stack also contains the peer's certificate; if called on the server
 side, the peer's certificate must be obtained separately using
@@ -151,7 +160,7 @@ If the peer did not present a certificate, \s-1NULL\s0 is returned.
 The peer certificate chain is not necessarily available after reusing
 a session, in which case a \s-1NULL\s0 pointer is returned.
 .PP
-The reference count of the \s-1STACKOF\s0(X509) object is not incremented.
+The reference count of the \s-1STACK_OF\s0(X509) object is not incremented.
 If the corresponding session is freed, the pointer must not be used
 any longer.
 .SH "RETURN VALUES"
@@ -161,8 +170,8 @@ The following return values can occur:
 .IX Item "NULL"
 No certificate was presented by the peer or no connection was established
 or the certificate chain is no longer available when a session is reused.
-.IP "Pointer to a \s-1STACKOF\s0(X509)" 4
-.IX Item "Pointer to a STACKOF(X509)"
+.IP "Pointer to a \s-1STACK_OF\s0(X509)" 4
+.IX Item "Pointer to a STACK_OF(X509)"
 The return value points to the certificate chain presented by the peer.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
diff --git a/secure/lib/libssl/man/SSL_get_peer_certificate.3 b/secure/lib/libssl/man/SSL_get_peer_certificate.3
index 2591de4e72ac..a698c2f06749 100644
--- a/secure/lib/libssl/man/SSL_get_peer_certificate.3
+++ b/secure/lib/libssl/man/SSL_get_peer_certificate.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_peer_certificate 3"
-.TH SSL_get_peer_certificate 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_peer_certificate 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_psk_identity.3 b/secure/lib/libssl/man/SSL_get_psk_identity.3
index fdd289835601..921c43c0181d 100644
--- a/secure/lib/libssl/man/SSL_get_psk_identity.3
+++ b/secure/lib/libssl/man/SSL_get_psk_identity.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_psk_identity 3"
-.TH SSL_get_psk_identity 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_psk_identity 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_rbio.3 b/secure/lib/libssl/man/SSL_get_rbio.3
index 5e7a93189055..519d9b7ac872 100644
--- a/secure/lib/libssl/man/SSL_get_rbio.3
+++ b/secure/lib/libssl/man/SSL_get_rbio.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_rbio 3"
-.TH SSL_get_rbio 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_rbio 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_session.3 b/secure/lib/libssl/man/SSL_get_session.3
index 6e12f6ead9d7..0686c9c1a28c 100644
--- a/secure/lib/libssl/man/SSL_get_session.3
+++ b/secure/lib/libssl/man/SSL_get_session.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_session 3"
-.TH SSL_get_session 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_session 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_verify_result.3 b/secure/lib/libssl/man/SSL_get_verify_result.3
index 8d035598e9f7..33671e8245e7 100644
--- a/secure/lib/libssl/man/SSL_get_verify_result.3
+++ b/secure/lib/libssl/man/SSL_get_verify_result.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_verify_result 3"
-.TH SSL_get_verify_result 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_verify_result 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_get_version.3 b/secure/lib/libssl/man/SSL_get_version.3
index d13e69797490..a211e72e228f 100644
--- a/secure/lib/libssl/man/SSL_get_version.3
+++ b/secure/lib/libssl/man/SSL_get_version.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_get_version 3"
-.TH SSL_get_version 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_get_version 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -140,11 +149,11 @@ SSL_get_version \- get the protocol version of a connection.
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\fISSL_get_cipher_version()\fR returns the name of the protocol used for the
+\&\fISSL_get_version()\fR returns the name of the protocol used for the
 connection \fBssl\fR.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
-The following strings can occur:
+The following strings can be returned:
 .IP "SSLv2" 4
 .IX Item "SSLv2"
 The connection uses the SSLv2 protocol.
@@ -153,7 +162,13 @@ The connection uses the SSLv2 protocol.
 The connection uses the SSLv3 protocol.
 .IP "TLSv1" 4
 .IX Item "TLSv1"
-The connection uses the TLSv1 protocol.
+The connection uses the TLSv1.0 protocol.
+.IP "TLSv1.1" 4
+.IX Item "TLSv1.1"
+The connection uses the TLSv1.1 protocol.
+.IP "TLSv1.2" 4
+.IX Item "TLSv1.2"
+The connection uses the TLSv1.2 protocol.
 .IP "unknown" 4
 .IX Item "unknown"
 This indicates that no version has been set (no connection established).
diff --git a/secure/lib/libssl/man/SSL_library_init.3 b/secure/lib/libssl/man/SSL_library_init.3
index c78aaacd4474..fc1296906fc6 100644
--- a/secure/lib/libssl/man/SSL_library_init.3
+++ b/secure/lib/libssl/man/SSL_library_init.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_library_init 3"
-.TH SSL_library_init 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_library_init 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -154,7 +163,7 @@ for \fISSL_library_init()\fR.
 .SH "WARNING"
 .IX Header "WARNING"
 \&\fISSL_library_init()\fR adds ciphers and digests used directly and indirectly by
-\&\s-1SSL/TLS\s0.
+\&\s-1SSL/TLS.\s0
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 A typical \s-1TLS/SSL\s0 application will start with the library initialization,
diff --git a/secure/lib/libssl/man/SSL_load_client_CA_file.3 b/secure/lib/libssl/man/SSL_load_client_CA_file.3
index a2eb349eea9c..550de3221fa8 100644
--- a/secure/lib/libssl/man/SSL_load_client_CA_file.3
+++ b/secure/lib/libssl/man/SSL_load_client_CA_file.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_load_client_CA_file 3"
-.TH SSL_load_client_CA_file 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_load_client_CA_file 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_new.3 b/secure/lib/libssl/man/SSL_new.3
index 84e7d0557631..8c2f80b00850 100644
--- a/secure/lib/libssl/man/SSL_new.3
+++ b/secure/lib/libssl/man/SSL_new.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_new 3"
-.TH SSL_new 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_new 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_pending.3 b/secure/lib/libssl/man/SSL_pending.3
index 0295bd7c6e0f..15c27d7ae961 100644
--- a/secure/lib/libssl/man/SSL_pending.3
+++ b/secure/lib/libssl/man/SSL_pending.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_pending 3"
-.TH SSL_pending 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_pending 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_read.3 b/secure/lib/libssl/man/SSL_read.3
index db39b21b09d5..e30ee8de4ba7 100644
--- a/secure/lib/libssl/man/SSL_read.3
+++ b/secure/lib/libssl/man/SSL_read.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_read 3"
-.TH SSL_read 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_read 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -149,7 +158,7 @@ not already explicitly performed by \fISSL_connect\fR\|(3) or
 \&\fISSL_accept\fR\|(3). If the
 peer requests a re-negotiation, it will be performed transparently during
 the \fISSL_read()\fR operation. The behaviour of \fISSL_read()\fR depends on the
-underlying \s-1BIO\s0.
+underlying \s-1BIO. \s0
 .PP
 For the transparent negotiation to succeed, the \fBssl\fR must have been
 initialized to client or server mode. This is being done by calling
@@ -186,9 +195,9 @@ return value of \fISSL_read()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
 \&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. As at any time a re-negotiation is possible, a
 call to \fISSL_read()\fR can also cause write operations! The calling process
 then must repeat the call after taking appropriate action to satisfy the
-needs of \fISSL_read()\fR. The action depends on the underlying \s-1BIO\s0. When using a
+needs of \fISSL_read()\fR. The action depends on the underlying \s-1BIO.\s0 When using a
 non-blocking socket, nothing is to be done, but \fIselect()\fR can be used to check
-for the required condition. When using a buffering \s-1BIO\s0, like a \s-1BIO\s0 pair, data
+for the required condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data
 must be written into or retrieved out of the \s-1BIO\s0 before being able to continue.
 .PP
 \&\fISSL_pending\fR\|(3) can be used to find out whether there
diff --git a/secure/lib/libssl/man/SSL_rstate_string.3 b/secure/lib/libssl/man/SSL_rstate_string.3
index 69fd23922169..7ca905888150 100644
--- a/secure/lib/libssl/man/SSL_rstate_string.3
+++ b/secure/lib/libssl/man/SSL_rstate_string.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_rstate_string 3"
-.TH SSL_rstate_string 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_rstate_string 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -150,23 +159,23 @@ the \s-1SSL\s0 object \fBssl\fR.
 .IX Header "NOTES"
 When performing a read operation, the \s-1SSL/TLS\s0 engine must parse the record,
 consisting of header and body. When working in a blocking environment,
-SSL_rstate_string[_long]() should always return \*(L"\s-1RD\s0\*(R"/\*(L"read done\*(R".
+SSL_rstate_string[_long]() should always return \*(L"\s-1RD\*(R"/\s0\*(L"read done\*(R".
 .PP
 This function should only seldom be needed in applications.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fISSL_rstate_string()\fR and \fISSL_rstate_string_long()\fR can return the following
 values:
-.ie n .IP """\s-1RH\s0""/""read header""" 4
-.el .IP "``\s-1RH\s0''/``read header''" 4
+.ie n .IP """\s-1RH""/\s0""read header""" 4
+.el .IP "``\s-1RH''/\s0``read header''" 4
 .IX Item "RH/read header"
 The header of the record is being evaluated.
-.ie n .IP """\s-1RB\s0""/""read body""" 4
-.el .IP "``\s-1RB\s0''/``read body''" 4
+.ie n .IP """\s-1RB""/\s0""read body""" 4
+.el .IP "``\s-1RB''/\s0``read body''" 4
 .IX Item "RB/read body"
 The body of the record is being evaluated.
-.ie n .IP """\s-1RD\s0""/""read done""" 4
-.el .IP "``\s-1RD\s0''/``read done''" 4
+.ie n .IP """\s-1RD""/\s0""read done""" 4
+.el .IP "``\s-1RD''/\s0``read done''" 4
 .IX Item "RD/read done"
 The record has been completely processed.
 .ie n .IP """unknown""/""unknown""" 4
diff --git a/secure/lib/libssl/man/SSL_session_reused.3 b/secure/lib/libssl/man/SSL_session_reused.3
index b14d7f8203f1..423654b9a04c 100644
--- a/secure/lib/libssl/man/SSL_session_reused.3
+++ b/secure/lib/libssl/man/SSL_session_reused.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_session_reused 3"
-.TH SSL_session_reused 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_session_reused 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_set_bio.3 b/secure/lib/libssl/man/SSL_set_bio.3
index b2d91bc7ab29..db6a0227f2a3 100644
--- a/secure/lib/libssl/man/SSL_set_bio.3
+++ b/secure/lib/libssl/man/SSL_set_bio.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_set_bio 3"
-.TH SSL_set_bio 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_set_bio 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -141,7 +150,7 @@ SSL_set_bio \- connect the SSL object with a BIO
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fISSL_set_bio()\fR connects the BIOs \fBrbio\fR and \fBwbio\fR for the read and write
-operations of the \s-1TLS/SSL\s0 (encrypted) side of \fBssl\fR.
+operations of the \s-1TLS/SSL \s0(encrypted) side of \fBssl\fR.
 .PP
 The \s-1SSL\s0 engine inherits the behaviour of \fBrbio\fR and \fBwbio\fR, respectively.
 If a \s-1BIO\s0 is non-blocking, the \fBssl\fR will also have non-blocking behaviour.
diff --git a/secure/lib/libssl/man/SSL_set_connect_state.3 b/secure/lib/libssl/man/SSL_set_connect_state.3
index 795c2ec2dcfd..6a39bd068962 100644
--- a/secure/lib/libssl/man/SSL_set_connect_state.3
+++ b/secure/lib/libssl/man/SSL_set_connect_state.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_set_connect_state 3"
-.TH SSL_set_connect_state 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_set_connect_state 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_set_fd.3 b/secure/lib/libssl/man/SSL_set_fd.3
index 545e0cfe68ca..75234ef3384f 100644
--- a/secure/lib/libssl/man/SSL_set_fd.3
+++ b/secure/lib/libssl/man/SSL_set_fd.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_set_fd 3"
-.TH SSL_set_fd 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_set_fd 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -143,7 +152,7 @@ SSL_set_fd \- connect the SSL object with a file descriptor
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 \&\fISSL_set_fd()\fR sets the file descriptor \fBfd\fR as the input/output facility
-for the \s-1TLS/SSL\s0 (encrypted) side of \fBssl\fR. \fBfd\fR will typically be the
+for the \s-1TLS/SSL \s0(encrypted) side of \fBssl\fR. \fBfd\fR will typically be the
 socket file descriptor of a network connection.
 .PP
 When performing the operation, a \fBsocket \s-1BIO\s0\fR is automatically created to
diff --git a/secure/lib/libssl/man/SSL_set_session.3 b/secure/lib/libssl/man/SSL_set_session.3
index cd651a7843e1..e890f363b333 100644
--- a/secure/lib/libssl/man/SSL_set_session.3
+++ b/secure/lib/libssl/man/SSL_set_session.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_set_session 3"
-.TH SSL_set_session 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_set_session 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_set_shutdown.3 b/secure/lib/libssl/man/SSL_set_shutdown.3
index 9f4af468f3fe..ba0ef99fcdd4 100644
--- a/secure/lib/libssl/man/SSL_set_shutdown.3
+++ b/secure/lib/libssl/man/SSL_set_shutdown.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_set_shutdown 3"
-.TH SSL_set_shutdown 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_set_shutdown 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -164,9 +173,9 @@ or a fatal error.
 The shutdown state of the connection is used to determine the state of
 the ssl session. If the session is still open, when
 \&\fISSL_clear\fR\|(3) or \fISSL_free\fR\|(3) is called,
-it is considered bad and removed according to \s-1RFC2246\s0.
-The actual condition for a correctly closed session is \s-1SSL_SENT_SHUTDOWN\s0
-(according to the \s-1TLS\s0 \s-1RFC\s0, it is acceptable to only send the \*(L"close notify\*(R"
+it is considered bad and removed according to \s-1RFC2246.\s0
+The actual condition for a correctly closed session is \s-1SSL_SENT_SHUTDOWN
+\&\s0(according to the \s-1TLS RFC,\s0 it is acceptable to only send the \*(L"close notify\*(R"
 alert but to not wait for the peer's answer, when the underlying connection
 is closed).
 \&\fISSL_set_shutdown()\fR can be used to set this state without sending a
diff --git a/secure/lib/libssl/man/SSL_set_verify_result.3 b/secure/lib/libssl/man/SSL_set_verify_result.3
index 0f0c46ac6b7d..1e756041cd0b 100644
--- a/secure/lib/libssl/man/SSL_set_verify_result.3
+++ b/secure/lib/libssl/man/SSL_set_verify_result.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_set_verify_result 3"
-.TH SSL_set_verify_result 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_set_verify_result 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_shutdown.3 b/secure/lib/libssl/man/SSL_shutdown.3
index 7e7e32c351c0..fff9a6e6395d 100644
--- a/secure/lib/libssl/man/SSL_shutdown.3
+++ b/secure/lib/libssl/man/SSL_shutdown.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_shutdown 3"
-.TH SSL_shutdown 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_shutdown 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -176,7 +185,7 @@ complete (return value of the first call is 0). As the shutdown is not
 specially handled in the SSLv2 protocol, \fISSL_shutdown()\fR will succeed on
 the first call.
 .PP
-The behaviour of \fISSL_shutdown()\fR additionally depends on the underlying \s-1BIO\s0.
+The behaviour of \fISSL_shutdown()\fR additionally depends on the underlying \s-1BIO. \s0
 .PP
 If the underlying \s-1BIO\s0 is \fBblocking\fR, \fISSL_shutdown()\fR will only return once the
 handshake step has been finished or an error occurred.
@@ -187,9 +196,9 @@ to continue the handshake. In this case a call to \fISSL_get_error()\fR with the
 return value of \fISSL_shutdown()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
 \&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
 taking appropriate action to satisfy the needs of \fISSL_shutdown()\fR.
-The action depends on the underlying \s-1BIO\s0. When using a non-blocking socket,
+The action depends on the underlying \s-1BIO.\s0 When using a non-blocking socket,
 nothing is to be done, but \fIselect()\fR can be used to check for the required
-condition. When using a buffering \s-1BIO\s0, like a \s-1BIO\s0 pair, data must be written
+condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
 into or retrieved out of the \s-1BIO\s0 before being able to continue.
 .PP
 \&\fISSL_shutdown()\fR can be modified to only set the connection to \*(L"shutdown\*(R"
@@ -200,17 +209,17 @@ and return 1.
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 The following return values can occur:
-.IP "1." 4
-The shutdown was successfully completed. The \*(L"close notify\*(R" alert was sent
-and the peer's \*(L"close notify\*(R" alert was received.
-.IP "2." 4
+.IP "0" 4
 The shutdown is not yet finished. Call \fISSL_shutdown()\fR for a second time,
 if a bidirectional shutdown shall be performed.
 The output of \fISSL_get_error\fR\|(3) may be misleading, as an
 erroneous \s-1SSL_ERROR_SYSCALL\s0 may be flagged even though no error occurred.
-.IP "3." 4
-\&\-1
-.Sp
+.IP "1" 4
+.IX Item "1"
+The shutdown was successfully completed. The \*(L"close notify\*(R" alert was sent
+and the peer's \*(L"close notify\*(R" alert was received.
+.IP "\-1" 4
+.IX Item "-1"
 The shutdown was not successful because a fatal error occurred either
 at the protocol level or a connection failure occurred. It can also occur if
 action is need to continue the operation for non-blocking BIOs.
@@ -223,12 +232,3 @@ to find out the reason.
 \&\fISSL_CTX_set_quiet_shutdown\fR\|(3),
 \&\fISSL_clear\fR\|(3), \fISSL_free\fR\|(3),
 \&\fIssl\fR\|(3), \fIbio\fR\|(3)
-.SH "POD ERRORS"
-.IX Header "POD ERRORS"
-Hey! \fBThe above document had some coding errors, which are explained below:\fR
-.IP "Around line 100:" 4
-.IX Item "Around line 100:"
-You have '=item 0' instead of the expected '=item 2'
-.IP "Around line 107:" 4
-.IX Item "Around line 107:"
-Expected '=item 3'
diff --git a/secure/lib/libssl/man/SSL_state_string.3 b/secure/lib/libssl/man/SSL_state_string.3
index d0da2b323b56..5bfb39d17be7 100644
--- a/secure/lib/libssl/man/SSL_state_string.3
+++ b/secure/lib/libssl/man/SSL_state_string.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_state_string 3"
-.TH SSL_state_string 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_state_string 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/lib/libssl/man/SSL_want.3 b/secure/lib/libssl/man/SSL_want.3
index 63fa25844d9f..3ef2db0c03fb 100644
--- a/secure/lib/libssl/man/SSL_want.3
+++ b/secure/lib/libssl/man/SSL_want.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_want 3"
-.TH SSL_want 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_want 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -171,19 +180,19 @@ There is no data to be written or to be read.
 There are data in the \s-1SSL\s0 buffer that must be written to the underlying
 \&\fB\s-1BIO\s0\fR layer in order to complete the actual SSL_*() operation.
 A call to \fISSL_get_error\fR\|(3) should return
-\&\s-1SSL_ERROR_WANT_WRITE\s0.
+\&\s-1SSL_ERROR_WANT_WRITE.\s0
 .IP "\s-1SSL_READING\s0" 4
 .IX Item "SSL_READING"
 More data must be read from the underlying \fB\s-1BIO\s0\fR layer in order to
 complete the actual SSL_*() operation.
 A call to \fISSL_get_error\fR\|(3) should return
-\&\s-1SSL_ERROR_WANT_READ\s0.
+\&\s-1SSL_ERROR_WANT_READ.\s0
 .IP "\s-1SSL_X509_LOOKUP\s0" 4
 .IX Item "SSL_X509_LOOKUP"
 The operation did not complete because an application callback set by
 \&\fISSL_CTX_set_client_cert_cb()\fR has asked to be called again.
 A call to \fISSL_get_error\fR\|(3) should return
-\&\s-1SSL_ERROR_WANT_X509_LOOKUP\s0.
+\&\s-1SSL_ERROR_WANT_X509_LOOKUP.\s0
 .PP
 \&\fISSL_want_nothing()\fR, \fISSL_want_read()\fR, \fISSL_want_write()\fR, \fISSL_want_x509_lookup()\fR
 return 1, when the corresponding condition is true or 0 otherwise.
diff --git a/secure/lib/libssl/man/SSL_write.3 b/secure/lib/libssl/man/SSL_write.3
index e406f8534a62..d83ada787ce5 100644
--- a/secure/lib/libssl/man/SSL_write.3
+++ b/secure/lib/libssl/man/SSL_write.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_write 3"
-.TH SSL_write 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_write 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -149,7 +158,7 @@ not already explicitly performed by \fISSL_connect\fR\|(3) or
 \&\fISSL_accept\fR\|(3). If the
 peer requests a re-negotiation, it will be performed transparently during
 the \fISSL_write()\fR operation. The behaviour of \fISSL_write()\fR depends on the
-underlying \s-1BIO\s0.
+underlying \s-1BIO. \s0
 .PP
 For the transparent negotiation to succeed, the \fBssl\fR must have been
 initialized to client or server mode. This is being done by calling
@@ -170,9 +179,9 @@ return value of \fISSL_write()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
 \&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. As at any time a re-negotiation is possible, a
 call to \fISSL_write()\fR can also cause read operations! The calling process
 then must repeat the call after taking appropriate action to satisfy the
-needs of \fISSL_write()\fR. The action depends on the underlying \s-1BIO\s0. When using a
+needs of \fISSL_write()\fR. The action depends on the underlying \s-1BIO.\s0 When using a
 non-blocking socket, nothing is to be done, but \fIselect()\fR can be used to check
-for the required condition. When using a buffering \s-1BIO\s0, like a \s-1BIO\s0 pair, data
+for the required condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data
 must be written into or retrieved out of the \s-1BIO\s0 before being able to continue.
 .PP
 \&\fISSL_write()\fR will only return with success, when the complete contents
diff --git a/secure/lib/libssl/man/d2i_SSL_SESSION.3 b/secure/lib/libssl/man/d2i_SSL_SESSION.3
index bd49fe539386..815ac8612a88 100644
--- a/secure/lib/libssl/man/d2i_SSL_SESSION.3
+++ b/secure/lib/libssl/man/d2i_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "d2i_SSL_SESSION 3"
-.TH d2i_SSL_SESSION 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH d2i_SSL_SESSION 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -175,6 +184,16 @@ known limit on the size of the created \s-1ASN1\s0 representation, so the necess
 amount of space should be obtained by first calling \fIi2d_SSL_SESSION()\fR with
 \&\fBpp=NULL\fR, and obtain the size needed, then allocate the memory and
 call \fIi2d_SSL_SESSION()\fR again.
+Note that this will advance the value contained in \fB*pp\fR so it is necessary
+to save a copy of the original allocation.
+For example:
+ int i,j;
+ char *p, *temp;
+ i = i2d_SSL_SESSION(sess, \s-1NULL\s0);
+ p = temp = malloc(i);
+ j = i2d_SSL_SESSION(sess, &temp);
+ assert(i == j);
+ assert(p+i == temp);
 .SH "RETURN VALUES"
 .IX Header "RETURN VALUES"
 \&\fId2i_SSL_SESSION()\fR returns a pointer to the newly allocated \s-1SSL_SESSION\s0
diff --git a/secure/lib/libssl/man/ssl.3 b/secure/lib/libssl/man/ssl.3
index 6eb6e801adc9..6da98de12822 100644
--- a/secure/lib/libssl/man/ssl.3
+++ b/secure/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ssl 3"
-.TH ssl 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ssl 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -187,7 +196,7 @@ connection: \fB\s-1SSL_CIPHER\s0\fRs, client and server certificates, keys, etc.
 .IP "\fB\s-1SSL\s0\fR (\s-1SSL\s0 Connection)" 4
 .IX Item "SSL (SSL Connection)"
 That's the main \s-1SSL/TLS\s0 structure which is created by a server or client per
-established connection. This actually is the core structure in the \s-1SSL\s0 \s-1API\s0.
+established connection. This actually is the core structure in the \s-1SSL API.\s0
 Under run-time the application usually deals with this structure which has
 links to mostly all other structures.
 .SH "HEADER FILES"
@@ -196,10 +205,10 @@ Currently the OpenSSL \fBssl\fR library provides the following C header files
 containing the prototypes for the data structures and and functions:
 .IP "\fBssl.h\fR" 4
 .IX Item "ssl.h"
-That's the common header file for the \s-1SSL/TLS\s0 \s-1API\s0.  Include it into your
+That's the common header file for the \s-1SSL/TLS API. \s0 Include it into your
 program to make the \s-1API\s0 of the \fBssl\fR library available. It internally
 includes both more private \s-1SSL\s0 headers and headers from the \fBcrypto\fR library.
-Whenever you need hard-core details on the internals of the \s-1SSL\s0 \s-1API\s0, look
+Whenever you need hard-core details on the internals of the \s-1SSL API,\s0 look
 inside this header file.
 .IP "\fBssl2.h\fR" 4
 .IX Item "ssl2.h"
@@ -226,7 +235,7 @@ it's already included by ssl.h\fR.
 .IX Header "API FUNCTIONS"
 Currently the OpenSSL \fBssl\fR library exports 214 \s-1API\s0 functions.
 They are documented in the following:
-.SS "\s-1DEALING\s0 \s-1WITH\s0 \s-1PROTOCOL\s0 \s-1METHODS\s0"
+.SS "\s-1DEALING WITH PROTOCOL METHODS\s0"
 .IX Subsection "DEALING WITH PROTOCOL METHODS"
 Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
 protocol methods defined in \fB\s-1SSL_METHOD\s0\fR structures.
@@ -257,7 +266,7 @@ Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for a dedicated server.
 .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_method\fR(void);" 4
 .IX Item "const SSL_METHOD *TLSv1_method(void);"
 Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for combined client and server.
-.SS "\s-1DEALING\s0 \s-1WITH\s0 \s-1CIPHERS\s0"
+.SS "\s-1DEALING WITH CIPHERS\s0"
 .IX Subsection "DEALING WITH CIPHERS"
 Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
 ciphers defined in \fB\s-1SSL_CIPHER\s0\fR structures.
@@ -280,7 +289,7 @@ definitions in the header files.
 Returns a string like "\f(CW\*(C`TLSv1/SSLv3\*(C'\fR\*(L" or \*(R"\f(CW\*(C`SSLv2\*(C'\fR" which indicates the
 \&\s-1SSL/TLS\s0 protocol version to which \fIcipher\fR belongs (i.e. where it was defined
 in the specification the first time).
-.SS "\s-1DEALING\s0 \s-1WITH\s0 \s-1PROTOCOL\s0 \s-1CONTEXTS\s0"
+.SS "\s-1DEALING WITH PROTOCOL CONTEXTS\s0"
 .IX Subsection "DEALING WITH PROTOCOL CONTEXTS"
 Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
 protocol context defined in the \fB\s-1SSL_CTX\s0\fR structure.
@@ -459,7 +468,7 @@ session instead of a context.
 .IP "void \fBSSL_CTX_set_psk_server_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4
 .IX Item "void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));"
 .PD
-.SS "\s-1DEALING\s0 \s-1WITH\s0 \s-1SESSIONS\s0"
+.SS "\s-1DEALING WITH SESSIONS\s0"
 .IX Subsection "DEALING WITH SESSIONS"
 Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
 sessions defined in the \fB\s-1SSL_SESSION\s0\fR structures.
@@ -495,7 +504,7 @@ sessions defined in the \fB\s-1SSL_SESSION\s0\fR structures.
 .IP "long \fBSSL_SESSION_set_timeout\fR(\s-1SSL_SESSION\s0 *s, long t);" 4
 .IX Item "long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);"
 .PD
-.SS "\s-1DEALING\s0 \s-1WITH\s0 \s-1CONNECTIONS\s0"
+.SS "\s-1DEALING WITH CONNECTIONS\s0"
 .IX Subsection "DEALING WITH CONNECTIONS"
 Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
 connection defined in the \fB\s-1SSL\s0\fR structure.
diff --git a/secure/usr.bin/openssl/Makefile.man b/secure/usr.bin/openssl/Makefile.man
index 5903f664ba07..a7b249c9872d 100644
--- a/secure/usr.bin/openssl/Makefile.man
+++ b/secure/usr.bin/openssl/Makefile.man
@@ -2,6 +2,7 @@
 # DO NOT EDIT: generated from man-makefile-update target
 MAN+= CA.pl.1
 MAN+= asn1parse.1
+MAN+= c_rehash.1
 MAN+= ca.1
 MAN+= ciphers.1
 MAN+= cms.1
@@ -45,10 +46,15 @@ MAN+= verify.1
 MAN+= version.1
 MAN+= x509.1
 MAN+= x509v3_config.1
-MLINKS+= dgst.1 md5.1
-MLINKS+= dgst.1 md4.1
-MLINKS+= dgst.1 md2.1
-MLINKS+= dgst.1 sha1.1
 MLINKS+= dgst.1 sha.1
+MLINKS+= dgst.1 sha1.1
 MLINKS+= dgst.1 mdc2.1
 MLINKS+= dgst.1 ripemd160.1
+MLINKS+= dgst.1 sha224.1
+MLINKS+= dgst.1 sha256.1
+MLINKS+= dgst.1 sha384.1
+MLINKS+= dgst.1 sha512.1
+MLINKS+= dgst.1 md2.1
+MLINKS+= dgst.1 md4.1
+MLINKS+= dgst.1 md5.1
+MLINKS+= dgst.1 dss1.1
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
index 86c446e8c41a..1c616130656e 100644
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CA.PL 1"
-.TH CA.PL 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CA.PL 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -196,7 +205,7 @@ to standard output.
 .IX Item "-signCA"
 this option is the same as the \fB\-signreq\fR option except it uses the configuration
 file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This
-is useful when creating intermediate \s-1CA\s0 from a root \s-1CA\s0.
+is useful when creating intermediate \s-1CA\s0 from a root \s-1CA.\s0
 .IP "\fB\-signcert\fR" 4
 .IX Item "-signcert"
 this option is the same as \fB\-sign\fR except it expects a self signed certificate
@@ -216,7 +225,7 @@ Create a \s-1CA\s0 hierarchy:
 \& CA.pl \-newca
 .Ve
 .PP
-Complete certificate creation example: create a \s-1CA\s0, create a request, sign
+Complete certificate creation example: create a \s-1CA,\s0 create a request, sign
 the request and finally create a PKCS#12 file containing it.
 .PP
 .Vb 4
@@ -237,7 +246,7 @@ Create some \s-1DSA\s0 parameters:
 \& openssl dsaparam \-out dsap.pem 1024
 .Ve
 .PP
-Create a \s-1DSA\s0 \s-1CA\s0 certificate and private key:
+Create a \s-1DSA CA\s0 certificate and private key:
 .PP
 .Vb 1
 \& openssl req \-x509 \-newkey dsa:dsap.pem \-keyout cacert.pem \-out cacert.pem
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1
index f5810dcf3497..55dcd0283938 100644
--- a/secure/usr.bin/openssl/man/asn1parse.1
+++ b/secure/usr.bin/openssl/man/asn1parse.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ASN1PARSE 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -142,13 +151,15 @@ asn1parse \- ASN.1 parsing tool
 [\fB\-length number\fR]
 [\fB\-i\fR]
 [\fB\-oid filename\fR]
+[\fB\-dump\fR]
+[\fB\-dlimit num\fR]
 [\fB\-strparse offset\fR]
 [\fB\-genstr string\fR]
 [\fB\-genconf file\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN\s0.1
-structures. It can also be used to extract data from \s-1ASN\s0.1 formatted data.
+The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN.1\s0
+structures. It can also be used to extract data from \s-1ASN.1\s0 formatted data.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
 .IP "\fB\-inform\fR \fBDER|PEM\fR" 4
@@ -179,9 +190,15 @@ indents the output according to the \*(L"depth\*(R" of the structures.
 .IX Item "-oid filename"
 a file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this
 file is described in the \s-1NOTES\s0 section below.
+.IP "\fB\-dump\fR" 4
+.IX Item "-dump"
+dump unknown data in hex format.
+.IP "\fB\-dlimit num\fR" 4
+.IX Item "-dlimit num"
+like \fB\-dump\fR, but only the first \fBnum\fR bytes are output.
 .IP "\fB\-strparse offset\fR" 4
 .IX Item "-strparse offset"
-parse the contents octets of the \s-1ASN\s0.1 object starting at \fBoffset\fR. This
+parse the contents octets of the \s-1ASN.1\s0 object starting at \fBoffset\fR. This
 option can be used multiple times to \*(L"drill down\*(R" into a nested structure.
 .IP "\fB\-genstr string\fR, \fB\-genconf file\fR" 4
 .IX Item "-genstr string, -genconf file"
@@ -218,15 +235,15 @@ The output will typically contain lines like this:
 .PP
 This example is part of a self signed certificate. Each line starts with the
 offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased
-within the scope of any \s-1SET\s0 or \s-1SEQUENCE\s0. \fBhl=XX\fR gives the header length
+within the scope of any \s-1SET\s0 or \s-1SEQUENCE. \s0\fBhl=XX\fR gives the header length
 (tag and length octets) of the current type. \fBl=XX\fR gives the length of
 the contents octets.
 .PP
 The \fB\-i\fR option can be used to make the output more readable.
 .PP
-Some knowledge of the \s-1ASN\s0.1 structure is needed to interpret the output.
+Some knowledge of the \s-1ASN.1\s0 structure is needed to interpret the output.
 .PP
-In this example the \s-1BIT\s0 \s-1STRING\s0 at offset 229 is the certificate public key.
+In this example the \s-1BIT STRING\s0 at offset 229 is the certificate public key.
 The contents octets of this will contain the public key information. This can
 be examined using the option \fB\-strparse 229\fR to yield:
 .PP
@@ -291,7 +308,7 @@ Example config file:
 .SH "BUGS"
 .IX Header "BUGS"
 There should be options to change the format of output lines. The output of some
-\&\s-1ASN\s0.1 types is not well handled (if at all).
+\&\s-1ASN.1\s0 types is not well handled (if at all).
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIASN1_generate_nconf\fR\|(3)
diff --git a/secure/usr.bin/openssl/man/c_rehash.1 b/secure/usr.bin/openssl/man/c_rehash.1
new file mode 100644
index 000000000000..1d5a1bfc8f45
--- /dev/null
+++ b/secure/usr.bin/openssl/man/c_rehash.1
@@ -0,0 +1,208 @@
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+.    ds C`
+.    ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
+..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
+.\}
+.rr rF
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "C_REHASH 1"
+.TH C_REHASH 1 "2015-01-15" "1.0.1l" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+c_rehash \- Create symbolic links to files named by the hash values
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBc_rehash\fR
+[ \fIdirectory\fR...]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBc_rehash\fR scans directories and calculates a hash value of each \f(CW\*(C`.pem\*(C'\fR
+file in the specified directory list and creates symbolic links
+for each file, where the name of the link is the hash value.
+This utility is useful as many programs that use OpenSSL require
+directories to be set up like this in order to find certificates.
+.PP
+If any directories are named on the command line, then those are
+processed in turn. If not, then the \fB\s-1SSL_CERT_DIR\s0\fR environment variable
+is consulted; this shold be a colon-separated list of directories,
+like the Unix \fB\s-1PATH\s0\fR variable.
+If that is not set then the default directory (installation-specific
+but often \fB/usr/local/ssl/certs\fR) is processed.
+.PP
+In order for a directory to be processed, the user must have write
+permissions on that directory, otherwise it will be skipped.
+The links created are of the form \f(CW\*(C`HHHHHHHH.D\*(C'\fR, where each \fBH\fR
+is a hexadecimal character and \fBD\fR is a single decimal digit.
+When processing a directory, \fBc_rehash\fR will first remove all links
+that have a name in that syntax. If you have links in that format
+used for other purposes, they will be removed.
+Hashes for \s-1CRL\s0's look similar except the letter \fBr\fR appears after
+the period, like this: \f(CW\*(C`HHHHHHHH.rD\*(C'\fR.
+.PP
+Multiple objects may have the same hash; they will be indicated by
+incrementing the \fBD\fR value. Duplicates are found by comparing the
+full \s-1SHA\-1\s0 fingerprint. A warning will be displayed if a duplicate
+is found.
+.PP
+A warning will also be displayed if there are \fB.pem\fR files that
+cannot be parsed as either a certificate or a \s-1CRL.\s0
+.PP
+The program uses the \fBopenssl\fR program to compute the hashes and
+fingerprints. If not found in the user's \fB\s-1PATH\s0\fR, then set the
+\&\fB\s-1OPENSSL\s0\fR environment variable to the full pathname.
+Any program can be used, it will be invoked as follows for either
+a certificate or \s-1CRL:\s0
+.PP
+.Vb 2
+\&  $OPENSSL x509 \-hash \-fingerprint \-noout \-in FFFFFF
+\&  $OPENSSL crl \-hash \-fingerprint \-noout \-in FFFFFF
+.Ve
+.PP
+where \fB\s-1FFFFFF\s0\fR is the filename. It must output the hash of the
+file on the first line, and the fingerprint on the second,
+optionally prefixed with some text and an equals sign.
+.SH "ENVIRONMENT"
+.IX Header "ENVIRONMENT"
+.IP "\fB\s-1OPENSSL\s0\fR" 4
+.IX Item "OPENSSL"
+The path to an executable to use to generate hashes and
+fingerprints (see above).
+.IP "\fB\s-1SSL_CERT_DIR\s0\fR" 4
+.IX Item "SSL_CERT_DIR"
+Colon separated list of directories to operate on.
+Ignored if directories are listed on the command line.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIopenssl\fR\|(1),
+\&\fIcrl\fR\|(1).
+\&\fIx509\fR\|(1).
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
index 90878dbea0e1..223f46464c37 100644
--- a/secure/usr.bin/openssl/man/ca.1
+++ b/secure/usr.bin/openssl/man/ca.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CA 1"
-.TH CA 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CA 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -139,6 +148,8 @@ ca \- sample minimal CA application
 [\fB\-name section\fR]
 [\fB\-gencrl\fR]
 [\fB\-revoke file\fR]
+[\fB\-status serial\fR]
+[\fB\-updatedb\fR]
 [\fB\-crl_reason reason\fR]
 [\fB\-crl_hold instruction\fR]
 [\fB\-crl_compromise time\fR]
@@ -152,6 +163,7 @@ ca \- sample minimal CA application
 [\fB\-md arg\fR]
 [\fB\-policy arg\fR]
 [\fB\-keyfile arg\fR]
+[\fB\-keyform PEM|DER\fR]
 [\fB\-key arg\fR]
 [\fB\-passin arg\fR]
 [\fB\-cert file\fR]
@@ -193,15 +205,15 @@ specifies the configuration file section to use (overrides
 .IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 an input filename containing a single certificate request to be
-signed by the \s-1CA\s0.
+signed by the \s-1CA.\s0
 .IP "\fB\-ss_cert filename\fR" 4
 .IX Item "-ss_cert filename"
-a single self signed certificate to be signed by the \s-1CA\s0.
+a single self signed certificate to be signed by the \s-1CA.\s0
 .IP "\fB\-spkac filename\fR" 4
 .IX Item "-spkac filename"
 a file containing a single Netscape signed public key and challenge
-and additional field values to be signed by the \s-1CA\s0. See the \fB\s-1SPKAC\s0 \s-1FORMAT\s0\fR
-section for information on the required format.
+and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR
+section for information on the required input and output format.
 .IP "\fB\-infiles\fR" 4
 .IX Item "-infiles"
 if present this should be the last option, all subsequent arguments
@@ -210,7 +222,7 @@ are assumed to be the names of files containing certificate requests.
 .IX Item "-out filename"
 the output file to output certificates to. The default is standard
 output. The certificate details will also be printed out to this
-file.
+file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format).
 .IP "\fB\-outdir directory\fR" 4
 .IX Item "-outdir directory"
 the directory to output certificates to. The certificate will be
@@ -222,6 +234,10 @@ the \s-1CA\s0 certificate file.
 .IP "\fB\-keyfile filename\fR" 4
 .IX Item "-keyfile filename"
 the private key to sign requests with.
+.IP "\fB\-keyform PEM|DER\fR" 4
+.IX Item "-keyform PEM|DER"
+the format of the data in the private key file.
+The default is \s-1PEM.\s0
 .IP "\fB\-key password\fR" 4
 .IX Item "-key password"
 the password used to encrypt the private key. Since on some
@@ -243,7 +259,7 @@ self-signed certificate.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-verbose\fR" 4
 .IX Item "-verbose"
 this prints extra details about the operations being performed.
@@ -253,11 +269,11 @@ don't output the text form of a certificate to the output file.
 .IP "\fB\-startdate date\fR" 4
 .IX Item "-startdate date"
 this allows the start date to be explicitly set. The format of the
-date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
+date is \s-1YYMMDDHHMMSSZ \s0(the same as an \s-1ASN1\s0 UTCTime structure).
 .IP "\fB\-enddate date\fR" 4
 .IX Item "-enddate date"
 this allows the expiry date to be explicitly set. The format of the
-date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
+date is \s-1YYMMDDHHMMSSZ \s0(the same as an \s-1ASN1\s0 UTCTime structure).
 .IP "\fB\-days arg\fR" 4
 .IX Item "-days arg"
 the number of days to certify the certificate for.
@@ -267,9 +283,9 @@ the message digest to use. Possible values include md5, sha1 and mdc2.
 This option also applies to CRLs.
 .IP "\fB\-policy arg\fR" 4
 .IX Item "-policy arg"
-this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
+this option defines the \s-1CA \s0\*(L"policy\*(R" to use. This is a section in
 the configuration file which decides which fields should be mandatory
-or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
+or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section
 for more information.
 .IP "\fB\-msie_hack\fR" 4
 .IX Item "-msie_hack"
@@ -288,7 +304,7 @@ DNs match the order of the request. This is not needed for Xenroll.
 .IP "\fB\-noemailDN\fR" 4
 .IX Item "-noemailDN"
 The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
-request \s-1DN\s0, however it is good policy just having the e\-mail set into
+request \s-1DN,\s0 however it is good policy just having the e\-mail set into
 the altName extension of the certificate. When this option is set the
 \&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in
 the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be
@@ -325,7 +341,7 @@ characters may be escaped by \e (backslash), no spaces are skipped.
 .IP "\fB\-utf8\fR" 4
 .IX Item "-utf8"
 this option causes field values to be interpreted as \s-1UTF8\s0 strings, by 
-default they are interpreted as \s-1ASCII\s0. This means that the field
+default they are interpreted as \s-1ASCII.\s0 This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid \s-1UTF8\s0 strings.
 .IP "\fB\-multivalue\-rdn\fR" 4
@@ -351,6 +367,13 @@ the number of hours before the next \s-1CRL\s0 is due.
 .IP "\fB\-revoke filename\fR" 4
 .IX Item "-revoke filename"
 a filename containing a certificate to revoke.
+.IP "\fB\-status serial\fR" 4
+.IX Item "-status serial"
+displays the revocation status of the certificate with the specified
+serial number and exits.
+.IP "\fB\-updatedb\fR" 4
+.IX Item "-updatedb"
+Updates the database index to purge expired certificates.
 .IP "\fB\-crl_reason reason\fR" 4
 .IX Item "-crl_reason reason"
 revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
@@ -363,7 +386,7 @@ in delta CRLs which are not currently implemented.
 .IP "\fB\-crl_hold instruction\fR" 4
 .IX Item "-crl_hold instruction"
 This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
-instruction to \fBinstruction\fR which must be an \s-1OID\s0. Although any \s-1OID\s0 can be
+instruction to \fBinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be
 used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
 \&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used.
 .IP "\fB\-crl_compromise time\fR" 4
@@ -393,8 +416,8 @@ be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section
 of the configuration file (or in the default section of the
 configuration file). Besides \fBdefault_ca\fR, the following options are
 read directly from the \fBca\fR section:
- \s-1RANDFILE\s0
- preserve
+ \s-1RANDFILE
+\&\s0 preserve
  msie_hack
 With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
 change in future releases.
@@ -407,7 +430,7 @@ the configuration file or the command line equivalent (if
 any) used.
 .IP "\fBoid_file\fR" 4
 .IX Item "oid_file"
-This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
+This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
 Each line of the file should consist of the numerical form of the
 object identifier followed by white space then the short name followed
 by white space and finally the long name.
@@ -450,7 +473,7 @@ present.
 .IX Item "default_crl_hours default_crl_days"
 the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
 will only be used if neither command line option is present. At
-least one of these must be present to generate a \s-1CRL\s0.
+least one of these must be present to generate a \s-1CRL.\s0
 .IP "\fBdefault_md\fR" 4
 .IX Item "default_md"
 the same as the \fB\-md\fR option. The message digest to use. Mandatory.
@@ -489,13 +512,13 @@ the same as \fB\-preserveDN\fR
 .IX Item "email_in_dn"
 the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
 from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
-the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN\s0.
+the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN.\s0
 .IP "\fBmsie_hack\fR" 4
 .IX Item "msie_hack"
 the same as \fB\-msie_hack\fR
 .IP "\fBpolicy\fR" 4
 .IX Item "policy"
-the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
+the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section
 for more information.
 .IP "\fBname_opt\fR, \fBcert_opt\fR" 4
 .IX Item "name_opt, cert_opt"
@@ -546,6 +569,10 @@ The file should contain the variable \s-1SPKAC\s0 set to the value of
 the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
 If you need to include the same component twice then it can be
 preceded by a number and a '.'.
+.PP
+When processing \s-1SPKAC\s0 format, the output is \s-1DER\s0 if the \fB\-out\fR
+flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR
+flag is used.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 Note: these examples assume that the \fBca\fR directory structure is
@@ -683,7 +710,7 @@ exposed at either a command or interface level so a more friendly utility
 .PP
 Any fields in a request that are not present in a policy are silently
 deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
-enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN\s0, as suggested by
+enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN,\s0 as suggested by
 RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR
 option can be used. The behaviour should be more friendly and
 configurable.
@@ -695,7 +722,7 @@ create an empty file.
 The \fBca\fR command is quirky and at times downright unfriendly.
 .PP
 The \fBca\fR utility was originally meant as an example of how to do things
-in a \s-1CA\s0. It was not supposed to be used as a full blown \s-1CA\s0 itself:
+in a \s-1CA.\s0 It was not supposed to be used as a full blown \s-1CA\s0 itself:
 nevertheless some people are using it for this purpose.
 .PP
 The \fBca\fR command is effectively a single user command: no locking is
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
index 9124ed3310bd..1ab01ba81755 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CIPHERS 1"
-.TH CIPHERS 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CIPHERS 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -158,7 +167,7 @@ in a cipher list; this is when similar ciphers are available for
 \&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1.
 .IP "\fB\-V\fR" 4
 .IX Item "-V"
-Like \fB\-V\fR, but include cipher suite codes in output (hex format).
+Like \fB\-v\fR, but include cipher suite codes in output (hex format).
 .IP "\fB\-ssl3\fR" 4
 .IX Item "-ssl3"
 only include \s-1SSL\s0 v3 ciphers.
@@ -191,7 +200,7 @@ algorithms.
 .PP
 Lists of cipher suites can be combined in a single cipher string using the
 \&\fB+\fR character. This is used as a logical \fBand\fR operation. For example
-\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0
+\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1 \s0\fBand\fR the \s-1DES\s0
 algorithms.
 .PP
 Each cipher string can be optionally preceded by the characters \fB!\fR,
@@ -225,8 +234,8 @@ specified.
 .IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
 .IX Item "COMPLEMENTOFDEFAULT"
 the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
-this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is
-not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
+this is \fB\s-1ADH\s0\fR and \fB\s-1AECDH\s0\fR. Note that this rule does not cover \fBeNULL\fR,
+which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
 .IP "\fB\s-1ALL\s0\fR" 4
 .IX Item "ALL"
 all cipher suites except the \fBeNULL\fR ciphers which must be explicitly enabled;
@@ -258,24 +267,53 @@ export encryption algorithms. Including 40 and 56 bits algorithms.
 with support for experimental ciphers.
 .IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
 .IX Item "eNULL, NULL"
-the \*(L"\s-1NULL\s0\*(R" ciphers that is those offering no encryption. Because these offer no
+the \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no
 encryption at all and are a security risk they are disabled unless explicitly
 included.
 .IP "\fBaNULL\fR" 4
 .IX Item "aNULL"
 the cipher suites offering no authentication. This is currently the anonymous
-\&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R"
-attack and so their use is normally discouraged.
+\&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable
+to a \*(L"man in the middle\*(R" attack and so their use is normally discouraged.
 .IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
 .IX Item "kRSA, RSA"
 cipher suites using \s-1RSA\s0 key exchange.
+.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4
+.IX Item "kDHr, kDHd, kDH"
+cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
+and \s-1DSS\s0 keys or either respectively. Not implemented.
 .IP "\fBkEDH\fR" 4
 .IX Item "kEDH"
-cipher suites using ephemeral \s-1DH\s0 key agreement.
-.IP "\fBkDHr\fR, \fBkDHd\fR" 4
-.IX Item "kDHr, kDHd"
-cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
-and \s-1DSS\s0 keys respectively. Not implemented.
+cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher
+suites.
+.IP "\fB\s-1EDH\s0\fR" 4
+.IX Item "EDH"
+cipher suites using authenticated ephemeral \s-1DH\s0 key agreement.
+.IP "\fB\s-1ADH\s0\fR" 4
+.IX Item "ADH"
+anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic
+Curve \s-1DH \s0(\s-1ECDH\s0) cipher suites.
+.IP "\fB\s-1DH\s0\fR" 4
+.IX Item "DH"
+cipher suites using \s-1DH,\s0 including anonymous \s-1DH,\s0 ephemeral \s-1DH\s0 and fixed \s-1DH.\s0
+.IP "\fBkECDHr\fR, \fBkECDHe\fR, \fBkECDH\fR" 4
+.IX Item "kECDHr, kECDHe, kECDH"
+cipher suites using fixed \s-1ECDH\s0 key agreement signed by CAs with \s-1RSA\s0 and \s-1ECDSA\s0
+keys or either respectively.
+.IP "\fBkEECDH\fR" 4
+.IX Item "kEECDH"
+cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous
+cipher suites.
+.IP "\fB\s-1EECDHE\s0\fR" 4
+.IX Item "EECDHE"
+cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement.
+.IP "\fB\s-1AECDH\s0\fR" 4
+.IX Item "AECDH"
+anonymous Elliptic Curve Diffie Hellman cipher suites.
+.IP "\fB\s-1ECDH\s0\fR" 4
+.IX Item "ECDH"
+cipher suites using \s-1ECDH\s0 key exchange, including anonymous, ephemeral and
+fixed \s-1ECDH.\s0
 .IP "\fBaRSA\fR" 4
 .IX Item "aRSA"
 cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys.
@@ -286,75 +324,89 @@ cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1D
 .IX Item "aDH"
 cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
 \&\s-1DH\s0 keys.  Not implemented.
+.IP "\fBaECDH\fR" 4
+.IX Item "aECDH"
+cipher suites effectively using \s-1ECDH\s0 authentication, i.e. the certificates
+carry \s-1ECDH\s0 keys.
+.IP "\fBaECDSA\fR, \fB\s-1ECDSA\s0\fR" 4
+.IX Item "aECDSA, ECDSA"
+cipher suites using \s-1ECDSA\s0 authentication, i.e. the certificates carry \s-1ECDSA\s0
+keys.
 .IP "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4
 .IX Item "kFZA, aFZA, eFZA, FZA"
 ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all
 \&\s-1FORTEZZA\s0 algorithms. Not implemented.
-.IP "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
-.IX Item "TLSv1, SSLv3, SSLv2"
-\&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively.
-.IP "\fB\s-1DH\s0\fR" 4
-.IX Item "DH"
-cipher suites using \s-1DH\s0, including anonymous \s-1DH\s0.
-.IP "\fB\s-1ADH\s0\fR" 4
-.IX Item "ADH"
-anonymous \s-1DH\s0 cipher suites.
-.IP "\fB\s-1AES\s0\fR" 4
-.IX Item "AES"
-cipher suites using \s-1AES\s0.
-.IP "\fB\s-1CAMELLIA\s0\fR" 4
-.IX Item "CAMELLIA"
-cipher suites using Camellia.
+.IP "\fBTLSv1.2\fR, \fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
+.IX Item "TLSv1.2, TLSv1, SSLv3, SSLv2"
+\&\s-1TLS\s0 v1.2, \s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively. Note:
+there are no ciphersuites specific to \s-1TLS\s0 v1.1.
+.IP "\fB\s-1AES128\s0\fR, \fB\s-1AES256\s0\fR, \fB\s-1AES\s0\fR" 4
+.IX Item "AES128, AES256, AES"
+cipher suites using 128 bit \s-1AES, 256\s0 bit \s-1AES\s0 or either 128 or 256 bit \s-1AES.\s0
+.IP "\fB\s-1AESGCM\s0\fR" 4
+.IX Item "AESGCM"
+\&\s-1AES\s0 in Galois Counter Mode (\s-1GCM\s0): these ciphersuites are only supported
+in \s-1TLS\s0 v1.2.
+.IP "\fB\s-1CAMELLIA128\s0\fR, \fB\s-1CAMELLIA256\s0\fR, \fB\s-1CAMELLIA\s0\fR" 4
+.IX Item "CAMELLIA128, CAMELLIA256, CAMELLIA"
+cipher suites using 128 bit \s-1CAMELLIA, 256\s0 bit \s-1CAMELLIA\s0 or either 128 or 256 bit
+\&\s-1CAMELLIA.\s0
 .IP "\fB3DES\fR" 4
 .IX Item "3DES"
-cipher suites using triple \s-1DES\s0.
+cipher suites using triple \s-1DES.\s0
 .IP "\fB\s-1DES\s0\fR" 4
 .IX Item "DES"
-cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
+cipher suites using \s-1DES \s0(not triple \s-1DES\s0).
 .IP "\fB\s-1RC4\s0\fR" 4
 .IX Item "RC4"
-cipher suites using \s-1RC4\s0.
+cipher suites using \s-1RC4.\s0
 .IP "\fB\s-1RC2\s0\fR" 4
 .IX Item "RC2"
-cipher suites using \s-1RC2\s0.
+cipher suites using \s-1RC2.\s0
 .IP "\fB\s-1IDEA\s0\fR" 4
 .IX Item "IDEA"
-cipher suites using \s-1IDEA\s0.
+cipher suites using \s-1IDEA.\s0
 .IP "\fB\s-1SEED\s0\fR" 4
 .IX Item "SEED"
-cipher suites using \s-1SEED\s0.
+cipher suites using \s-1SEED.\s0
 .IP "\fB\s-1MD5\s0\fR" 4
 .IX Item "MD5"
-cipher suites using \s-1MD5\s0.
+cipher suites using \s-1MD5.\s0
 .IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
 .IX Item "SHA1, SHA"
-cipher suites using \s-1SHA1\s0.
+cipher suites using \s-1SHA1.\s0
+.IP "\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR" 4
+.IX Item "SHA256, SHA384"
+ciphersuites using \s-1SHA256\s0 or \s-1SHA384.\s0
 .IP "\fBaGOST\fR" 4
 .IX Item "aGOST"
-cipher suites using \s-1GOST\s0 R 34.10 (either 2001 or 94) for authenticaction
+cipher suites using \s-1GOST R 34.10 \s0(either 2001 or 94) for authenticaction
 (needs an engine supporting \s-1GOST\s0 algorithms).
 .IP "\fBaGOST01\fR" 4
 .IX Item "aGOST01"
-cipher suites using \s-1GOST\s0 R 34.10\-2001 authentication.
+cipher suites using \s-1GOST R 34.10\-2001\s0 authentication.
 .IP "\fBaGOST94\fR" 4
 .IX Item "aGOST94"
-cipher suites using \s-1GOST\s0 R 34.10\-94 authentication (note that R 34.10\-94
-standard has been expired so use \s-1GOST\s0 R 34.10\-2001)
+cipher suites using \s-1GOST R 34.10\-94\s0 authentication (note that R 34.10\-94
+standard has been expired so use \s-1GOST R 34.10\-2001\s0)
 .IP "\fBkGOST\fR" 4
 .IX Item "kGOST"
-cipher suites, using \s-1VKO\s0 34.10 key exchange, specified in the \s-1RFC\s0 4357.
+cipher suites, using \s-1VKO 34.10\s0 key exchange, specified in the \s-1RFC 4357.\s0
 .IP "\fB\s-1GOST94\s0\fR" 4
 .IX Item "GOST94"
-cipher suites, using \s-1HMAC\s0 based on \s-1GOST\s0 R 34.11\-94.
+cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0
 .IP "\fB\s-1GOST89MAC\s0\fR" 4
 .IX Item "GOST89MAC"
-cipher suites using \s-1GOST\s0 28147\-89 \s-1MAC\s0 \fBinstead of\fR \s-1HMAC\s0.
+cipher suites using \s-1GOST 28147\-89 MAC \s0\fBinstead of\fR \s-1HMAC.\s0
+.IP "\fB\s-1PSK\s0\fR" 4
+.IX Item "PSK"
+cipher suites using pre-shared keys (\s-1PSK\s0).
 .SH "CIPHER SUITE NAMES"
 .IX Header "CIPHER SUITE NAMES"
 The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
 relevant specification and their OpenSSL equivalents. It should be noted,
 that several cipher suite names do not include the authentication used,
-e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
+e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used.
 .SS "\s-1SSL\s0 v3.0 cipher suites."
 .IX Subsection "SSL v3.0 cipher suites."
 .Vb 10
@@ -425,7 +477,7 @@ e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& TLS_DH_anon_WITH_DES_CBC_SHA            ADH\-DES\-CBC\-SHA
 \& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH\-DES\-CBC3\-SHA
 .Ve
-.SS "\s-1AES\s0 ciphersuites from \s-1RFC3268\s0, extending \s-1TLS\s0 v1.0"
+.SS "\s-1AES\s0 ciphersuites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0"
 .IX Subsection "AES ciphersuites from RFC3268, extending TLS v1.0"
 .Vb 2
 \& TLS_RSA_WITH_AES_128_CBC_SHA            AES128\-SHA
@@ -444,7 +496,7 @@ e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& TLS_DH_anon_WITH_AES_128_CBC_SHA        ADH\-AES128\-SHA
 \& TLS_DH_anon_WITH_AES_256_CBC_SHA        ADH\-AES256\-SHA
 .Ve
-.SS "Camellia ciphersuites from \s-1RFC4132\s0, extending \s-1TLS\s0 v1.0"
+.SS "Camellia ciphersuites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0"
 .IX Subsection "Camellia ciphersuites from RFC4132, extending TLS v1.0"
 .Vb 2
 \& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      CAMELLIA128\-SHA
@@ -463,7 +515,7 @@ e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  ADH\-CAMELLIA128\-SHA
 \& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  ADH\-CAMELLIA256\-SHA
 .Ve
-.SS "\s-1SEED\s0 ciphersuites from \s-1RFC4162\s0, extending \s-1TLS\s0 v1.0"
+.SS "\s-1SEED\s0 ciphersuites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0"
 .IX Subsection "SEED ciphersuites from RFC4162, extending TLS v1.0"
 .Vb 1
 \& TLS_RSA_WITH_SEED_CBC_SHA              SEED\-SHA
@@ -498,8 +550,104 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3.
 \& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024\-DHE\-DSS\-RC4\-SHA
 \& TLS_DHE_DSS_WITH_RC4_128_SHA            DHE\-DSS\-RC4\-SHA
 .Ve
-.SS "\s-1SSL\s0 v2.0 cipher suites."
-.IX Subsection "SSL v2.0 cipher suites."
+.SS "Elliptic curve cipher suites."
+.IX Subsection "Elliptic curve cipher suites."
+.Vb 5
+\& TLS_ECDH_RSA_WITH_NULL_SHA              ECDH\-RSA\-NULL\-SHA
+\& TLS_ECDH_RSA_WITH_RC4_128_SHA           ECDH\-RSA\-RC4\-SHA
+\& TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA      ECDH\-RSA\-DES\-CBC3\-SHA
+\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA       ECDH\-RSA\-AES128\-SHA
+\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA       ECDH\-RSA\-AES256\-SHA
+\&
+\& TLS_ECDH_ECDSA_WITH_NULL_SHA            ECDH\-ECDSA\-NULL\-SHA
+\& TLS_ECDH_ECDSA_WITH_RC4_128_SHA         ECDH\-ECDSA\-RC4\-SHA
+\& TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA    ECDH\-ECDSA\-DES\-CBC3\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA     ECDH\-ECDSA\-AES128\-SHA
+\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA     ECDH\-ECDSA\-AES256\-SHA
+\&
+\& TLS_ECDHE_RSA_WITH_NULL_SHA             ECDHE\-RSA\-NULL\-SHA
+\& TLS_ECDHE_RSA_WITH_RC4_128_SHA          ECDHE\-RSA\-RC4\-SHA
+\& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     ECDHE\-RSA\-DES\-CBC3\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDHE\-RSA\-AES128\-SHA
+\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDHE\-RSA\-AES256\-SHA
+\&
+\& TLS_ECDHE_ECDSA_WITH_NULL_SHA           ECDHE\-ECDSA\-NULL\-SHA
+\& TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        ECDHE\-ECDSA\-RC4\-SHA
+\& TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   ECDHE\-ECDSA\-DES\-CBC3\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    ECDHE\-ECDSA\-AES128\-SHA
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    ECDHE\-ECDSA\-AES256\-SHA
+\&
+\& TLS_ECDH_anon_WITH_NULL_SHA             AECDH\-NULL\-SHA
+\& TLS_ECDH_anon_WITH_RC4_128_SHA          AECDH\-RC4\-SHA
+\& TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA     AECDH\-DES\-CBC3\-SHA
+\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA      AECDH\-AES128\-SHA
+\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA      AECDH\-AES256\-SHA
+.Ve
+.SS "\s-1TLS\s0 v1.2 cipher suites"
+.IX Subsection "TLS v1.2 cipher suites"
+.Vb 1
+\& TLS_RSA_WITH_NULL_SHA256                  NULL\-SHA256
+\&
+\& TLS_RSA_WITH_AES_128_CBC_SHA256           AES128\-SHA256
+\& TLS_RSA_WITH_AES_256_CBC_SHA256           AES256\-SHA256
+\& TLS_RSA_WITH_AES_128_GCM_SHA256           AES128\-GCM\-SHA256
+\& TLS_RSA_WITH_AES_256_GCM_SHA384           AES256\-GCM\-SHA384
+\&
+\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256        Not implemented.
+\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256        Not implemented.
+\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256        Not implemented.
+\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384        Not implemented.
+\&
+\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256        Not implemented.
+\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256        Not implemented.
+\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256        Not implemented.
+\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384        Not implemented.
+\&
+\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE\-RSA\-AES128\-SHA256
+\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE\-RSA\-AES256\-SHA256
+\& TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE\-RSA\-AES128\-GCM\-SHA256
+\& TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE\-RSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE\-DSS\-AES128\-SHA256
+\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE\-DSS\-AES256\-SHA256
+\& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE\-DSS\-AES128\-GCM\-SHA256
+\& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE\-DSS\-AES256\-GCM\-SHA384
+\&
+\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256      ECDH\-RSA\-AES128\-SHA256
+\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384      ECDH\-RSA\-AES256\-SHA384
+\& TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256      ECDH\-RSA\-AES128\-GCM\-SHA256
+\& TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384      ECDH\-RSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH\-ECDSA\-AES128\-SHA256
+\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH\-ECDSA\-AES256\-SHA384
+\& TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH\-ECDSA\-AES128\-GCM\-SHA256
+\& TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH\-ECDSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE\-RSA\-AES128\-SHA256
+\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE\-RSA\-AES256\-SHA384
+\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE\-RSA\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE\-RSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE\-ECDSA\-AES128\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE\-ECDSA\-AES256\-SHA384
+\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE\-ECDSA\-AES128\-GCM\-SHA256
+\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE\-ECDSA\-AES256\-GCM\-SHA384
+\&
+\& TLS_DH_anon_WITH_AES_128_CBC_SHA256       ADH\-AES128\-SHA256
+\& TLS_DH_anon_WITH_AES_256_CBC_SHA256       ADH\-AES256\-SHA256
+\& TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH\-AES128\-GCM\-SHA256
+\& TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH\-AES256\-GCM\-SHA384
+.Ve
+.SS "Pre shared keying (\s-1PSK\s0) cipheruites"
+.IX Subsection "Pre shared keying (PSK) cipheruites"
+.Vb 4
+\& TLS_PSK_WITH_RC4_128_SHA                  PSK\-RC4\-SHA
+\& TLS_PSK_WITH_3DES_EDE_CBC_SHA             PSK\-3DES\-EDE\-CBC\-SHA
+\& TLS_PSK_WITH_AES_128_CBC_SHA              PSK\-AES128\-CBC\-SHA
+\& TLS_PSK_WITH_AES_256_CBC_SHA              PSK\-AES256\-CBC\-SHA
+.Ve
+.SS "Deprecated \s-1SSL\s0 v2.0 cipher suites."
+.IX Subsection "Deprecated SSL v2.0 cipher suites."
 .Vb 7
 \& SSL_CK_RC4_128_WITH_MD5                 RC4\-MD5
 \& SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP\-RC4\-MD5
@@ -531,6 +679,13 @@ strength:
 \& openssl ciphers \-v \*(AqALL:!ADH:@STRENGTH\*(Aq
 .Ve
 .PP
+Include all ciphers except ones with no encryption (eNULL) or no
+authentication (aNULL):
+.PP
+.Vb 1
+\& openssl ciphers \-v \*(AqALL:!aNULL\*(Aq
+.Ve
+.PP
 Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last:
 .PP
 .Vb 1
diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1
index 0f70b9dbd4ff..862a569925a9 100644
--- a/secure/usr.bin/openssl/man/cms.1
+++ b/secure/usr.bin/openssl/man/cms.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS 1"
-.TH CMS 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CMS 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -210,6 +219,10 @@ actual \s-1CMS\s0 type is <B>EnvelopedData<B>.
 decrypt mail using the supplied certificate and private key. Expects an
 encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
 is written to the output file.
+.IP "\fB\-debug_decrypt\fR" 4
+.IX Item "-debug_decrypt"
+this option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used
+with caution: see the notes section below.
 .IP "\fB\-sign\fR" 4
 .IX Item "-sign"
 sign mail using the supplied certificate and private key. Input file is
@@ -227,29 +240,29 @@ takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure.
 resign a message: take an existing message and one or more new signers.
 .IP "\fB\-data_create\fR" 4
 .IX Item "-data_create"
-Create a \s-1CMS\s0 \fBData\fR type.
+Create a \s-1CMS \s0\fBData\fR type.
 .IP "\fB\-data_out\fR" 4
 .IX Item "-data_out"
 \&\fBData\fR type and output the content.
 .IP "\fB\-digest_create\fR" 4
 .IX Item "-digest_create"
-Create a \s-1CMS\s0 \fBDigestedData\fR type.
+Create a \s-1CMS \s0\fBDigestedData\fR type.
 .IP "\fB\-digest_verify\fR" 4
 .IX Item "-digest_verify"
-Verify a \s-1CMS\s0 \fBDigestedData\fR type and output the content.
+Verify a \s-1CMS \s0\fBDigestedData\fR type and output the content.
 .IP "\fB\-compress\fR" 4
 .IX Item "-compress"
-Create a \s-1CMS\s0 \fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
+Create a \s-1CMS \s0\fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
 support for this option to work, otherwise it will output an error.
 .IP "\fB\-uncompress\fR" 4
 .IX Item "-uncompress"
-Uncompress a \s-1CMS\s0 \fBCompressedData\fR type and output the content. OpenSSL must be
+Uncompress a \s-1CMS \s0\fBCompressedData\fR type and output the content. OpenSSL must be
 compiled with \fBzlib\fR support for this option to work, otherwise it will
 output an error.
 .IP "\fB\-EncryptedData_encrypt\fR" 4
 .IX Item "-EncryptedData_encrypt"
-Encrypt suppled content using supplied symmetric key and algorithm using a \s-1CMS\s0
-\&\fBEncrytedData\fR type and output the content.
+Encrypt content using supplied symmetric key and algorithm using a \s-1CMS
+\&\s0\fBEncrytedData\fR type and output the content.
 .IP "\fB\-sign_receipt\fR" 4
 .IX Item "-sign_receipt"
 Generate and output a signed receipt for the supplied message. The input 
@@ -312,7 +325,7 @@ is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
 .IX Item "-text"
 this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of \s-1MIME\s0 
+off text headers: if the decrypted or verified message is not of \s-1MIME \s0
 type text/plain then an error occurs.
 .IP "\fB\-noout\fR" 4
 .IX Item "-noout"
@@ -338,8 +351,8 @@ digest algorithm to use when signing or resigning. If not present then the
 default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
 .IP "\fB\-[cipher]\fR" 4
 .IX Item "-[cipher]"
-the encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR
-or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the
+the encryption algorithm to use. For example triple \s-1DES \s0(168 bits) \- \fB\-des3\fR
+or 256 bit \s-1AES \- \s0\fB\-aes256\fR. Any standard algorithm name (as used by the
 \&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for 
 example \fB\-aes_128_cbc\fR. See \fBenc\fR for a list of ciphers
 supported by your version of OpenSSL.
@@ -451,7 +464,7 @@ multiple times to specify successive keys.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-rand file(s)\fR" 4
 .IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
@@ -504,12 +517,22 @@ signer using the same message digest or this operation will fail.
 .PP
 The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support.
 As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
-and no longer \s-1DER\s0. Streaming is supported for the \fB\-encrypt\fR operation and the
+and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the
 \&\fB\-sign\fR operation if the content is not detached.
 .PP
 Streaming is always used for the \fB\-sign\fR operation with detached data but
 since the content is no longer part of the \s-1CMS\s0 structure the encoding
-remains \s-1DER\s0.
+remains \s-1DER.\s0
+.PP
+If the \fB\-decrypt\fR option is used without a recipient certificate then an
+attempt is made to locate the recipient by trying each potential recipient
+in turn using the supplied private key. To thwart the \s-1MMA\s0 attack
+(Bleichenbacher's attack on \s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are
+tried whether they succeed or not and if no recipients match the message
+is \*(L"decrypted\*(R" using a random key which will typically output garbage. 
+The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection
+and return an error if no recipient can be found: this option should be used
+with caution. For a fuller description see \fICMS_decrypt\fR\|(3)).
 .SH "EXIT CODES"
 .IX Header "EXIT CODES"
 .IP "0" 4
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1
index b68bb75570ff..7ac529748d3a 100644
--- a/secure/usr.bin/openssl/man/crl.1
+++ b/secure/usr.bin/openssl/man/crl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CRL 1"
-.TH CRL 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CRL 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -139,6 +148,7 @@ crl \- CRL utility
 [\fB\-text\fR]
 [\fB\-in filename\fR]
 [\fB\-out filename\fR]
+[\fB\-nameopt option\fR]
 [\fB\-noout\fR]
 [\fB\-hash\fR]
 [\fB\-issuer\fR]
@@ -171,13 +181,21 @@ default.
 .IP "\fB\-text\fR" 4
 .IX Item "-text"
 print out the \s-1CRL\s0 in text form.
+.IP "\fB\-nameopt option\fR" 4
+.IX Item "-nameopt option"
+option which determines how the subject or issuer names are displayed. See
+the description of \fB\-nameopt\fR in \fIx509\fR\|(1).
 .IP "\fB\-noout\fR" 4
 .IX Item "-noout"
-don't output the encoded version of the \s-1CRL\s0.
+don't output the encoded version of the \s-1CRL.\s0
 .IP "\fB\-hash\fR" 4
 .IX Item "-hash"
 output a hash of the issuer name. This can be use to lookup CRLs in
 a directory by issuer name.
+.IP "\fB\-hash_old\fR" 4
+.IX Item "-hash_old"
+outputs the \*(L"hash\*(R" of the \s-1CRL\s0 issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
 .IP "\fB\-issuer\fR" 4
 .IX Item "-issuer"
 output the issuer name.
@@ -199,7 +217,7 @@ is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
 to each certificate.
 .SH "NOTES"
 .IX Header "NOTES"
-The \s-1PEM\s0 \s-1CRL\s0 format uses the header and footer lines:
+The \s-1PEM CRL\s0 format uses the header and footer lines:
 .PP
 .Vb 2
 \& \-\-\-\-\-BEGIN X509 CRL\-\-\-\-\-
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1
index ff7b9895c8e1..28fa0f304b41 100644
--- a/secure/usr.bin/openssl/man/crl2pkcs7.1
+++ b/secure/usr.bin/openssl/man/crl2pkcs7.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH CRL2PKCS7 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -193,7 +202,7 @@ different certificates:
 .SH "NOTES"
 .IX Header "NOTES"
 The output file is a PKCS#7 signed data structure containing no signers and
-just certificates and an optional \s-1CRL\s0.
+just certificates and an optional \s-1CRL.\s0
 .PP
 This utility can be used to send certificates and CAs to Netscape as part of
 the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1
index 5b5478e23ac3..f1695403b960 100644
--- a/secure/usr.bin/openssl/man/dgst.1
+++ b/secure/usr.bin/openssl/man/dgst.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,21 +133,24 @@
 .\" ========================================================================
 .\"
 .IX Title "DGST 1"
-.TH DGST 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DGST 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
 .nh
 .SH "NAME"
-dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests
+dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 \- message digests
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBdgst\fR 
-[\fB\-md5|\-md4|\-md2|\-sha1|\-sha|\-mdc2|\-ripemd160|\-dss1\fR]
+[\fB\-sha|\-sha1|\-mdc2|\-ripemd160|\-sha224|\-sha256|\-sha384|\-sha512|\-md2|\-md4|\-md5|\-dss1\fR]
 [\fB\-c\fR]
 [\fB\-d\fR]
 [\fB\-hex\fR]
 [\fB\-binary\fR]
+[\fB\-r\fR]
+[\fB\-hmac arg\fR]
+[\fB\-non\-fips\-allow\fR]
 [\fB\-out filename\fR]
 [\fB\-sign filename\fR]
 [\fB\-keyform arg\fR]
@@ -147,16 +159,18 @@ dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests
 [\fB\-prverify filename\fR]
 [\fB\-signature filename\fR]
 [\fB\-hmac key\fR]
+[\fB\-non\-fips\-allow\fR]
+[\fB\-fips\-fingerprint\fR]
 [\fBfile...\fR]
 .PP
-[\fBmd5|md4|md2|sha1|sha|mdc2|ripemd160\fR]
-[\fB\-c\fR]
-[\fB\-d\fR]
-[\fBfile...\fR]
+\&\fBopenssl\fR
+[\fIdigest\fR]
+[\fB...\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The digest functions output the message digest of a supplied file or files
-in hexadecimal form. They can also be used for digital signing and verification.
+in hexadecimal.  The digest functions also generate and verify digital
+signatures using message digests.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
 .IP "\fB\-c\fR" 4
@@ -169,10 +183,21 @@ print out \s-1BIO\s0 debugging information.
 .IP "\fB\-hex\fR" 4
 .IX Item "-hex"
 digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R"
-digest as opposed to a digital signature.
+digest as opposed to a digital signature.  See \s-1NOTES\s0 below for digital
+signatures using \fB\-hex\fR.
 .IP "\fB\-binary\fR" 4
 .IX Item "-binary"
 output the digest or signature in binary form.
+.IP "\fB\-r\fR" 4
+.IX Item "-r"
+output the digest in the \*(L"coreutils\*(R" format used by programs like \fBsha1sum\fR.
+.IP "\fB\-hmac arg\fR" 4
+.IX Item "-hmac arg"
+set the \s-1HMAC\s0 key to \*(L"arg\*(R".
+.IP "\fB\-non\-fips\-allow\fR" 4
+.IX Item "-non-fips-allow"
+Allow use of non \s-1FIPS\s0 digest when in \s-1FIPS\s0 mode.  This has no effect when not in
+\&\s-1FIPS\s0 mode.
 .IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 filename to output to, or standard output by default.
@@ -181,8 +206,8 @@ filename to output to, or standard output by default.
 digitally sign the digest using the private key in \*(L"filename\*(R".
 .IP "\fB\-keyform arg\fR" 4
 .IX Item "-keyform arg"
-Specifies the key format to sign digest with. Only \s-1PEM\s0 and \s-1ENGINE\s0
-formats are supported by the \fBdgst\fR command.
+Specifies the key format to sign digest with. The \s-1DER, PEM, P12,\s0
+and \s-1ENGINE\s0 formats are supported.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 Use engine \fBid\fR for operations (including private key storage).
@@ -195,11 +220,11 @@ Names and values of these options are algorithm-specific.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-verify filename\fR" 4
 .IX Item "-verify filename"
 verify the signature using the public key in \*(L"filename\*(R".
-The output is either \*(L"Verification \s-1OK\s0\*(R" or \*(L"Verification Failure\*(R".
+The output is either \*(L"Verification \s-1OK\*(R"\s0 or \*(L"Verification Failure\*(R".
 .IP "\fB\-prverify filename\fR" 4
 .IX Item "-prverify filename"
 verify the signature using the private key in \*(L"filename\*(R".
@@ -211,8 +236,8 @@ the actual signature to verify.
 create a hashed \s-1MAC\s0 using \*(L"key\*(R".
 .IP "\fB\-mac alg\fR" 4
 .IX Item "-mac alg"
-create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0
-algorithm is \s-1HMAC\s0 (hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
+create \s-1MAC \s0(keyed Message Authentication Code). The most popular \s-1MAC\s0
+algorithm is \s-1HMAC \s0(hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
 which are not based on hash, for instance \fBgost-mac\fR algorithm,
 supported by \fBccgost\fR engine. \s-1MAC\s0 keys and other options should be set
 via \fB\-macopt\fR parameter.
@@ -241,20 +266,46 @@ generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
+.IP "\fB\-non\-fips\-allow\fR" 4
+.IX Item "-non-fips-allow"
+enable use of non-FIPS algorithms such as \s-1MD5\s0 even in \s-1FIPS\s0 mode.
+.IP "\fB\-fips\-fingerprint\fR" 4
+.IX Item "-fips-fingerprint"
+compute \s-1HMAC\s0 using a specific key
+for certain OpenSSL-FIPS operations.
 .IP "\fBfile...\fR" 4
 .IX Item "file..."
 file or files to digest. If no files are specified then standard input is
 used.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+To create a hex-encoded message digest of a file:
+ openssl dgst \-md5 \-hex file.txt
+.PP
+To sign a file using \s-1SHA\-256\s0 with binary file output:
+ openssl dgst \-sha256 \-sign privatekey.pem \-out signature.sign file.txt
+.PP
+To verify a signature:
+ openssl dgst \-sha256 \-verify publickey.pem \e
+ \-signature signature.sign \e
+ file.txt
 .SH "NOTES"
 .IX Header "NOTES"
-The digest of choice for all new applications is \s-1SHA1\s0. Other digests are
+The digest of choice for all new applications is \s-1SHA1.\s0 Other digests are
 however still widely used.
 .PP
-If you wish to sign or verify data using the \s-1DSA\s0 algorithm then the dss1
-digest must be used.
+When signing a file, \fBdgst\fR will automatically determine the algorithm
+(\s-1RSA, ECC,\s0 etc) to use for signing based on the private key's \s-1ASN.1\s0 info.
+When verifying signatures, it only handles the \s-1RSA, DSA,\s0 or \s-1ECDSA\s0 signature
+itself, not the related data to identify the signer and algorithm used in
+formats such as x.509, \s-1CMS,\s0 and S/MIME.
 .PP
 A source of random numbers is required for certain signing algorithms, in
-particular \s-1DSA\s0.
+particular \s-1ECDSA\s0 and \s-1DSA.\s0
 .PP
 The signing and verify options should only be used if a single file is
 being signed or verified.
+.PP
+Hex signatures cannot be verified using \fBopenssl\fR.  Instead, use \*(L"xxd \-r\*(R"
+or similar program to transform the hex signature into a binary signature
+prior to verification.
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1
index 690303b178f0..e905034bd8ba 100644
--- a/secure/usr.bin/openssl/man/dhparam.1
+++ b/secure/usr.bin/openssl/man/dhparam.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DHPARAM 1"
-.TH DHPARAM 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DHPARAM 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -139,6 +148,7 @@ dhparam \- DH parameter manipulation and generation
 [\fB\-in\fR \fIfilename\fR]
 [\fB\-out\fR \fIfilename\fR]
 [\fB\-dsaparam\fR]
+[\fB\-check\fR]
 [\fB\-noout\fR]
 [\fB\-text\fR]
 [\fB\-C\fR]
@@ -154,7 +164,7 @@ This command is used to manipulate \s-1DH\s0 parameter files.
 .IX Header "OPTIONS"
 .IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
 form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the
 default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with
 additional header and footer lines.
@@ -182,6 +192,9 @@ and the recommended exponent length is shorter, which makes \s-1DH\s0 key
 exchange more efficient.  Beware that with such DSA-style \s-1DH\s0
 parameters, a fresh \s-1DH\s0 key should be created for each use to
 avoid small-subgroup attacks that may be possible otherwise.
+.IP "\fB\-check\fR" 4
+.IX Item "-check"
+check if the parameters are valid primes and generator.
 .IP "\fB\-2\fR, \fB\-5\fR" 4
 .IX Item "-2, -5"
 The generator to use, either 2 or 5. 2 is the default. If present then the
@@ -230,8 +243,8 @@ versions of OpenSSL.
 \& \-\-\-\-\-END DH PARAMETERS\-\-\-\-\-
 .Ve
 .PP
-OpenSSL currently only supports the older PKCS#3 \s-1DH\s0, not the newer X9.42
-\&\s-1DH\s0.
+OpenSSL currently only supports the older PKCS#3 \s-1DH,\s0 not the newer X9.42
+\&\s-1DH.\s0
 .PP
 This program manipulates \s-1DH\s0 parameters not keys.
 .SH "BUGS"
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1
index 1421c9e49357..c47b3256645f 100644
--- a/secure/usr.bin/openssl/man/dsa.1
+++ b/secure/usr.bin/openssl/man/dsa.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA 1"
-.TH DSA 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSA 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -140,6 +149,12 @@ dsa \- DSA key processing
 [\fB\-passin arg\fR]
 [\fB\-out filename\fR]
 [\fB\-passout arg\fR]
+[\fB\-aes128\fR]
+[\fB\-aes192\fR]
+[\fB\-aes256\fR]
+[\fB\-camellia128\fR]
+[\fB\-camellia192\fR]
+[\fB\-camellia256\fR]
 [\fB\-des\fR]
 [\fB\-des3\fR]
 [\fB\-idea\fR]
@@ -160,10 +175,10 @@ applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
 .IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
-an \s-1ASN1\s0 \s-1DER\s0 encoded form of an \s-1ASN\s0.1 \s-1SEQUENCE\s0 consisting of the values of
+an \s-1ASN1 DER\s0 encoded form of an \s-1ASN.1 SEQUENCE\s0 consisting of the values of
 version (currently zero), p, q, g, the public and private key components
-respectively as \s-1ASN\s0.1 INTEGERs. When used with a public key it uses a
-SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA\s0.
+respectively as \s-1ASN.1\s0 INTEGERs. When used with a public key it uses a
+SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA.\s0
 .Sp
 The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
 encoded with additional header and footer lines. In the case of a private key
@@ -180,7 +195,7 @@ prompted for.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write a key to or standard output by
@@ -190,11 +205,11 @@ filename.
 .IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
-.IP "\fB\-des|\-des3|\-idea\fR" 4
-.IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
-\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4
+.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea"
+These options encrypt the private key with the specified
+cipher before outputting it. A pass phrase is prompted for.
 If none of these options is specified the key is written in plain text. This
 means that using the \fBdsa\fR utility to read in an encrypted key with no
 encryption option can be used to remove the pass phrase from a key, or by
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1
index 0e5b93b49649..724a71bc58ea 100644
--- a/secure/usr.bin/openssl/man/dsaparam.1
+++ b/secure/usr.bin/openssl/man/dsaparam.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH DSAPARAM 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -152,8 +161,8 @@ This command is used to manipulate or generate \s-1DSA\s0 parameter files.
 .IX Header "OPTIONS"
 .IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
-form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
+form compatible with \s-1RFC2459 \s0(\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
 of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists
 of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines.
 .IP "\fB\-outform DER|PEM\fR" 4
diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1
index 8ccddf619992..dda724dc8fd7 100644
--- a/secure/usr.bin/openssl/man/ec.1
+++ b/secure/usr.bin/openssl/man/ec.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EC 1"
-.TH EC 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH EC 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -155,7 +164,7 @@ ec \- EC key processing
 .IX Header "DESCRIPTION"
 The \fBec\fR command processes \s-1EC\s0 keys. They can be converted between various
 forms and their components printed out. \fBNote\fR OpenSSL uses the 
-private key format specified in '\s-1SEC\s0 1: Elliptic Curve Cryptography'
+private key format specified in '\s-1SEC 1:\s0 Elliptic Curve Cryptography'
 (http://www.secg.org/). To convert a OpenSSL \s-1EC\s0 private key into the
 PKCS#8 private key format use the \fBpkcs8\fR command.
 .SH "COMMAND OPTIONS"
@@ -163,8 +172,8 @@ PKCS#8 private key format use the \fBpkcs8\fR command.
 .IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
-an \s-1ASN\s0.1 \s-1DER\s0 encoded \s-1SEC1\s0 private key. When used with a public key it
-uses the SubjectPublicKeyInfo structur as specified in \s-1RFC\s0 3280.
+an \s-1ASN.1 DER\s0 encoded \s-1SEC1\s0 private key. When used with a public key it
+uses the SubjectPublicKeyInfo structure as specified in \s-1RFC 3280.\s0
 The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
 encoded with additional header and footer lines. In the case of a private key
 PKCS#8 format is also accepted.
@@ -180,7 +189,7 @@ prompted for.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write a key to or standard output by
@@ -190,10 +199,10 @@ filename.
 .IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-des|\-des3|\-idea\fR" 4
 .IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, \s-1IDEA\s0 or 
+These options encrypt the private key with the \s-1DES,\s0 triple \s-1DES, IDEA\s0 or 
 any other cipher supported by OpenSSL before outputting it. A pass phrase is
 prompted for.
 If none of these options is specified the key is written in plain text. This
@@ -232,10 +241,10 @@ the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
 .IX Item "-param_enc arg"
 This specifies how the elliptic curve parameters are encoded.
 Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
-specified by a \s-1OID\s0, or \fBexplicit\fR where the ec parameters are
-explicitly given (see \s-1RFC\s0 3279 for the definition of the 
+specified by a \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are
+explicitly given (see \s-1RFC 3279\s0 for the definition of the 
 \&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR.
-\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC\s0 3279,
+\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC 3279,\s0
 is currently not implemented in OpenSSL.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1
index e55eda52fd0c..1d6fc818fb90 100644
--- a/secure/usr.bin/openssl/man/ecparam.1
+++ b/secure/usr.bin/openssl/man/ecparam.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ECPARAM 1"
-.TH ECPARAM 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ECPARAM 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -143,7 +152,7 @@ ecparam \- EC parameter manipulation and generation
 [\fB\-C\fR]
 [\fB\-check\fR]
 [\fB\-name arg\fR]
-[\fB\-list_curve\fR]
+[\fB\-list_curves\fR]
 [\fB\-conv_form arg\fR]
 [\fB\-param_enc arg\fR]
 [\fB\-no_seed\fR]
@@ -157,8 +166,8 @@ This command is used to manipulate or generate \s-1EC\s0 parameter files.
 .IX Header "OPTIONS"
 .IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN\s0.1 \s-1DER\s0 encoded
-form compatible with \s-1RFC\s0 3279 EcpkParameters. The \s-1PEM\s0 form is the default
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN.1 DER\s0 encoded
+form compatible with \s-1RFC 3279\s0 EcpkParameters. The \s-1PEM\s0 form is the default
 format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional 
 header and footer lines.
 .IP "\fB\-outform DER|PEM\fR" 4
@@ -208,15 +217,15 @@ the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
 .IX Item "-param_enc arg"
 This specifies how the elliptic curve parameters are encoded.
 Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
-specified by a \s-1OID\s0, or \fBexplicit\fR where the ec parameters are
-explicitly given (see \s-1RFC\s0 3279 for the definition of the 
+specified by a \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are
+explicitly given (see \s-1RFC 3279\s0 for the definition of the 
 \&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR.
-\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC\s0 3279,
+\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC 3279,\s0
 is currently not implemented in OpenSSL.
 .IP "\fB\-no_seed\fR" 4
 .IX Item "-no_seed"
 This option inhibits that the 'seed' for the parameter generation
-is included in the ECParameters structure (see \s-1RFC\s0 3279).
+is included in the ECParameters structure (see \s-1RFC 3279\s0).
 .IP "\fB\-genkey\fR" 4
 .IX Item "-genkey"
 This option will generate a \s-1EC\s0 private key using the specified parameters.
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1
index 09ee9e10a70b..ec31b47101d5 100644
--- a/secure/usr.bin/openssl/man/enc.1
+++ b/secure/usr.bin/openssl/man/enc.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ENC 1"
-.TH ENC 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ENC 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -174,13 +183,13 @@ the output filename, standard output by default.
 .IP "\fB\-pass arg\fR" 4
 .IX Item "-pass arg"
 the password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-salt\fR" 4
 .IX Item "-salt"
 use a salt in the key derivation routines. This is the default.
 .IP "\fB\-nosalt\fR" 4
 .IX Item "-nosalt"
-don't use a salt in the key derivation routines. This option \fB\s-1SHOULD\s0 \s-1NOT\s0\fR be
+don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be
 used except for test purposes or compatibility with ancient versions of OpenSSL
 and SSLeay.
 .IP "\fB\-e\fR" 4
@@ -311,6 +320,10 @@ unsupported options (for example \fBopenssl enc \-help\fR) includes a
 list of ciphers, supported by your versesion of OpenSSL, including
 ones provided by configured engines.
 .PP
+The \fBenc\fR program does not support authenticated encryption modes
+like \s-1CCM\s0 and \s-1GCM.\s0 The utility does not store or retrieve the
+authentication tag.
+.PP
 .Vb 1
 \& base64             Base 64
 \&
diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1
index 42601405ff7d..742e7d54c50e 100644
--- a/secure/usr.bin/openssl/man/errstr.1
+++ b/secure/usr.bin/openssl/man/errstr.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERRSTR 1"
-.TH ERRSTR 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH ERRSTR 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1
index 60ceaeb60461..cfeb4292059d 100644
--- a/secure/usr.bin/openssl/man/gendsa.1
+++ b/secure/usr.bin/openssl/man/gendsa.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "GENDSA 1"
-.TH GENDSA 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH GENDSA 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -135,6 +144,12 @@ gendsa \- generate a DSA private key from a set of parameters
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBgendsa\fR
 [\fB\-out filename\fR]
+[\fB\-aes128\fR]
+[\fB\-aes192\fR]
+[\fB\-aes256\fR]
+[\fB\-camellia128\fR]
+[\fB\-camellia192\fR]
+[\fB\-camellia256\fR]
 [\fB\-des\fR]
 [\fB\-des3\fR]
 [\fB\-idea\fR]
@@ -147,10 +162,10 @@ The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 pa
 (which will be typically generated by the \fBopenssl dsaparam\fR command).
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.IP "\fB\-des|\-des3|\-idea\fR" 4
-.IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
-\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
+.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4
+.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea"
+These options encrypt the private key with specified
+cipher before outputting it. A pass phrase is prompted for.
 If none of these options is specified no encryption is used.
 .IP "\fB\-rand file(s)\fR" 4
 .IX Item "-rand file(s)"
diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1
index 6cad13cd75db..6a808d0aab0f 100644
--- a/secure/usr.bin/openssl/man/genpkey.1
+++ b/secure/usr.bin/openssl/man/genpkey.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "GENPKEY 1"
-.TH GENPKEY 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH GENPKEY 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -155,11 +164,11 @@ the output filename. If this argument is not specified then standard output is
 used.
 .IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
-This specifies the output format \s-1DER\s0 or \s-1PEM\s0.
+This specifies the output format \s-1DER\s0 or \s-1PEM.\s0
 .IP "\fB\-pass arg\fR" 4
 .IX Item "-pass arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-cipher\fR" 4
 .IX Item "-cipher"
 This option encrypts the private key with the supplied cipher. Any algorithm
@@ -173,14 +182,14 @@ for all available algorithms. If used this option should precede all other
 options.
 .IP "\fB\-algorithm alg\fR" 4
 .IX Item "-algorithm alg"
-public key algorithm to use such as \s-1RSA\s0, \s-1DSA\s0 or \s-1DH\s0. If used this option must
+public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must
 precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
 are mutually exclusive.
 .IP "\fB\-pkeyopt opt:value\fR" 4
 .IX Item "-pkeyopt opt:value"
 set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
 options supported depends on the public key algorithm used and its
-implementation. See \fB\s-1KEY\s0 \s-1GENERATION\s0 \s-1OPTIONS\s0\fR below for more details.
+implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR below for more details.
 .IP "\fB\-genparam\fR" 4
 .IX Item "-genparam"
 generate a set of parameters instead of a private key. If used this option must
@@ -235,14 +244,14 @@ one should load the ccgost engine in the OpenSSL configuration file.
 See \s-1README\s0.gost file in the engines/ccgost directiry of the source
 distribution for more details.
 .PP
-Use of a parameter file for the \s-1GOST\s0 R 34.10 algorithm is optional.
+Use of a parameter file for the \s-1GOST R 34.10\s0 algorithm is optional.
 Parameters can be specified during key generation directly as well as
 during generation of parameter file.
 .IP "\fBparamset:name\fR" 4
 .IX Item "paramset:name"
-Specifies \s-1GOST\s0 R 34.10\-2001 parameter set according to \s-1RFC\s0 4357.
+Specifies \s-1GOST R 34.10\-2001\s0 parameter set according to \s-1RFC 4357.\s0
 Parameter set can be specified using abbreviated name, object short name or
-numeric \s-1OID\s0. Following parameter sets are supported:
+numeric \s-1OID.\s0 Following parameter sets are supported:
 .Sp
 .Vb 7
 \&  paramset   OID               Usage
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1
index c60e4d29801d..c37f2d832ed0 100644
--- a/secure/usr.bin/openssl/man/genrsa.1
+++ b/secure/usr.bin/openssl/man/genrsa.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "GENRSA 1"
-.TH GENRSA 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH GENRSA 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -136,6 +145,18 @@ genrsa \- generate an RSA private key
 \&\fBopenssl\fR \fBgenrsa\fR
 [\fB\-out filename\fR]
 [\fB\-passout arg\fR]
+[\fB\-aes128\fR]
+[\fB\-aes128\fR]
+[\fB\-aes192\fR]
+[\fB\-aes256\fR]
+[\fB\-camellia128\fR]
+[\fB\-camellia192\fR]
+[\fB\-camellia256\fR]
+[\fB\-aes192\fR]
+[\fB\-aes256\fR]
+[\fB\-camellia128\fR]
+[\fB\-camellia192\fR]
+[\fB\-camellia256\fR]
 [\fB\-des\fR]
 [\fB\-des3\fR]
 [\fB\-idea\fR]
@@ -156,11 +177,11 @@ used.
 .IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
-.IP "\fB\-des|\-des3|\-idea\fR" 4
-.IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
-\&\s-1IDEA\s0 ciphers respectively before outputting it. If none of these options is
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4
+.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea"
+These options encrypt the private key with specified
+cipher before outputting it. If none of these options is
 specified no encryption is used. If encryption is used a pass phrase is prompted
 for if it is not supplied via the \fB\-passout\fR argument.
 .IP "\fB\-F4|\-3\fR" 4
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1
index 9375584a8494..c9576279ff5b 100644
--- a/secure/usr.bin/openssl/man/nseq.1
+++ b/secure/usr.bin/openssl/man/nseq.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "NSEQ 1"
-.TH NSEQ 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH NSEQ 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1
index 775a7273bb39..9af6e38ebdcc 100644
--- a/secure/usr.bin/openssl/man/ocsp.1
+++ b/secure/usr.bin/openssl/man/ocsp.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OCSP 1"
-.TH OCSP 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OCSP 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -182,7 +191,7 @@ ocsp \- Online Certificate Status Protocol utility
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
-determine the (revocation) state of an identified certificate (\s-1RFC\s0 2560).
+determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0).
 .PP
 The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used
 to print out requests and responses, create requests and send queries
@@ -238,12 +247,15 @@ if \s-1OCSP\s0 request or response creation is implied by other options (for exa
 with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
 .IP "\fB\-url responder_url\fR" 4
 .IX Item "-url responder_url"
-specify the responder \s-1URL\s0. Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
+specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS \s0(\s-1SSL/TLS\s0) URLs can be specified.
 .IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
 .IX Item "-host hostname:port, -path pathname"
 if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
 \&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use
 or \*(L"/\*(R" by default.
+.IP "\fB\-timeout seconds\fR" 4
+.IX Item "-timeout seconds"
+connection timeout to the \s-1OCSP\s0 responder in seconds
 .IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
 .IX Item "-CAfile file, -CApath pathname"
 file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
@@ -339,7 +351,7 @@ Additional certificates to include in the \s-1OCSP\s0 response.
 Don't include any certificates in the \s-1OCSP\s0 response.
 .IP "\fB\-resp_key_id\fR" 4
 .IX Item "-resp_key_id"
-Identify the signer certificate using the key \s-1ID\s0, default is to use the subject name.
+Identify the signer certificate using the key \s-1ID,\s0 default is to use the subject name.
 .IP "\fB\-rkey file\fR" 4
 .IX Item "-rkey file"
 The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the
@@ -358,7 +370,7 @@ Number of minutes or days when fresh revocation information is available: used i
 omitted meaning fresh revocation information is immediately available.
 .SH "OCSP Response verification."
 .IX Header "OCSP Response verification."
-\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560\s0.
+\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0
 .PP
 Initially the \s-1OCSP\s0 responder certificate is located and the signature on
 the \s-1OCSP\s0 request checked using the responder certificate's public key.
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
index 6372c8e687c1..f182b3fbd026 100644
--- a/secure/usr.bin/openssl/man/openssl.1
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL 1"
-.TH OPENSSL 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH OPENSSL 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -192,11 +201,11 @@ same name, this provides an easy way for shell scripts to test for the
 availability of ciphers in the \fBopenssl\fR program.  (\fBno\-\fR\fI\s-1XXX\s0\fR is
 not able to detect pseudo-commands such as \fBquit\fR,
 \&\fBlist\-\fR\fI...\fR\fB\-commands\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.)
-.SS "\s-1STANDARD\s0 \s-1COMMANDS\s0"
+.SS "\s-1STANDARD COMMANDS\s0"
 .IX Subsection "STANDARD COMMANDS"
 .IP "\fBasn1parse\fR" 10
 .IX Item "asn1parse"
-Parse an \s-1ASN\s0.1 sequence.
+Parse an \s-1ASN.1\s0 sequence.
 .IP "\fBca\fR" 10
 .IX Item "ca"
 Certificate Authority (\s-1CA\s0) Management.
@@ -205,7 +214,7 @@ Certificate Authority (\s-1CA\s0) Management.
 Cipher Suite Description Determination.
 .IP "\fBcms\fR" 10
 .IX Item "cms"
-\&\s-1CMS\s0 (Cryptographic Message Syntax) utility
+\&\s-1CMS \s0(Cryptographic Message Syntax) utility
 .IP "\fBcrl\fR" 10
 .IX Item "crl"
 Certificate Revocation List (\s-1CRL\s0) Management.
@@ -232,7 +241,7 @@ Generation and Management of Diffie-Hellman Parameters. Superseded by
 \&\fBgenpkey\fR and \fBpkeyparam\fR
 .IP "\fBec\fR" 10
 .IX Item "ec"
-\&\s-1EC\s0 (Elliptic curve) key processing
+\&\s-1EC \s0(Elliptic curve) key processing
 .IP "\fBecparam\fR" 10
 .IX Item "ecparam"
 \&\s-1EC\s0 parameter manipulation and generation
@@ -299,13 +308,13 @@ by  \fBpkeyutl\fR
 .IP "\fBs_client\fR" 10
 .IX Item "s_client"
 This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
-connection to a remote server speaking \s-1SSL/TLS\s0. It's intended for testing
+connection to a remote server speaking \s-1SSL/TLS.\s0 It's intended for testing
 purposes only and provides only rudimentary interface functionality but
 internally uses mostly all functionality of the OpenSSL \fBssl\fR library.
 .IP "\fBs_server\fR" 10
 .IX Item "s_server"
 This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote
-clients speaking \s-1SSL/TLS\s0. It's intended for testing purposes only and provides
+clients speaking \s-1SSL/TLS.\s0 It's intended for testing purposes only and provides
 only rudimentary interface functionality but internally uses mostly all
 functionality of the OpenSSL \fBssl\fR library.  It provides both an own command
 line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response
@@ -337,7 +346,7 @@ OpenSSL Version Information.
 .IP "\fBx509\fR" 10
 .IX Item "x509"
 X.509 Certificate Data Management.
-.SS "\s-1MESSAGE\s0 \s-1DIGEST\s0 \s-1COMMANDS\s0"
+.SS "\s-1MESSAGE DIGEST COMMANDS\s0"
 .IX Subsection "MESSAGE DIGEST COMMANDS"
 .IP "\fBmd2\fR" 10
 .IX Item "md2"
@@ -369,7 +378,7 @@ X.509 Certificate Data Management.
 .IP "\fBsha512\fR" 10
 .IX Item "sha512"
 \&\s-1SHA\-512\s0 Digest
-.SS "\s-1ENCODING\s0 \s-1AND\s0 \s-1CIPHER\s0 \s-1COMMANDS\s0"
+.SS "\s-1ENCODING AND CIPHER COMMANDS\s0"
 .IX Subsection "ENCODING AND CIPHER COMMANDS"
 .IP "\fBbase64\fR" 10
 .IX Item "base64"
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1
index 9a3fbd2340c5..9494bb05984a 100644
--- a/secure/usr.bin/openssl/man/passwd.1
+++ b/secure/usr.bin/openssl/man/passwd.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PASSWD 1"
-.TH PASSWD 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PASSWD 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1
index ded4636099fe..c8786ba2bc71 100644
--- a/secure/usr.bin/openssl/man/pkcs12.1
+++ b/secure/usr.bin/openssl/man/pkcs12.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS12 1"
-.TH PKCS12 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS12 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -186,16 +195,20 @@ by default.
 .IX Item "-out filename"
 The filename to write certificates and private keys to, standard output by
 default.  They are all written in \s-1PEM\s0 format.
-.IP "\fB\-pass arg\fR, \fB\-passin arg\fR" 4
-.IX Item "-pass arg, -passin arg"
+.IP "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
 the PKCS#12 file (i.e. input file) password source. For more information about
-the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
+the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in
 \&\fIopenssl\fR\|(1).
 .IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
-pass phrase source to encrypt any outputed private keys with. For more
-information about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section
+pass phrase source to encrypt any outputted private keys with. For more
+information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section
 in \fIopenssl\fR\|(1).
+.IP "\fB\-password arg\fR" 4
+.IX Item "-password arg"
+With \-export, \-password is equivalent to \-passout.
+Otherwise, \-password is equivalent to \-passin.
 .IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option inhibits output of the keys and certificates to the output file
@@ -278,12 +291,12 @@ displays them.
 .IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
 .IX Item "-pass arg, -passout arg"
 the PKCS#12 file (i.e. output file) password source. For more information about
-the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
+the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in
 \&\fIopenssl\fR\|(1).
 .IP "\fB\-passin password\fR" 4
 .IX Item "-passin password"
 pass phrase source to decrypt any input private keys with. For more information
-about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
+about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in
 \&\fIopenssl\fR\|(1).
 .IP "\fB\-chain\fR" 4
 .IX Item "-chain"
@@ -292,9 +305,9 @@ certificate chain of the user certificate. The standard \s-1CA\s0 store is used
 for this search. If the search fails it is considered a fatal error.
 .IP "\fB\-descert\fR" 4
 .IX Item "-descert"
-encrypt the certificate using triple \s-1DES\s0, this may render the PKCS#12
+encrypt the certificate using triple \s-1DES,\s0 this may render the PKCS#12
 file unreadable by some \*(L"export grade\*(R" software. By default the private
-key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0.
+key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2.\s0
 .IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
 .IX Item "-keypbe alg, -certpbe alg"
 these options allow the algorithm used to encrypt the private key and
@@ -311,7 +324,7 @@ This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. N
 encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
 option marks the key for signing only. Signing only keys can be used for
 S/MIME signing, authenticode (ActiveX control signing)  and \s-1SSL\s0 client
-authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support
+authentication, however due to a bug only \s-1MSIE 5.0\s0 and later support
 the use of signing only keys for \s-1SSL\s0 client authentication.
 .IP "\fB\-macalg digest\fR" 4
 .IX Item "-macalg digest"
@@ -319,7 +332,7 @@ specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will b
 .IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
 .IX Item "-nomaciter, -noiter"
 these options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
-Unless you wish to produce files compatible with \s-1MSIE\s0 4.0 you should leave
+Unless you wish to produce files compatible with \s-1MSIE 4.0\s0 you should leave
 these options alone.
 .Sp
 To discourage attacks by using large dictionaries of common passwords the
@@ -331,7 +344,7 @@ By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, usin
 these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
 this reduces the file security you should not use these options unless you
 really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
-\&\s-1MSIE\s0 4.0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
+\&\s-1MSIE 4.0\s0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
 option.
 .IP "\fB\-maciter\fR" 4
 .IX Item "-maciter"
@@ -379,7 +392,7 @@ The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
 algorithms for private keys and certificates to be specified. Normally
 the defaults are fine but occasionally software can't handle triple \s-1DES\s0
 encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can
-be used to reduce the private key encryption to 40 bit \s-1RC2\s0. A complete
+be used to reduce the private key encryption to 40 bit \s-1RC2. A\s0 complete
 description of all algorithms is contained in the \fBpkcs8\fR manual page.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1
index b85e8b23b46f..bdb01c524394 100644
--- a/secure/usr.bin/openssl/man/pkcs7.1
+++ b/secure/usr.bin/openssl/man/pkcs7.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS7 1"
-.TH PKCS7 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS7 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -215,7 +224,7 @@ For compatibility with some CAs it will also accept:
 There is no option to print out all the fields of a PKCS#7 file.
 .PP
 This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they 
-cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630\s0.
+cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630.\s0
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIcrl2pkcs7\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1
index 7d09594b4a03..0965b4e2fdaf 100644
--- a/secure/usr.bin/openssl/man/pkcs8.1
+++ b/secure/usr.bin/openssl/man/pkcs8.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS8 1"
-.TH PKCS8 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKCS8 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -180,7 +189,7 @@ prompted for.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write a key to or standard output by
@@ -190,7 +199,7 @@ filename.
 .IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-nocrypt\fR" 4
 .IX Item "-nocrypt"
 PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
@@ -202,15 +211,15 @@ code signing software used unencrypted private keys.
 .IP "\fB\-nooct\fR" 4
 .IX Item "-nooct"
 This option generates \s-1RSA\s0 private keys in a broken format that some software
-uses. Specifically the private key should be enclosed in a \s-1OCTET\s0 \s-1STRING\s0
+uses. Specifically the private key should be enclosed in a \s-1OCTET STRING\s0
 but some software just includes the structure itself without the
-surrounding \s-1OCTET\s0 \s-1STRING\s0.
+surrounding \s-1OCTET STRING.\s0
 .IP "\fB\-embed\fR" 4
 .IX Item "-embed"
 This option generates \s-1DSA\s0 keys in a broken format. The \s-1DSA\s0 parameters are
-embedded inside the PrivateKey structure. In this form the \s-1OCTET\s0 \s-1STRING\s0
-contains an \s-1ASN1\s0 \s-1SEQUENCE\s0 consisting of two structures: a \s-1SEQUENCE\s0 containing
-the parameters and an \s-1ASN1\s0 \s-1INTEGER\s0 containing the private key.
+embedded inside the PrivateKey structure. In this form the \s-1OCTET STRING\s0
+contains an \s-1ASN1 SEQUENCE\s0 consisting of two structures: a \s-1SEQUENCE\s0 containing
+the parameters and an \s-1ASN1 INTEGER\s0 containing the private key.
 .IP "\fB\-nsdb\fR" 4
 .IX Item "-nsdb"
 This option generates \s-1DSA\s0 keys in a broken format compatible with Netscape
@@ -276,17 +285,17 @@ level whereas the traditional format includes them at a \s-1PEM\s0 level.
 Various algorithms can be used with the \fB\-v1\fR command line option,
 including PKCS#5 v1.5 and PKCS#12. These are described in more detail
 below.
-.IP "\fB\s-1PBE\-MD2\-DES\s0 \s-1PBE\-MD5\-DES\s0\fR" 4
+.IP "\fB\s-1PBE\-MD2\-DES PBE\-MD5\-DES\s0\fR" 4
 .IX Item "PBE-MD2-DES PBE-MD5-DES"
 These algorithms were included in the original PKCS#5 v1.5 specification.
-They only offer 56 bits of protection since they both use \s-1DES\s0.
-.IP "\fB\s-1PBE\-SHA1\-RC2\-64\s0 \s-1PBE\-MD2\-RC2\-64\s0 \s-1PBE\-MD5\-RC2\-64\s0 \s-1PBE\-SHA1\-DES\s0\fR" 4
+They only offer 56 bits of protection since they both use \s-1DES.\s0
+.IP "\fB\s-1PBE\-SHA1\-RC2\-64 PBE\-MD2\-RC2\-64 PBE\-MD5\-RC2\-64 PBE\-SHA1\-DES\s0\fR" 4
 .IX Item "PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES"
 These algorithms are not mentioned in the original PKCS#5 v1.5 specification
 but they use the same key derivation algorithm and are supported by some
 software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or
-56 bit \s-1DES\s0.
-.IP "\fB\s-1PBE\-SHA1\-RC4\-128\s0 \s-1PBE\-SHA1\-RC4\-40\s0 \s-1PBE\-SHA1\-3DES\s0 \s-1PBE\-SHA1\-2DES\s0 \s-1PBE\-SHA1\-RC2\-128\s0 \s-1PBE\-SHA1\-RC2\-40\s0\fR" 4
+56 bit \s-1DES.\s0
+.IP "\fB\s-1PBE\-SHA1\-RC4\-128 PBE\-SHA1\-RC4\-40 PBE\-SHA1\-3DES PBE\-SHA1\-2DES PBE\-SHA1\-RC2\-128 PBE\-SHA1\-RC2\-40\s0\fR" 4
 .IX Item "PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40"
 These algorithms use the PKCS#12 password based encryption algorithm and
 allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used.
@@ -327,13 +336,13 @@ Convert a private key from any PKCS#8 format to traditional format:
 .SH "STANDARDS"
 .IX Header "STANDARDS"
 Test vectors from this PKCS#5 v2.0 implementation were posted to the
-pkcs-tng mailing list using triple \s-1DES\s0, \s-1DES\s0 and \s-1RC2\s0 with high iteration
+pkcs-tng mailing list using triple \s-1DES, DES\s0 and \s-1RC2\s0 with high iteration
 counts, several people confirmed that they could decrypt the private
 keys produced and Therefore it can be assumed that the PKCS#5 v2.0
 implementation is reasonably accurate at least as far as these
 algorithms are concerned.
 .PP
-The format of PKCS#8 \s-1DSA\s0 (and other) private keys is not well documented:
+The format of PKCS#8 \s-1DSA \s0(and other) private keys is not well documented:
 it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0
 PKCS#8 private key format complies with this standard.
 .SH "BUGS"
diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/pkey.1
index da704091d5b6..987d640915bc 100644
--- a/secure/usr.bin/openssl/man/pkey.1
+++ b/secure/usr.bin/openssl/man/pkey.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKEY 1"
-.TH PKEY 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKEY 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -155,7 +164,7 @@ between various forms and their components printed out.
 .IX Header "COMMAND OPTIONS"
 .IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
-This specifies the input format \s-1DER\s0 or \s-1PEM\s0.
+This specifies the input format \s-1DER\s0 or \s-1PEM.\s0
 .IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
@@ -168,7 +177,7 @@ prompted for.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write a key to or standard output if this
@@ -178,7 +187,7 @@ filename.
 .IP "\fB\-passout password\fR" 4
 .IX Item "-passout password"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-cipher\fR" 4
 .IX Item "-cipher"
 These options encrypt the private key with the supplied cipher. Any algorithm
diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/pkeyparam.1
index f2c1a9350487..a975ff27bada 100644
--- a/secure/usr.bin/openssl/man/pkeyparam.1
+++ b/secure/usr.bin/openssl/man/pkeyparam.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKEYPARAM 1"
-.TH PKEYPARAM 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKEYPARAM 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/pkeyutl.1
index 73b167041b45..feebdefefda8 100644
--- a/secure/usr.bin/openssl/man/pkeyutl.1
+++ b/secure/usr.bin/openssl/man/pkeyutl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKEYUTL 1"
-.TH PKEYUTL 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH PKEYUTL 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -174,17 +183,17 @@ default.
 the input key file, by default it should be a private key.
 .IP "\fB\-keyform PEM|DER\fR" 4
 .IX Item "-keyform PEM|DER"
-the key format \s-1PEM\s0, \s-1DER\s0 or \s-1ENGINE\s0.
+the key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-peerkey file\fR" 4
 .IX Item "-peerkey file"
 the peer key file, used by key derivation (agreement) operations.
 .IP "\fB\-peerform PEM|DER\fR" 4
 .IX Item "-peerform PEM|DER"
-the peer key format \s-1PEM\s0, \s-1DER\s0 or \s-1ENGINE\s0.
+the peer key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyutl\fR
@@ -246,7 +255,7 @@ operations however.
 .IX Item "-rsa_padding_mode:mode"
 This sets the \s-1RSA\s0 padding mode. Acceptable values for \fBmode\fR are \fBpkcs1\fR for
 PKCS#1 padding, \fBsslv23\fR for SSLv23 padding, \fBnone\fR for no padding, \fBoaep\fR
-for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS\s0.
+for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS.\s0
 .Sp
 In PKCS#1 padding if the message digest is not set then the supplied data is 
 signed or verified directly instead of using a \fBDigestInfo\fR structure. If a
@@ -256,7 +265,7 @@ must correspond to the digest type.
 For \fBoeap\fR mode only encryption and decryption is supported.
 .Sp
 For \fBx931\fR if the digest type is set it is used to format the block data
-otherwise the first byte is used to specify the X9.31 digest \s-1ID\s0. Sign,
+otherwise the first byte is used to specify the X9.31 digest \s-1ID.\s0 Sign,
 verify and verifyrecover are can be performed in this mode.
 .Sp
 For \fBpss\fR mode only sign and verify are supported and the digest type must be
@@ -280,7 +289,7 @@ options.
 .SH "EC ALGORITHM"
 .IX Header "EC ALGORITHM"
 The \s-1EC\s0 algorithm supports sign, verify and derive operations. The sign and
-verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH\s0. Currently there are no
+verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH.\s0 Currently there are no
 additional options other than \fBdigest\fR. Only the \s-1SHA1\s0 digest can be used and
 this digest is assumed by default.
 .SH "EXAMPLES"
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1
index 598ad00dec27..db973d643b7f 100644
--- a/secure/usr.bin/openssl/man/rand.1
+++ b/secure/usr.bin/openssl/man/rand.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND 1"
-.TH RAND 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RAND 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1
index 84bc6f07af88..3e24f621a8a9 100644
--- a/secure/usr.bin/openssl/man/req.1
+++ b/secure/usr.bin/openssl/man/req.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "REQ 1"
-.TH REQ 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH REQ 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -183,7 +192,7 @@ for use as root CAs for example.
 .IX Header "COMMAND OPTIONS"
 .IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
 form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it
 consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and
 footer lines.
@@ -199,7 +208,7 @@ options (\fB\-new\fR and \fB\-newkey\fR) are not specified.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write to or standard output by
@@ -207,7 +216,7 @@ default.
 .IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out the certificate request in text form.
@@ -270,15 +279,15 @@ if neccessary should be specified via \fB\-pkeyopt\fR parameter.
 .Sp
 \&\fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters
 in the file \fBfilename\fR. \fBec:filename\fR generates \s-1EC\s0 key (usable both with
-\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:filename\fR generates \s-1GOST\s0 R
-34.10\-2001 key (requires \fBccgost\fR engine configured in the configuration
+\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:filename\fR generates \s-1GOST R
+34.10\-2001\s0 key (requires \fBccgost\fR engine configured in the configuration
 file). If just \fBgost2001\fR is specified a parameter set should be
 specified by \fB\-pkeyopt paramset:X\fR
 .IP "\fB\-pkeyopt opt:value\fR" 4
 .IX Item "-pkeyopt opt:value"
 set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
 options supported depends on the public key algorithm used and its
-implementation. See \fB\s-1KEY\s0 \s-1GENERATION\s0 \s-1OPTIONS\s0\fR in the \fBgenpkey\fR manual page
+implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR in the \fBgenpkey\fR manual page
 for more details.
 .IP "\fB\-key filename\fR" 4
 .IX Item "-key filename"
@@ -304,8 +313,8 @@ this specifies the message digest to sign the request with (such as
 the configuration file.
 .Sp
 Some public key algorithms may override this choice. For instance, \s-1DSA\s0
-signatures always use \s-1SHA1\s0, \s-1GOST\s0 R 34.10 signatures always use
-\&\s-1GOST\s0 R 34.11\-94 (\fB\-md_gost94\fR).
+signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use
+\&\s-1GOST R 34.11\-94 \s0(\fB\-md_gost94\fR).
 .IP "\fB\-config filename\fR" 4
 .IX Item "-config filename"
 this allows an alternative configuration file to be specified,
@@ -329,7 +338,7 @@ If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\f
 .IX Item "-x509"
 this option outputs a self signed certificate instead of a certificate
 request. This is typically used to generate a test certificate or
-a self signed root \s-1CA\s0. The extensions added to the certificate
+a self signed root \s-1CA.\s0 The extensions added to the certificate
 (if any) are specified in the configuration file. Unless specified
 using the \fBset_serial\fR option \fB0\fR will be used for the serial
 number.
@@ -356,7 +365,7 @@ a variety of purposes.
 .IP "\fB\-utf8\fR" 4
 .IX Item "-utf8"
 this option causes field values to be interpreted as \s-1UTF8\s0 strings, by 
-default they are interpreted as \s-1ASCII\s0. This means that the field
+default they are interpreted as \s-1ASCII.\s0 This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid \s-1UTF8\s0 strings.
 .IP "\fB\-nameopt option\fR" 4
@@ -380,10 +389,10 @@ accept requests containing no attributes in an invalid form: this
 option produces this invalid format.
 .Sp
 More precisely the \fBAttributes\fR in a PKCS#10 certificate request
-are defined as a \fB\s-1SET\s0 \s-1OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so
+are defined as a \fB\s-1SET OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so
 if no attributes are present then they should be encoded as an
-empty \fB\s-1SET\s0 \s-1OF\s0\fR. The invalid form does not include the empty
-\&\fB\s-1SET\s0 \s-1OF\s0\fR whereas the correct form does.
+empty \fB\s-1SET OF\s0\fR. The invalid form does not include the empty
+\&\fB\s-1SET OF\s0\fR whereas the correct form does.
 .Sp
 It should be noted that very few CAs still require the use of this option.
 .IP "\fB\-no\-asn1\-kludge\fR" 4
@@ -391,7 +400,7 @@ It should be noted that very few CAs still require the use of this option.
 Reverses effect of \fB\-asn1\-kludge\fR
 .IP "\fB\-newhdr\fR" 4
 .IX Item "-newhdr"
-Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputed
+Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputted
 request. Some software (Netscape certificate server) and some CAs need this.
 .IP "\fB\-batch\fR" 4
 .IX Item "-batch"
@@ -435,7 +444,7 @@ specified the key is written to standard output. This can be
 overridden by the \fB\-keyout\fR option.
 .IP "\fBoid_file\fR" 4
 .IX Item "oid_file"
-This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
+This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
 Each line of the file should consist of the numerical form of the
 object identifier followed by white space then the short name followed
 by white space and finally the long name.
@@ -468,7 +477,7 @@ fields. Most users will not need to change this option.
 It can be set to several values \fBdefault\fR which is also the default
 option uses PrintableStrings, T61Strings and BMPStrings if the 
 \&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will
-be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0. If the
+be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459.\s0 If the
 \&\fButf8only\fR option is used then only UTF8Strings will be used: this
 is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR
 option just uses PrintableStrings and T61Strings: certain software has
@@ -493,7 +502,7 @@ expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections.
 .IP "\fButf8\fR" 4
 .IX Item "utf8"
 if set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0
-strings, by default they are interpreted as \s-1ASCII\s0. This means that
+strings, by default they are interpreted as \s-1ASCII.\s0 This means that
 the field values, whether prompted from a terminal or obtained from a
 configuration file, must be valid \s-1UTF8\s0 strings.
 .IP "\fBattributes\fR" 4
@@ -546,7 +555,7 @@ on the field being used (for example countryName can only ever be
 two characters long and must fit in a PrintableString).
 .PP
 Some fields (such as organizationName) can be used more than once
-in a \s-1DN\s0. This presents a problem because configuration files will
+in a \s-1DN.\s0 This presents a problem because configuration files will
 not recognize the same name occurring twice. To avoid this problem
 if the fieldName contains some characters followed by a full stop
 they will be ignored. So for example a second organizationName can
@@ -721,14 +730,14 @@ Another puzzling message is this:
 .Ve
 .PP
 this is displayed when no attributes are present and the request includes
-the correct empty \fB\s-1SET\s0 \s-1OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0
+the correct empty \fB\s-1SET OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0
 0x00). If you just see:
 .PP
 .Vb 1
 \&        Attributes:
 .Ve
 .PP
-then the \fB\s-1SET\s0 \s-1OF\s0\fR is missing and the encoding is technically invalid (but
+then the \fB\s-1SET OF\s0\fR is missing and the encoding is technically invalid (but
 it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR
 for more information.
 .SH "ENVIRONMENT VARIABLES"
@@ -740,7 +749,7 @@ environment variable serves the same purpose but its use is discouraged.
 .SH "BUGS"
 .IX Header "BUGS"
 OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
-treats them as \s-1ISO\-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
+treats them as \s-1ISO\-8859\-1 \s0(Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
 This can cause problems if you need characters that aren't available in
 PrintableStrings and you don't want to or can't use BMPStrings.
 .PP
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1
index 72757fb7af81..cd6ae99eb12e 100644
--- a/secure/usr.bin/openssl/man/rsa.1
+++ b/secure/usr.bin/openssl/man/rsa.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA 1"
-.TH RSA 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSA 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -141,6 +150,12 @@ rsa \- RSA key processing tool
 [\fB\-out filename\fR]
 [\fB\-passout arg\fR]
 [\fB\-sgckey\fR]
+[\fB\-aes128\fR]
+[\fB\-aes192\fR]
+[\fB\-aes256\fR]
+[\fB\-camellia128\fR]
+[\fB\-camellia192\fR]
+[\fB\-camellia256\fR]
 [\fB\-des\fR]
 [\fB\-des3\fR]
 [\fB\-idea\fR]
@@ -150,6 +165,8 @@ rsa \- RSA key processing tool
 [\fB\-check\fR]
 [\fB\-pubin\fR]
 [\fB\-pubout\fR]
+[\fB\-RSAPublicKey_in\fR]
+[\fB\-RSAPublicKey_out\fR]
 [\fB\-engine id\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
@@ -162,7 +179,7 @@ utility.
 .IX Header "COMMAND OPTIONS"
 .IP "\fB\-inform DER|NET|PEM\fR" 4
 .IX Item "-inform DER|NET|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
 form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
 The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
 encoded with additional header and footer lines. On input PKCS#8 format private
@@ -180,7 +197,7 @@ prompted for.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write a key to or standard output if this
@@ -190,15 +207,15 @@ filename.
 .IP "\fB\-passout password\fR" 4
 .IX Item "-passout password"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-sgckey\fR" 4
 .IX Item "-sgckey"
 use the modified \s-1NET\s0 algorithm used with some versions of Microsoft \s-1IIS\s0 and \s-1SGC\s0
 keys.
-.IP "\fB\-des|\-des3|\-idea\fR" 4
-.IX Item "-des|-des3|-idea"
-These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
-\&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
+.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4
+.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea"
+These options encrypt the private key with the specified
+cipher before outputting it. A pass phrase is prompted for.
 If none of these options is specified the key is written in plain text. This
 means that using the \fBrsa\fR utility to read in an encrypted key with no
 encryption option can be used to remove the pass phrase from a key, or by
@@ -226,6 +243,9 @@ option a public key is read instead.
 by default a private key is output: with this option a public
 key will be output instead. This option is automatically set if
 the input is a public key.
+.IP "\fB\-RSAPublicKey_in\fR, \fB\-RSAPublicKey_out\fR" 4
+.IX Item "-RSAPublicKey_in, -RSAPublicKey_out"
+like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by its unique \fBid\fR string) will cause \fBrsa\fR
@@ -248,14 +268,21 @@ The \s-1PEM\s0 public key format uses the header and footer lines:
 \& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
 .Ve
 .PP
+The \s-1PEM \s0\fBRSAPublicKey\fR format uses the header and footer lines:
+.PP
+.Vb 2
+\& \-\-\-\-\-BEGIN RSA PUBLIC KEY\-\-\-\-\-
+\& \-\-\-\-\-END RSA PUBLIC KEY\-\-\-\-\-
+.Ve
+.PP
 The \fB\s-1NET\s0\fR form is a format compatible with older Netscape servers
-and Microsoft \s-1IIS\s0 .key files, this uses unsalted \s-1RC4\s0 for its encryption.
+and Microsoft \s-1IIS \s0.key files, this uses unsalted \s-1RC4\s0 for its encryption.
 It is not very secure and so should only be used when necessary.
 .PP
 Some newer version of \s-1IIS\s0 have additional data in the exported .key
 files. To use these with the utility, view the file with a binary editor
 and look for the string \*(L"private-key\*(R", then trace back to the byte
-sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data
+sequence 0x30, 0x82 (this is an \s-1ASN1 SEQUENCE\s0). Copy all the data
 from this point onwards to another file and use that as the input
 to the \fBrsa\fR utility with the \fB\-inform \s-1NET\s0\fR option. If you get
 an error after entering the password try the \fB\-sgckey\fR option.
@@ -290,6 +317,12 @@ To just output the public part of a private key:
 .Vb 1
 \& openssl rsa \-in key.pem \-pubout \-out pubkey.pem
 .Ve
+.PP
+Output the public part of a private key in \fBRSAPublicKey\fR format:
+.PP
+.Vb 1
+\& openssl rsa \-in key.pem \-RSAPublicKey_out \-out pubkey.pem
+.Ve
 .SH "BUGS"
 .IX Header "BUGS"
 The command line password arguments don't currently work with
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1
index 7275bf10a261..e9d389545511 100644
--- a/secure/usr.bin/openssl/man/rsautl.1
+++ b/secure/usr.bin/openssl/man/rsautl.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSAUTL 1"
-.TH RSAUTL 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH RSAUTL 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -186,7 +195,7 @@ encrypt the input data using an \s-1RSA\s0 public key.
 decrypt the input data using an \s-1RSA\s0 private key.
 .IP "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4
 .IX Item "-pkcs, -oaep, -ssl, -raw"
-the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP\s0,
+the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,\s0
 special padding used in \s-1SSL\s0 v2 backwards compatible handshakes,
 or no padding, respectively.
 For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used.
@@ -261,7 +270,7 @@ example in certs/pca\-cert.pem . Running \fBasn1parse\fR as follows yields:
 \&  614:d=1  hl=3 l= 129 prim:  BIT STRING
 .Ve
 .PP
-The final \s-1BIT\s0 \s-1STRING\s0 contains the actual signature. It can be extracted with:
+The final \s-1BIT STRING\s0 contains the actual signature. It can be extracted with:
 .PP
 .Vb 1
 \& openssl asn1parse \-in pca\-cert.pem \-out sig \-noout \-strparse 614
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
index 19db4773d26d..5349a741b40a 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH S_CLIENT 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -135,7 +144,9 @@ s_client \- SSL/TLS client program
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBs_client\fR
 [\fB\-connect host:port\fR]
+[\fB\-servername name\fR]
 [\fB\-verify depth\fR]
+[\fB\-verify_return_error\fR]
 [\fB\-cert filename\fR]
 [\fB\-certform DER|PEM\fR]
 [\fB\-key filename\fR]
@@ -153,6 +164,7 @@ s_client \- SSL/TLS client program
 [\fB\-nbio\fR]
 [\fB\-crlf\fR]
 [\fB\-ign_eof\fR]
+[\fB\-no_ign_eof\fR]
 [\fB\-quiet\fR]
 [\fB\-ssl2\fR]
 [\fB\-ssl3\fR]
@@ -162,6 +174,7 @@ s_client \- SSL/TLS client program
 [\fB\-no_tls1\fR]
 [\fB\-bugs\fR]
 [\fB\-cipher cipherlist\fR]
+[\fB\-serverpref\fR]
 [\fB\-starttls protocol\fR]
 [\fB\-engine id\fR]
 [\fB\-tlsextdebug\fR]
@@ -169,10 +182,12 @@ s_client \- SSL/TLS client program
 [\fB\-sess_out filename\fR]
 [\fB\-sess_in filename\fR]
 [\fB\-rand file(s)\fR]
+[\fB\-status\fR]
+[\fB\-nextprotoneg protocols\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
-to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool for
+to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic tool for
 \&\s-1SSL\s0 servers.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
@@ -180,24 +195,27 @@ to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool
 .IX Item "-connect host:port"
 This specifies the host and optional port to connect to. If not specified
 then an attempt is made to connect to the local host on port 4433.
+.IP "\fB\-servername name\fR" 4
+.IX Item "-servername name"
+Set the \s-1TLS SNI \s0(Server Name Indication) extension in the ClientHello message.
 .IP "\fB\-cert certname\fR" 4
 .IX Item "-cert certname"
 The certificate to use, if one is requested by the server. The default is
 not to use a certificate.
 .IP "\fB\-certform format\fR" 4
 .IX Item "-certform format"
-The certificate format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
+The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
 .IP "\fB\-key keyfile\fR" 4
 .IX Item "-key keyfile"
 The private key to use. If not specified then the certificate file will
 be used.
 .IP "\fB\-keyform format\fR" 4
 .IX Item "-keyform format"
-The private format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
+The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
 .IP "\fB\-pass arg\fR" 4
 .IX Item "-pass arg"
 the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-verify depth\fR" 4
 .IX Item "-verify depth"
 The verify depth to use. This specifies the maximum length of the
@@ -205,6 +223,10 @@ server certificate chain and turns on server certificate verification.
 Currently the verify operation continues after errors so all the problems
 with a certificate chain can be seen. As a side effect the connection
 will never fail due to a server certificate verify failure.
+.IP "\fB\-verify_return_error\fR" 4
+.IX Item "-verify_return_error"
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
 .IP "\fB\-CApath directory\fR" 4
 .IX Item "-CApath directory"
 The directory to use for server certificate verification. This directory
@@ -220,7 +242,7 @@ Set various certificate chain valiadition option. See the
 \&\fBverify\fR manual page for details.
 .IP "\fB\-reconnect\fR" 4
 .IX Item "-reconnect"
-reconnects to the same server 5 times using the same session \s-1ID\s0, this can
+reconnects to the same server 5 times using the same session \s-1ID,\s0 this can
 be used as a test that session caching is working.
 .IP "\fB\-pause\fR" 4
 .IX Item "-pause"
@@ -236,7 +258,7 @@ to print out information even if the connection fails. Normally information
 will only be printed out once if the connection succeeds. This option is useful
 because the cipher in use may be renegotiated or the connection may fail
 because a client certificate is required or is requested only after an
-attempt is made to access a certain \s-1URL\s0. Note: the output produced by this
+attempt is made to access a certain \s-1URL.\s0 Note: the output produced by this
 option is not always accurate because a connection might never have been
 established.
 .IP "\fB\-state\fR" 4
@@ -266,6 +288,10 @@ input.
 .IX Item "-quiet"
 inhibit printing of session and certificate information.  This implicitly
 turns on \fB\-ign_eof\fR as well.
+.IP "\fB\-no_ign_eof\fR" 4
+.IX Item "-no_ign_eof"
+shut down the connection when end of file is reached in the input.
+Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR.
 .IP "\fB\-psk_identity identity\fR" 4
 .IX Item "-psk_identity identity"
 Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite.
@@ -294,6 +320,9 @@ this allows the cipher list sent by the client to be modified. Although
 the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client. See the \fBciphers\fR
 command for more information.
+.IP "\fB\-serverpref\fR" 4
+.IX Item "-serverpref"
+use the server's cipher preferences; only used for \s-1SSLV2.\s0
 .IP "\fB\-starttls protocol\fR" 4
 .IX Item "-starttls protocol"
 send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
@@ -325,6 +354,20 @@ generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
+.IP "\fB\-status\fR" 4
+.IX Item "-status"
+sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server
+response (if any) is printed out.
+.IP "\fB\-nextprotoneg protocols\fR" 4
+.IX Item "-nextprotoneg protocols"
+enable Next Protocol Negotiation \s-1TLS\s0 extension and provide a list of
+comma-separated protocol names that the client should advertise
+support for. The list should contain most wanted protocols first.
+Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
+\&\*(L"spdy/3\*(R".
+Empty list of protocols is treated specially and will cause the client to
+advertise support for the \s-1TLS\s0 extension but disconnect just after
+reciving ServerHello with a list of server supported protocols.
 .SH "CONNECTED COMMANDS"
 .IX Header "CONNECTED COMMANDS"
 If a connection is established with an \s-1SSL\s0 server then any data received
@@ -335,7 +378,7 @@ have been given), the session will be renegotiated if the line begins with an
 connection will be closed down.
 .SH "NOTES"
 .IX Header "NOTES"
-\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL\s0 \s-1HTTP\s0
+\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0
 server the command:
 .PP
 .Vb 1
@@ -343,7 +386,7 @@ server the command:
 .Ve
 .PP
 would typically be used (https uses port 443). If the connection succeeds
-then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page.
+then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET /\*(R"\s0 to retrieve a web page.
 .PP
 If the handshake fails then there are several possible causes, if it is
 nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
@@ -372,6 +415,13 @@ If there are problems verifying a server certificate then the
 Since the SSLv23 client hello cannot include compression methods or extensions
 these will only be supported if its use is disabled, for example by using the
 \&\fB\-no_sslv2\fR option.
+.PP
+The \fBs_client\fR utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0
+attack. This behaviour can be changed by with the \fB\-verify_return_error\fR
+option: any verify errors are then returned aborting the handshake.
 .SH "BUGS"
 .IX Header "BUGS"
 Because this program has a lot of options and also because some of
@@ -379,9 +429,6 @@ the techniques used are rather old, the C source of s_client is rather
 hard to read and not a model of how things should be done. A typical
 \&\s-1SSL\s0 client program would be much simpler.
 .PP
-The \fB\-verify\fR option should really exit if the server verification
-fails.
-.PP
 The \fB\-prexit\fR option is a bit of a hack. We should really report
 information whenever a session is renegotiated.
 .SH "SEE ALSO"
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
index 4f23b0c090b4..a2cb5e326866 100644
--- a/secure/usr.bin/openssl/man/s_server.1
+++ b/secure/usr.bin/openssl/man/s_server.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_SERVER 1"
-.TH S_SERVER 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH S_SERVER 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -161,6 +170,7 @@ s_server \- SSL/TLS server program
 [\fB\-CAfile filename\fR]
 [\fB\-nocert\fR]
 [\fB\-cipher cipherlist\fR]
+[\fB\-serverpref\fR]
 [\fB\-quiet\fR]
 [\fB\-no_tmp_rsa\fR]
 [\fB\-ssl2\fR]
@@ -170,6 +180,7 @@ s_server \- SSL/TLS server program
 [\fB\-no_ssl3\fR]
 [\fB\-no_tls1\fR]
 [\fB\-no_dhe\fR]
+[\fB\-no_ecdhe\fR]
 [\fB\-bugs\fR]
 [\fB\-hack\fR]
 [\fB\-www\fR]
@@ -180,10 +191,15 @@ s_server \- SSL/TLS server program
 [\fB\-no_ticket\fR]
 [\fB\-id_prefix arg\fR]
 [\fB\-rand file(s)\fR]
+[\fB\-status\fR]
+[\fB\-status_verbose\fR]
+[\fB\-status_timeout nsec\fR]
+[\fB\-status_url url\fR]
+[\fB\-nextprotoneg protocols\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens
-for connections on a given port using \s-1SSL/TLS\s0.
+for connections on a given port using \s-1SSL/TLS.\s0
 .SH "OPTIONS"
 .IX Header "OPTIONS"
 .IP "\fB\-accept port\fR" 4
@@ -197,22 +213,22 @@ is not present a default value will be used.
 .IX Item "-cert certname"
 The certificate to use, most servers cipher suites require the use of a
 certificate and some require a certificate with a certain public key type:
-for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
-(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
+for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS
+\&\s0(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
 .IP "\fB\-certform format\fR" 4
 .IX Item "-certform format"
-The certificate format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
+The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
 .IP "\fB\-key keyfile\fR" 4
 .IX Item "-key keyfile"
 The private key to use. If not specified then the certificate file will
 be used.
 .IP "\fB\-keyform format\fR" 4
 .IX Item "-keyform format"
-The private format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
+The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
 .IP "\fB\-pass arg\fR" 4
 .IX Item "-pass arg"
 the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4
 .IX Item "-dcert filename, -dkey keyname"
 specify an additional certificate and private key, these behave in the
@@ -220,12 +236,12 @@ same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no defau
 if they are not specified (no additional certificate and key is used). As
 noted above some cipher suites require a certificate containing a key of
 a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
-and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
+and some a \s-1DSS \s0(\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
 a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
 by using an appropriate certificate.
 .IP "\fB\-dcertform format\fR, \fB\-dkeyform format\fR, \fB\-dpass arg\fR" 4
 .IX Item "-dcertform format, -dkeyform format, -dpass arg"
-addtional certificate and private key format and passphrase respectively.
+additional certificate and private key format and passphrase respectively.
 .IP "\fB\-nocert\fR" 4
 .IX Item "-nocert"
 if this option is set then no certificate is used. This restricts the
@@ -241,6 +257,10 @@ a static set of parameters hard coded into the s_server program will be used.
 .IX Item "-no_dhe"
 if this option is set then no \s-1DH\s0 parameters will be loaded effectively
 disabling the ephemeral \s-1DH\s0 cipher suites.
+.IP "\fB\-no_ecdhe\fR" 4
+.IX Item "-no_ecdhe"
+if this option is set then no \s-1ECDH\s0 parameters will be loaded effectively
+disabling the ephemeral \s-1ECDH\s0 cipher suites.
 .IP "\fB\-no_tmp_rsa\fR" 4
 .IX Item "-no_tmp_rsa"
 certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option
@@ -252,9 +272,12 @@ client certificate chain and makes the server request a certificate from
 the client. With the \fB\-verify\fR option a certificate is requested but the
 client does not have to send one, with the \fB\-Verify\fR option the client
 must supply a certificate or an error occurs.
+.Sp
+If the ciphersuite cannot request a client certificate (for example an
+anonymous ciphersuite or \s-1PSK\s0) this option has no effect.
 .IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4
 .IX Item "-crl_check, -crl_check_all"
-Check the peer certificate has not been revoked by its \s-1CA\s0.
+Check the peer certificate has not been revoked by its \s-1CA.\s0
 The \s-1CRL\s0(s) are appended to the certificate file. With the \fB\-crl_check_all\fR
 option all CRLs of all CAs in the chain are checked.
 .IP "\fB\-CApath directory\fR" 4
@@ -285,7 +308,7 @@ tests non blocking I/O
 turns on non blocking I/O
 .IP "\fB\-crlf\fR" 4
 .IX Item "-crlf"
-this option translated a line feed from the terminal into \s-1CR+LF\s0.
+this option translated a line feed from the terminal into \s-1CR+LF.\s0
 .IP "\fB\-quiet\fR" 4
 .IX Item "-quiet"
 inhibit printing of session and certificate information.
@@ -317,6 +340,9 @@ the client sends a list of supported ciphers the first client cipher
 also included in the server list is used. Because the client specifies
 the preference order, the order of the server cipherlist irrelevant. See
 the \fBciphers\fR command for more information.
+.IP "\fB\-serverpref\fR" 4
+.IX Item "-serverpref"
+use the server's cipher preferences, rather than the client's preferences.
 .IP "\fB\-tlsextdebug\fR" 4
 .IX Item "-tlsextdebug"
 print out a hex dump of any \s-1TLS\s0 extensions received from the server.
@@ -360,6 +386,28 @@ generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
+.IP "\fB\-status\fR" 4
+.IX Item "-status"
+enables certificate status request support (aka \s-1OCSP\s0 stapling).
+.IP "\fB\-status_verbose\fR" 4
+.IX Item "-status_verbose"
+enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives
+a verbose printout of the \s-1OCSP\s0 response.
+.IP "\fB\-status_timeout nsec\fR" 4
+.IX Item "-status_timeout nsec"
+sets the timeout for \s-1OCSP\s0 response to \fBnsec\fR seconds.
+.IP "\fB\-status_url url\fR" 4
+.IX Item "-status_url url"
+sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the
+server certificate. Without this option an error is returned if the server
+certificate does not contain a responder address.
+.IP "\fB\-nextprotoneg protocols\fR" 4
+.IX Item "-nextprotoneg protocols"
+enable Next Protocol Negotiation \s-1TLS\s0 extension and provide a
+comma-separated list of supported protocol names.
+The list should contain most wanted protocols first.
+Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
+\&\*(L"spdy/3\*(R".
 .SH "CONNECTED COMMANDS"
 .IX Header "CONNECTED COMMANDS"
 If a connection request is established with an \s-1SSL\s0 client and neither the
diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1
index 9bf931bc1af6..f07d22dfc793 100644
--- a/secure/usr.bin/openssl/man/s_time.1
+++ b/secure/usr.bin/openssl/man/s_time.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_TIME 1"
-.TH S_TIME 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH S_TIME 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -152,7 +161,7 @@ s_time \- SSL/TLS performance timing program
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a
-remote host using \s-1SSL/TLS\s0. It can request a page from the server and includes
+remote host using \s-1SSL/TLS.\s0 It can request a page from the server and includes
 the time to transfer the payload data in its timing measurements. It measures
 the number of connections within a given timeframe, the amount of data
 transferred (if any), and calculates the average time spent for one connection.
@@ -234,7 +243,7 @@ and the link speed determine how many connections \fBs_time\fR can establish.
 .SH "NOTES"
 .IX Header "NOTES"
 \&\fBs_client\fR can be used to measure the performance of an \s-1SSL\s0 connection.
-To connect to an \s-1SSL\s0 \s-1HTTP\s0 server and get the default page the command
+To connect to an \s-1SSL HTTP\s0 server and get the default page the command
 .PP
 .Vb 1
 \& openssl s_time \-connect servername:443 \-www / \-CApath yourdir \-CAfile yourfile.pem \-cipher commoncipher [\-ssl3]
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1
index a7bfc6fa83ad..e117fdafd93d 100644
--- a/secure/usr.bin/openssl/man/sess_id.1
+++ b/secure/usr.bin/openssl/man/sess_id.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SESS_ID 1"
-.TH SESS_ID 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SESS_ID 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -150,7 +159,7 @@ needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will
 not need to use it.
 .IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
-This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
+This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
 format containing session details. The precise format can vary from one version
 to the next.  The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR
 format base64 encoded with additional header and footer lines.
@@ -180,7 +189,7 @@ this option prevents output of the encoded version of the session.
 .IP "\fB\-context \s-1ID\s0\fR" 4
 .IX Item "-context ID"
 this option can set the session id so the output session information uses the
-supplied \s-1ID\s0. The \s-1ID\s0 can be any string of characters. This option wont normally
+supplied \s-1ID.\s0 The \s-1ID\s0 can be any string of characters. This option wont normally
 be used.
 .SH "OUTPUT"
 .IX Header "OUTPUT"
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
index d4e9ac343f1d..18f943aa73ce 100644
--- a/secure/usr.bin/openssl/man/smime.1
+++ b/secure/usr.bin/openssl/man/smime.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SMIME 1"
-.TH SMIME 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SMIME 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -241,7 +250,7 @@ is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
 .IX Item "-text"
 this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of \s-1MIME\s0 
+off text headers: if the decrypted or verified message is not of \s-1MIME \s0
 type text/plain then an error occurs.
 .IP "\fB\-CAfile file\fR" 4
 .IX Item "-CAfile file"
@@ -258,13 +267,13 @@ digest algorithm to use when signing or resigning. If not present then the
 default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
 .IP "\fB\-[cipher]\fR" 4
 .IX Item "-[cipher]"
-the encryption algorithm to use. For example \s-1DES\s0  (56 bits) \- \fB\-des\fR,
-triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR,
+the encryption algorithm to use. For example \s-1DES  \s0(56 bits) \- \fB\-des\fR,
+triple \s-1DES \s0(168 bits) \- \fB\-des3\fR,
 \&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for 
 example \fB\-aes_128_cbc\fR. See \fBenc\fR for list of ciphers
 supported by your version of OpenSSL.
 .Sp
-If not specified 40 bit \s-1RC2\s0 is used. Only used with \fB\-encrypt\fR.
+If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR.
 .IP "\fB\-nointern\fR" 4
 .IX Item "-nointern"
 when verifying a message normally certificates (if any) included in
@@ -329,7 +338,7 @@ multiple times to specify successive keys.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-rand file(s)\fR" 4
 .IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
@@ -382,12 +391,12 @@ signer using the same message digest or this operation will fail.
 .PP
 The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support.
 As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
-and no longer \s-1DER\s0. Streaming is supported for the \fB\-encrypt\fR operation and the
+and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the
 \&\fB\-sign\fR operation if the content is not detached.
 .PP
 Streaming is always used for the \fB\-sign\fR operation with detached data but
 since the content is no longer part of the PKCS#7 structure the encoding
-remains \s-1DER\s0.
+remains \s-1DER.\s0
 .SH "EXIT CODES"
 .IX Header "EXIT CODES"
 .IP "0" 4
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1
index b8e78800f859..e39c927c8199 100644
--- a/secure/usr.bin/openssl/man/speed.1
+++ b/secure/usr.bin/openssl/man/speed.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SPEED 1"
-.TH SPEED 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SPEED 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1
index 58469e523485..d324689af639 100644
--- a/secure/usr.bin/openssl/man/spkac.1
+++ b/secure/usr.bin/openssl/man/spkac.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SPKAC 1"
-.TH SPKAC 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SPKAC 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -168,30 +177,30 @@ present.
 .IP "\fB\-passin password\fR" 4
 .IX Item "-passin password"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-challenge string\fR" 4
 .IX Item "-challenge string"
 specifies the challenge string if an \s-1SPKAC\s0 is being created.
 .IP "\fB\-spkac spkacname\fR" 4
 .IX Item "-spkac spkacname"
 allows an alternative name form the variable containing the
-\&\s-1SPKAC\s0. The default is \*(L"\s-1SPKAC\s0\*(R". This option affects both
+\&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both
 generated and input \s-1SPKAC\s0 files.
 .IP "\fB\-spksect section\fR" 4
 .IX Item "-spksect section"
 allows an alternative name form the section containing the
-\&\s-1SPKAC\s0. The default is the default section.
+\&\s-1SPKAC.\s0 The default is the default section.
 .IP "\fB\-noout\fR" 4
 .IX Item "-noout"
-don't output the text version of the \s-1SPKAC\s0 (not used if an
+don't output the text version of the \s-1SPKAC \s0(not used if an
 \&\s-1SPKAC\s0 is being created).
 .IP "\fB\-pubkey\fR" 4
 .IX Item "-pubkey"
-output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is
+output the public key of an \s-1SPKAC \s0(not used if an \s-1SPKAC\s0 is
 being created).
 .IP "\fB\-verify\fR" 4
 .IX Item "-verify"
-verifies the digital signature on the supplied \s-1SPKAC\s0.
+verifies the digital signature on the supplied \s-1SPKAC.\s0
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR
@@ -218,7 +227,7 @@ Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
 \& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf
 .Ve
 .PP
-Example of an \s-1SPKAC\s0, (long lines split up for clarity):
+Example of an \s-1SPKAC, \s0(long lines split up for clarity):
 .PP
 .Vb 5
 \& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1
index 6ffa749653cb..a1010924ad43 100644
--- a/secure/usr.bin/openssl/man/ts.1
+++ b/secure/usr.bin/openssl/man/ts.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "TS 1"
-.TH TS 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH TS 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -177,13 +186,13 @@ ts \- Time Stamping Authority tool (client/server)
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server
-application as specified in \s-1RFC\s0 3161 (Time-Stamp Protocol, \s-1TSP\s0). A
+application as specified in \s-1RFC 3161 \s0(Time-Stamp Protocol, \s-1TSP\s0). A
 \&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long
 term proof of the existence of a certain datum before a particular
 time. Here is a brief description of the protocol:
 .IP "1." 4
 The \s-1TSA\s0 client computes a one-way hash value for a data file and sends
-the hash to the \s-1TSA\s0.
+the hash to the \s-1TSA.\s0
 .IP "2." 4
 The \s-1TSA\s0 attaches the current date and time to the received hash value,
 signs them and sends the time stamp token back to the client. By
@@ -192,7 +201,7 @@ data file at the time of response generation.
 .IP "3." 4
 The \s-1TSA\s0 client receives the time stamp token and verifies the
 signature on it. It also checks if the token contains the same hash
-value that it had sent to the \s-1TSA\s0.
+value that it had sent to the \s-1TSA.\s0
 .PP
 There is one \s-1DER\s0 encoded protocol data unit defined for transporting a time
 stamp request to the \s-1TSA\s0 and one for sending the time stamp response
@@ -202,7 +211,7 @@ creating a time stamp response based on a request, verifying if a
 response corresponds to a particular request or a data file.
 .PP
 There is no support for sending the requests/responses automatically
-over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC\s0 3161. The users must send the
+over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC 3161.\s0 The users must send the
 requests either by ftp or e\-mail.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
@@ -236,7 +245,7 @@ in use. (Optional)
 .IX Item "-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160|..."
 The message digest to apply to the data file, it supports all the message
 digest algorithms that are supported by the openssl \fBdgst\fR command.
-The default is \s-1SHA\-1\s0. (Optional)
+The default is \s-1SHA\-1. \s0(Optional)
 .IP "\fB\-policy\fR object_id" 4
 .IX Item "-policy object_id"
 The policy that the client expects the \s-1TSA\s0 to use for creating the
@@ -267,7 +276,7 @@ is stdout. (Optional)
 .IP "\fB\-text\fR" 4
 .IX Item "-text"
 If this option is specified the output is human-readable text format
-instead of \s-1DER\s0. (Optional)
+instead of \s-1DER. \s0(Optional)
 .SS "Time Stamp Response generation"
 .IX Subsection "Time Stamp Response generation"
 A time stamp response (TimeStampResp) consists of a response status
@@ -280,20 +289,20 @@ otherwise it is a time stamp token (ContentInfo).
 .IP "\fB\-config\fR configfile" 4
 .IX Item "-config configfile"
 The configuration file to use, this option overrides the
-\&\fB\s-1OPENSSL_CONF\s0\fR environment variable. See \fB\s-1CONFIGURATION\s0 \s-1FILE\s0
-\&\s-1OPTIONS\s0\fR for configurable variables. (Optional)
+\&\fB\s-1OPENSSL_CONF\s0\fR environment variable. See \fB\s-1CONFIGURATION FILE
+OPTIONS\s0\fR for configurable variables. (Optional)
 .IP "\fB\-section\fR tsa_section" 4
 .IX Item "-section tsa_section"
 The name of the config file section conatining the settings for the
 response generation. If not specified the default \s-1TSA\s0 section is
-used, see \fB\s-1CONFIGURATION\s0 \s-1FILE\s0 \s-1OPTIONS\s0\fR for details. (Optional)
+used, see \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for details. (Optional)
 .IP "\fB\-queryfile\fR request.tsq" 4
 .IX Item "-queryfile request.tsq"
 The name of the file containing a \s-1DER\s0 encoded time stamp request. (Optional)
 .IP "\fB\-passin\fR password_src" 4
 .IX Item "-passin password_src"
-Specifies the password source for the private key of the \s-1TSA\s0. See
-\&\fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR in \fIopenssl\fR\|(1). (Optional)
+Specifies the password source for the private key of the \s-1TSA.\s0 See
+\&\fB\s-1PASS PHRASE ARGUMENTS\s0\fR in \fIopenssl\fR\|(1). (Optional)
 .IP "\fB\-signer\fR tsa_cert.pem" 4
 .IX Item "-signer tsa_cert.pem"
 The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing
@@ -345,7 +354,7 @@ response (TimeStampResp). (Optional)
 .IP "\fB\-text\fR" 4
 .IX Item "-text"
 If this option is specified the output is human-readable text format
-instead of \s-1DER\s0. (Optional)
+instead of \s-1DER. \s0(Optional)
 .IP "\fB\-engine\fR id" 4
 .IX Item "-engine id"
 Specifying an engine (by its unique \fBid\fR string) will cause \fBts\fR
@@ -388,7 +397,7 @@ client. See the similar option of \fIverify\fR\|(1) for additional
 details. Either this option or \fB\-CAfile\fR must be specified. (Optional)
 .IP "\fB\-CAfile\fR trusted_certs.pem" 4
 .IX Item "-CAfile trusted_certs.pem"
-The name of the file containing a set of trusted self-signed \s-1CA\s0 
+The name of the file containing a set of trusted self-signed \s-1CA \s0
 certificates in \s-1PEM\s0 format. See the similar option of 
 \&\fIverify\fR\|(1) for additional details. Either this option 
 or \fB\-CApath\fR must be specified.
@@ -415,7 +424,7 @@ switch always overrides the settings in the config file.
 .IX Item "tsa section, default_tsa"
 This is the main section and it specifies the name of another section
 that contains all the options for the \fB\-reply\fR command. This default
-section can be overriden with the \fB\-section\fR command line switch. (Optional)
+section can be overridden with the \fB\-section\fR command line switch. (Optional)
 .IP "\fBoid_file\fR" 4
 .IX Item "oid_file"
 See \fIca\fR\|(1) for description. (Optional)
@@ -488,7 +497,7 @@ the \s-1TSA\s0 name field of the response. Default is no. (Optional)
 .IX Item "ess_cert_id_chain"
 The SignedData objects created by the \s-1TSA\s0 always contain the
 certificate identifier of the signing certificate in a signed
-attribute (see \s-1RFC\s0 2634, Enhanced Security Services). If this option
+attribute (see \s-1RFC 2634,\s0 Enhanced Security Services). If this option
 is set to yes and either the \fBcerts\fR variable or the \fB\-chain\fR option
 is specified then the certificate identifiers of the chain will also
 be included in the SigningCertificate signed attribute. If this
@@ -497,7 +506,7 @@ included. Default is no. (Optional)
 .SH "ENVIRONMENT VARIABLES"
 .IX Header "ENVIRONMENT VARIABLES"
 \&\fB\s-1OPENSSL_CONF\s0\fR contains the path of the configuration file and can be
-overriden by the \fB\-config\fR command line option.
+overridden by the \fB\-config\fR command line option.
 .SH "EXAMPLES"
 .IX Header "EXAMPLES"
 All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper
@@ -505,7 +514,7 @@ configuration file, e.g. the example configuration file
 openssl/apps/openssl.cnf will do.
 .SS "Time Stamp Request"
 .IX Subsection "Time Stamp Request"
-To create a time stamp request for design1.txt with \s-1SHA\-1\s0 
+To create a time stamp request for design1.txt with \s-1SHA\-1 \s0
 without nonce and policy and no certificate is required in the response:
 .PP
 .Vb 2
@@ -544,9 +553,9 @@ without any other key usage extensions. You can add the
 \&'extendedKeyUsage = critical,timeStamping' line to the user certificate section
 of the config file to generate a proper certificate. See \fIreq\fR\|(1),
 \&\fIca\fR\|(1), \fIx509\fR\|(1) for instructions. The examples
-below assume that cacert.pem contains the certificate of the \s-1CA\s0,
+below assume that cacert.pem contains the certificate of the \s-1CA,\s0
 tsacert.pem is the signing certificate issued by cacert.pem and
-tsakey.pem is the private key of the \s-1TSA\s0.
+tsakey.pem is the private key of the \s-1TSA.\s0
 .PP
 To create a time stamp response for a request:
 .PP
@@ -621,7 +630,7 @@ You could also look at the 'test' directory for more examples.
 If you find any bugs or you have suggestions please write to
 Zoltan Glozik <zglozik@opentsa.org>. Known issues:
 .IP "\(bu" 4
-No support for time stamps over \s-1SMTP\s0, though it is quite easy
+No support for time stamps over \s-1SMTP,\s0 though it is quite easy
 to implement an automatic e\-mail based \s-1TSA\s0 with \fIprocmail\fR\|(1) 
 and \fIperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of 
 a separate apache module. \s-1HTTP\s0 client support is provided by
diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1
index f846f1cea4d6..9513b865a9c7 100644
--- a/secure/usr.bin/openssl/man/tsget.1
+++ b/secure/usr.bin/openssl/man/tsget.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "TSGET 1"
-.TH TSGET 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH TSGET 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -150,7 +159,7 @@ tsget \- Time Stamping HTTP/HTTPS client
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBtsget\fR command can be used for sending a time stamp request, as
-specified in \fB\s-1RFC\s0 3161\fR, to a time stamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing
+specified in \fB\s-1RFC 3161\s0\fR, to a time stamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing
 the time stamp response in a file. This tool cannot be used for creating the
 requests and verifying responses, you can use the OpenSSL \fB\f(BIts\fB\|(1)\fR command to
 do that. \fBtsget\fR can send several requests to the server without closing
@@ -219,13 +228,13 @@ certificate-based client authentication will take place. (Optional)
 .IX Item "-C CA_certs.pem"
 (\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's
 certificate must include one of the \s-1CA\s0 certificates specified in this file.
-Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS\s0. (Optional)
+Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS. \s0(Optional)
 .IP "\fB\-P\fR CA_path" 4
 .IX Item "-P CA_path"
 (\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's
 certificate. The directory must be prepared with the \fBc_rehash\fR
 OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of
-\&\s-1HTTPS\s0. (Optional)
+\&\s-1HTTPS. \s0(Optional)
 .IP "\fB\-rand\fR file:file..." 4
 .IX Item "-rand file:file..."
 The files containing random data for seeding the random number
@@ -236,8 +245,8 @@ MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optiona
 The name of an \s-1EGD\s0 socket to get random data from. (Optional)
 .IP "[request]..." 4
 .IX Item "[request]..."
-List of files containing \fB\s-1RFC\s0 3161\fR DER-encoded time stamp requests. If no
-requests are specifed only one request will be sent to the server and it will be
+List of files containing \fB\s-1RFC 3161\s0\fR DER-encoded time stamp requests. If no
+requests are specified only one request will be sent to the server and it will be
 read from the standard input. (Optional)
 .SH "ENVIRONMENT VARIABLES"
 .IX Header "ENVIRONMENT VARIABLES"
@@ -251,7 +260,7 @@ time stamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 reques
 and at port 8443 for \s-1HTTPS\s0 requests, the \s-1TSA\s0 service is available at the /tsa
 absolute path.
 .PP
-Get a time stamp response for file1.tsq over \s-1HTTP\s0, output is written to 
+Get a time stamp response for file1.tsq over \s-1HTTP,\s0 output is written to 
 file1.tsr:
 .PP
 .Vb 1
@@ -308,4 +317,4 @@ Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org)
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIopenssl\fR\|(1), \fIts\fR\|(1), \fIcurl\fR\|(1), 
-\&\fB\s-1RFC\s0 3161\fR
+\&\fB\s-1RFC 3161\s0\fR
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
index fd4477bc55ea..a7ff1da6b11a 100644
--- a/secure/usr.bin/openssl/man/verify.1
+++ b/secure/usr.bin/openssl/man/verify.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VERIFY 1"
-.TH VERIFY 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH VERIFY 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -152,6 +161,7 @@ verify \- Utility to verify certificates.
 [\fB\-untrusted file\fR]
 [\fB\-help\fR]
 [\fB\-issuer_checks\fR]
+[\fB\-attime timestamp\fR]
 [\fB\-verbose\fR]
 [\fB\-\fR]
 [certificates]
@@ -167,12 +177,12 @@ of the form: hash.0 or have symbolic links to them of this
 form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
 of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
 create symbolic links to a directory of certificates.
-.IP "\fB\-CAfile file\fR" 4
-.IX Item "-CAfile file"
-A file of trusted certificates. The file should contain multiple certificates
-in \s-1PEM\s0 format concatenated together.
+.IP "\fB\-CAfile file\fR A file of trusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together." 4
+.IX Item "-CAfile file A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together."
+.PD 0
 .IP "\fB\-untrusted file\fR" 4
 .IX Item "-untrusted file"
+.PD
 A file of untrusted certificates. The file should contain multiple certificates
 in \s-1PEM\s0 format concatenated together.
 .IP "\fB\-purpose purpose\fR" 4
@@ -180,7 +190,7 @@ in \s-1PEM\s0 format concatenated together.
 The intended use for the certificate. If this option is not specified,
 \&\fBverify\fR will not consider certificate purpose during chain verification.
 Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR,
-\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR section for more
+\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more
 information.
 .IP "\fB\-help\fR" 4
 .IX Item "-help"
@@ -195,6 +205,11 @@ current certificate. This shows why each candidate issuer certificate was
 rejected. The presence of rejection messages does not itself imply that
 anything is wrong; during the normal verification process, several
 rejections may take place.
+.IP "\fB\-attime timestamp\fR" 4
+.IX Item "-attime timestamp"
+Perform validation checks using time specified by \fBtimestamp\fR and not
+current system time. \fBtimestamp\fR is the number of seconds since
+01.01.1970 (\s-1UNIX\s0 time).
 .IP "\fB\-policy arg\fR" 4
 .IX Item "-policy arg"
 Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see
@@ -217,7 +232,7 @@ Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0).
 Print out diagnostics related to policy processing.
 .IP "\fB\-crl_check\fR" 4
 .IX Item "-crl_check"
-Checks end entity certificate validity by attempting to look up a valid \s-1CRL\s0.
+Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0
 If a valid \s-1CRL\s0 cannot be found an error occurs.
 .IP "\fB\-crl_check_all\fR" 4
 .IX Item "-crl_check_all"
@@ -241,7 +256,7 @@ signing keys.
 Enable support for delta CRLs.
 .IP "\fB\-check_ss_sig\fR" 4
 .IX Item "-check_ss_sig"
-Verify the signature on the self-signed root \s-1CA\s0. This is disabled by default
+Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default
 because it doesn't add any security.
 .IP "\fB\-\fR" 4
 .IX Item "-"
@@ -268,10 +283,10 @@ determined.
 The verify operation consists of a number of separate steps.
 .PP
 Firstly a certificate chain is built up starting from the supplied certificate
-and ending in the root \s-1CA\s0. It is an error if the whole chain cannot be built
+and ending in the root \s-1CA.\s0 It is an error if the whole chain cannot be built
 up. The chain is built up by looking up the issuers certificate of the current
 certificate. If a certificate is found which is its own issuer it is assumed 
-to be the root \s-1CA\s0.
+to be the root \s-1CA.\s0
 .PP
 The process of 'looking up the issuers certificate' itself involves a number
 of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
@@ -295,9 +310,9 @@ consistency with the supplied purpose. If the \fB\-purpose\fR option is not incl
 then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
 compatible with the supplied purpose and all other certificates must also be valid
 \&\s-1CA\s0 certificates. The precise extensions required are described in more detail in
-the \fB\s-1CERTIFICATE\s0 \s-1EXTENSIONS\s0\fR section of the \fBx509\fR utility.
+the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section of the \fBx509\fR utility.
 .PP
-The third operation is to check the trust settings on the root \s-1CA\s0. The root
+The third operation is to check the trust settings on the root \s-1CA.\s0 The root
 \&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous
 versions of SSLeay and OpenSSL a certificate with no trust settings is considered
 to be valid for all purposes.
@@ -447,8 +462,8 @@ does not permit certificate signing.
 an application specific error. Unused.
 .SH "BUGS"
 .IX Header "BUGS"
-Although the issuer checks are a considerably improvement over the old technique they still
-suffer from limitations in the underlying X509_LOOKUP \s-1API\s0. One consequence of this is that
+Although the issuer checks are a considerable improvement over the old technique they still
+suffer from limitations in the underlying X509_LOOKUP \s-1API.\s0 One consequence of this is that
 trusted certificates with matching subject name must either appear in a file (as specified by the
 \&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only
 the certificates in the file will be recognised.
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1
index 683c074445c5..34f18b699499 100644
--- a/secure/usr.bin/openssl/man/version.1
+++ b/secure/usr.bin/openssl/man/version.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VERSION 1"
-.TH VERSION 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH VERSION 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -140,6 +149,7 @@ version \- print OpenSSL version information
 [\fB\-o\fR]
 [\fB\-f\fR]
 [\fB\-p\fR]
+[\fB\-d\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 This command is used to print out version information about OpenSSL.
@@ -157,8 +167,8 @@ the date the current version of OpenSSL was built.
 .IP "\fB\-o\fR" 4
 .IX Item "-o"
 option information: various options set when the library was built.
-.IP "\fB\-c\fR" 4
-.IX Item "-c"
+.IP "\fB\-f\fR" 4
+.IX Item "-f"
 compilation flags.
 .IP "\fB\-p\fR" 4
 .IX Item "-p"
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
index 221412e12ba1..55d6e6d98430 100644
--- a/secure/usr.bin/openssl/man/x509.1
+++ b/secure/usr.bin/openssl/man/x509.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509 1"
-.TH X509 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -145,6 +154,7 @@ x509 \- Certificate display and signing utility
 [\fB\-hash\fR]
 [\fB\-subject_hash\fR]
 [\fB\-issuer_hash\fR]
+[\fB\-ocspid\fR]
 [\fB\-subject\fR]
 [\fB\-issuer\fR]
 [\fB\-nameopt option\fR]
@@ -154,6 +164,7 @@ x509 \- Certificate display and signing utility
 [\fB\-enddate\fR]
 [\fB\-purpose\fR]
 [\fB\-dates\fR]
+[\fB\-checkend num\fR]
 [\fB\-modulus\fR]
 [\fB\-pubkey\fR]
 [\fB\-fingerprint\fR]
@@ -168,6 +179,7 @@ x509 \- Certificate display and signing utility
 [\fB\-days arg\fR]
 [\fB\-set_serial n\fR]
 [\fB\-signkey filename\fR]
+[\fB\-passin arg\fR]
 [\fB\-x509toreq\fR]
 [\fB\-req\fR]
 [\fB\-CA filename\fR]
@@ -175,6 +187,7 @@ x509 \- Certificate display and signing utility
 [\fB\-CAcreateserial\fR]
 [\fB\-CAserial filename\fR]
 [\fB\-text\fR]
+[\fB\-certopt option\fR]
 [\fB\-C\fR]
 [\fB\-md2|\-md5|\-sha1|\-mdc2\fR]
 [\fB\-clrext\fR]
@@ -185,14 +198,14 @@ x509 \- Certificate display and signing utility
 .IX Header "DESCRIPTION"
 The \fBx509\fR command is a multi purpose certificate utility. It can be
 used to display certificate information, convert certificates to
-various forms, sign certificate requests like a \*(L"mini \s-1CA\s0\*(R" or edit
+various forms, sign certificate requests like a \*(L"mini \s-1CA\*(R"\s0 or edit
 certificate trust settings.
 .PP
 Since there are a large number of options they will split up into
 various sections.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.SS "\s-1INPUT\s0, \s-1OUTPUT\s0 \s-1AND\s0 \s-1GENERAL\s0 \s-1PURPOSE\s0 \s-1OPTIONS\s0"
+.SS "\s-1INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS\s0"
 .IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS"
 .IP "\fB\-inform DER|PEM|NET\fR" 4
 .IX Item "-inform DER|PEM|NET"
@@ -226,10 +239,10 @@ specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
-.SS "\s-1DISPLAY\s0 \s-1OPTIONS\s0"
+.SS "\s-1DISPLAY OPTIONS\s0"
 .IX Subsection "DISPLAY OPTIONS"
 Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
-but are described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section.
+but are described in the \fB\s-1TRUST SETTINGS\s0\fR section.
 .IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out the certificate in text form. Full details are output including the
@@ -239,7 +252,7 @@ any extensions present and any trust settings.
 .IX Item "-certopt option"
 customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
 a single option or multiple options separated by commas. The \fB\-certopt\fR switch
-may be also be used more than once to set multiple options. See the \fB\s-1TEXT\s0 \s-1OPTIONS\s0\fR
+may be also be used more than once to set multiple options. See the \fB\s-1TEXT OPTIONS\s0\fR
 section for more information.
 .IP "\fB\-noout\fR" 4
 .IX Item "-noout"
@@ -262,6 +275,9 @@ name.
 .IP "\fB\-issuer_hash\fR" 4
 .IX Item "-issuer_hash"
 outputs the \*(L"hash\*(R" of the certificate issuer name.
+.IP "\fB\-ocspid\fR" 4
+.IX Item "-ocspid"
+outputs the \s-1OCSP\s0 hash values for the subject name and public key.
 .IP "\fB\-hash\fR" 4
 .IX Item "-hash"
 synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
@@ -284,7 +300,7 @@ outputs the issuer name.
 option which determines how the subject or issuer names are displayed. The
 \&\fBoption\fR argument can be a single option or multiple options separated by
 commas.  Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more information.
+set multiple options. See the \fB\s-1NAME OPTIONS\s0\fR section for more information.
 .IP "\fB\-email\fR" 4
 .IX Item "-email"
 outputs the email address(es) if any.
@@ -300,6 +316,10 @@ prints out the expiry date of the certificate, that is the notAfter date.
 .IP "\fB\-dates\fR" 4
 .IX Item "-dates"
 prints out the start and expiry dates of a certificate.
+.IP "\fB\-checkend arg\fR" 4
+.IX Item "-checkend arg"
+checks if the certificate expires within the next \fBarg\fR seconds and exits
+non-zero if yes it will expire or zero if not.
 .IP "\fB\-fingerprint\fR" 4
 .IX Item "-fingerprint"
 prints out the digest of the \s-1DER\s0 encoded version of the whole certificate
@@ -307,7 +327,7 @@ prints out the digest of the \s-1DER\s0 encoded version of the whole certificate
 .IP "\fB\-C\fR" 4
 .IX Item "-C"
 this outputs the certificate in the form of a C source file.
-.SS "\s-1TRUST\s0 \s-1SETTINGS\s0"
+.SS "\s-1TRUST SETTINGS\s0"
 .IX Subsection "TRUST SETTINGS"
 Please note these options are currently experimental and may well change.
 .PP
@@ -320,7 +340,7 @@ must be \*(L"trusted\*(R". By default a trusted certificate must be stored
 locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
 is then usable for any purpose.
 .PP
-Trust settings currently are only used with a root \s-1CA\s0. They allow a finer
+Trust settings currently are only used with a root \s-1CA.\s0 They allow a finer
 control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0
 may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
 .PP
@@ -362,12 +382,12 @@ option.
 .IP "\fB\-purpose\fR" 4
 .IX Item "-purpose"
 this option performs tests on the certificate extensions and outputs
-the results. For a more complete description see the \fB\s-1CERTIFICATE\s0
-\&\s-1EXTENSIONS\s0\fR section.
-.SS "\s-1SIGNING\s0 \s-1OPTIONS\s0"
+the results. For a more complete description see the \fB\s-1CERTIFICATE
+EXTENSIONS\s0\fR section.
+.SS "\s-1SIGNING OPTIONS\s0"
 .IX Subsection "SIGNING OPTIONS"
 The \fBx509\fR utility can be used to sign certificates and requests: it
-can thus behave like a \*(L"mini \s-1CA\s0\*(R".
+can thus behave like a \*(L"mini \s-1CA\*(R".\s0
 .IP "\fB\-signkey filename\fR" 4
 .IX Item "-signkey filename"
 this option causes the input file to be self signed using the supplied
@@ -383,6 +403,10 @@ the \fB\-clrext\fR option is supplied.
 If the input is a certificate request then a self signed certificate
 is created using the supplied private key using the subject name in
 the request.
+.IP "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the key password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
 .IP "\fB\-clrext\fR" 4
 .IX Item "-clrext"
 delete any extensions from a certificate. This option is used when a
@@ -417,7 +441,7 @@ serial numbers can also be specified but their use is not recommended.
 .IP "\fB\-CA filename\fR" 4
 .IX Item "-CA filename"
 specifies the \s-1CA\s0 certificate to be used for signing. When this option is
-present \fBx509\fR behaves like a \*(L"mini \s-1CA\s0\*(R". The input file is signed by this
+present \fBx509\fR behaves like a \*(L"mini \s-1CA\*(R".\s0 The input file is signed by this
 \&\s-1CA\s0 using this option: that is its issuer name is set to the subject name
 of the \s-1CA\s0 and it is digitally signed using the CAs private key.
 .Sp
@@ -458,7 +482,7 @@ specified then the extensions should either be contained in the unnamed
 \&\*(L"extensions\*(R" which contains the section to use. See the
 \&\fIx509v3_config\fR\|(5) manual page for details of the
 extension section format.
-.SS "\s-1NAME\s0 \s-1OPTIONS\s0"
+.SS "\s-1NAME OPTIONS\s0"
 .IX Subsection "NAME OPTIONS"
 The \fBnameopt\fR command line switch determines how the subject and issuer
 names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
@@ -475,7 +499,7 @@ displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBe
 \&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
 .IP "\fBoneline\fR" 4
 .IX Item "oneline"
-a oneline format which is more readable than \s-1RFC2253\s0. It is equivalent to
+a oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to
 specifying the  \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
 \&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR
 options.
@@ -504,7 +528,7 @@ escapes some characters by surrounding the whole string with \fB"\fR characters,
 without the option all escaping is done with the \fB\e\fR character.
 .IP "\fButf8\fR" 4
 .IX Item "utf8"
-convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253\s0. If
+convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If
 you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
 of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct
 display of multibyte (international) characters. Is this option is not
@@ -512,8 +536,8 @@ present then multibyte characters larger than 0xff will be represented
 using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits.
 Also if this option is off any UTF8Strings will be converted to their
 character form first.
-.IP "\fBno_type\fR" 4
-.IX Item "no_type"
+.IP "\fBignore_type\fR" 4
+.IX Item "ignore_type"
 this option does not attempt to interpret multibyte characters in any
 way. That is their content octets are merely dumped as though one octet
 represents each character. This is useful for diagnostic purposes but
@@ -526,11 +550,11 @@ field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
 .IX Item "dump_der"
 when this option is set any fields that need to be hexdumped will
 be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
-content octets will be displayed. Both options use the \s-1RFC2253\s0
-\&\fB#XXXX...\fR format.
+content octets will be displayed. Both options use the \s-1RFC2253
+\&\s0\fB#XXXX...\fR format.
 .IP "\fBdump_nostr\fR" 4
 .IX Item "dump_nostr"
-dump non character string types (for example \s-1OCTET\s0 \s-1STRING\s0) if this
+dump non character string types (for example \s-1OCTET STRING\s0) if this
 option is not set then non character string types will be displayed
 as though each content octet represents a single character.
 .IP "\fBdump_all\fR" 4
@@ -551,7 +575,7 @@ the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It a
 indents the fields by four characters.
 .IP "\fBdn_rev\fR" 4
 .IX Item "dn_rev"
-reverse the fields of the \s-1DN\s0. This is required by \s-1RFC2253\s0. As a side
+reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side
 effect this also reverses the order of multiple AVAs but this is
 permissible.
 .IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
@@ -569,7 +593,7 @@ align field values for a more readable output. Only usable with
 .IX Item "space_eq"
 places spaces round the \fB=\fR character which follows the field
 name.
-.SS "\s-1TEXT\s0 \s-1OPTIONS\s0"
+.SS "\s-1TEXT OPTIONS\s0"
 .IX Subsection "TEXT OPTIONS"
 As well as customising the name output format, it is also possible to
 customise the actual fields printed using the \fBcertopt\fR options when
@@ -703,7 +727,7 @@ certificate extensions:
 .Ve
 .PP
 Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
-\&\*(L"Steve's Class 1 \s-1CA\s0\*(R"
+\&\*(L"Steve's Class 1 \s-1CA\*(R"\s0
 .PP
 .Vb 2
 \& openssl x509 \-in cert.pem \-addtrust clientAuth \e
@@ -742,7 +766,7 @@ This is commonly called a \*(L"fingerprint\*(R". Because of the nature of messag
 digests the fingerprint of a certificate is unique to that certificate and
 two certificates with the same fingerprint can be considered to be the same.
 .PP
-The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1\s0.
+The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1.\s0
 .PP
 The \fB\-email\fR option searches the subject name and the subject alternative
 name extension. Only unique email addresses will be printed out: it will
@@ -758,12 +782,12 @@ The same code is used when verifying untrusted certificates in chains
 so this section is useful if a chain is rejected by the verify code.
 .PP
 The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
-certificate can be used as a \s-1CA\s0. If the \s-1CA\s0 flag is true then it is a \s-1CA\s0,
-if the \s-1CA\s0 flag is false then it is not a \s-1CA\s0. \fBAll\fR CAs should have the
+certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0
+if the \s-1CA\s0 flag is false then it is not a \s-1CA. \s0\fBAll\fR CAs should have the
 \&\s-1CA\s0 flag set to true.
 .PP
 If the basicConstraints extension is absent then the certificate is
-considered to be a \*(L"possible \s-1CA\s0\*(R" other extensions are checked according
+considered to be a \*(L"possible \s-1CA\*(R"\s0 other extensions are checked according
 to the intended use of the certificate. A warning is given in this case
 because the certificate should really not be regarded as a \s-1CA:\s0 however
 it is allowed to be a \s-1CA\s0 to work around some broken software.
@@ -787,14 +811,14 @@ basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR
 .IP "\fB\s-1SSL\s0 Client\fR" 4
 .IX Item "SSL Client"
 The extended key usage extension must be absent or include the \*(L"web client
-authentication\*(R" \s-1OID\s0.  keyUsage must be absent or it must have the
+authentication\*(R" \s-1OID. \s0 keyUsage must be absent or it must have the
 digitalSignature bit set. Netscape certificate type must be absent or it must
 have the \s-1SSL\s0 client bit set.
 .IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
 .IX Item "SSL Client CA"
 The extended key usage extension must be absent or include the \*(L"web client
-authentication\*(R" \s-1OID\s0. Netscape certificate type must be absent or it must have
-the \s-1SSL\s0 \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
+authentication\*(R" \s-1OID.\s0 Netscape certificate type must be absent or it must have
+the \s-1SSL CA\s0 bit set: this is used as a work around if the basicConstraints
 extension is absent.
 .IP "\fB\s-1SSL\s0 Server\fR" 4
 .IX Item "SSL Server"
@@ -806,7 +830,7 @@ Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
 .IX Item "SSL Server CA"
 The extended key usage extension must be absent or include the \*(L"web server
 authentication\*(R" and/or one of the \s-1SGC\s0 OIDs.  Netscape certificate type must
-be absent or the \s-1SSL\s0 \s-1CA\s0 bit must be set: this is used as a work around if the
+be absent or the \s-1SSL CA\s0 bit must be set: this is used as a work around if the
 basicConstraints extension is absent.
 .IP "\fBNetscape \s-1SSL\s0 Server\fR" 4
 .IX Item "Netscape SSL Server"
@@ -817,7 +841,7 @@ Otherwise it is the same as a normal \s-1SSL\s0 server.
 .IP "\fBCommon S/MIME Client Tests\fR" 4
 .IX Item "Common S/MIME Client Tests"
 The extended key usage extension must be absent or include the \*(L"email
-protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or should have the
+protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or should have the
 S/MIME bit set. If the S/MIME bit is not set in netscape certificate type
 then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
 this is because some Verisign certificates don't set the S/MIME bit.
@@ -832,7 +856,7 @@ if the keyUsage extension is present.
 .IP "\fBS/MIME \s-1CA\s0\fR" 4
 .IX Item "S/MIME CA"
 The extended key usage extension must be absent or include the \*(L"email
-protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or must have the
+protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or must have the
 S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
 extension is absent.
 .IP "\fB\s-1CRL\s0 Signing\fR" 4
@@ -855,7 +879,7 @@ be checked.
 There should be options to explicitly set such things as start and end
 dates rather than an offset from the current time.
 .PP
-The code to implement the verify behaviour described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR
+The code to implement the verify behaviour described in the \fB\s-1TRUST SETTINGS\s0\fR
 is currently being developed. It thus describes the intended behaviour rather
 than the current behaviour. It is hoped that it will represent reality in
 OpenSSL 0.9.5 and later.
@@ -866,10 +890,10 @@ OpenSSL 0.9.5 and later.
 \&\fIx509v3_config\fR\|(5)
 .SH "HISTORY"
 .IX Header "HISTORY"
-Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5\s0.
+Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5.\s0
 .PP
 The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
 before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
 of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
-canonical version of the \s-1DN\s0 using \s-1SHA1\s0. This means that any directories using
+canonical version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using
 the old form must have their links rebuilt using \fBc_rehash\fR or similar.
diff --git a/secure/usr.bin/openssl/man/x509v3_config.1 b/secure/usr.bin/openssl/man/x509v3_config.1
index f7e0f6a2ab25..cb854542b37b 100644
--- a/secure/usr.bin/openssl/man/x509v3_config.1
+++ b/secure/usr.bin/openssl/man/x509v3_config.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509V3_CONFIG 1"
-.TH X509V3_CONFIG 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH X509V3_CONFIG 1 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -185,7 +194,7 @@ use is defined by the extension code itself: check out the certificate
 policies extension for an example.
 .PP
 If an extension type is unsupported then the \fIarbitrary\fR extension syntax
-must be used, see the \s-1ARBITRARY\s0 \s-1EXTENSIONS\s0 section for more details.
+must be used, see the \s-1ARBITRARY EXTENSIONS\s0 section for more details.
 .SH "STANDARD EXTENSIONS"
 .IX Header "STANDARD EXTENSIONS"
 The following sections describe each supported extension in detail.
@@ -207,7 +216,7 @@ For example:
 .Ve
 .PP
 A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0 field
-set to \s-1TRUE\s0. An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the
+set to \s-1TRUE.\s0 An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the
 extension entirely. Some software may require the inclusion of basicConstraints
 with \s-1CA\s0 set to \s-1FALSE\s0 for end entity certificates.
 .PP
@@ -237,7 +246,7 @@ the certificate public key can be used for,
 .PP
 These can either be object short names of the dotted numerical form of OIDs.
 While any \s-1OID\s0 can be used only certain values make sense. In particular the
-following \s-1PKIX\s0, \s-1NS\s0 and \s-1MS\s0 values are meaningful:
+following \s-1PKIX, NS\s0 and \s-1MS\s0 values are meaningful:
 .PP
 .Vb 10
 \& Value                  Meaning
@@ -296,7 +305,7 @@ Example:
 The subject alternative name extension allows various literal values to be
 included in the configuration file. These include \fBemail\fR (an email address)
 \&\fB\s-1URI\s0\fR a uniform resource indicator, \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a
-registered \s-1ID:\s0 \s-1OBJECT\s0 \s-1IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR
+registered \s-1ID: OBJECT IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR
 (a distinguished name) and otherName.
 .PP
 The email option include a special 'copy' value. This will automatically
@@ -307,7 +316,7 @@ The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR options can be in either IPv4
 .PP
 The value of \fBdirName\fR should point to a section containing the distinguished
 name to use as a set of name value pairs. Multi values AVAs can be formed by
-preceeding the name with a \fB+\fR character.
+prefacing the name with a \fB+\fR character.
 .PP
 otherName can include arbitrary data associated with an \s-1OID:\s0 the value
 should be the \s-1OID\s0 followed by a semicolon and the content in standard
@@ -346,7 +355,7 @@ Example:
 .SS "Authority Info Access."
 .IX Subsection "Authority Info Access."
 The authority information access extension gives details about how to access
-certain information relating to the \s-1CA\s0. Its syntax is accessOID;location
+certain information relating to the \s-1CA.\s0 Its syntax is accessOID;location
 where \fIlocation\fR has the same syntax as subject alternative name (except
 that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only
 certain values are meaningful, for example \s-1OCSP\s0 and caIssuers.
@@ -443,7 +452,7 @@ This is a \fIraw\fR extension. All the fields of this extension can be set by
 using the appropriate syntax.
 .PP
 If you follow the \s-1PKIX\s0 recommendations and just using one \s-1OID\s0 then you just
-include the value of that \s-1OID\s0. Multiple OIDs can be set separated by commas,
+include the value of that \s-1OID.\s0 Multiple OIDs can be set separated by commas,
 for example:
 .PP
 .Vb 1
@@ -533,7 +542,6 @@ Examples:
 \& nameConstraints=permitted;email:.somedomain.com
 \&
 \& nameConstraints=excluded;email:.com
-\&issuingDistributionPoint = idp_section
 .Ve
 .SS "\s-1OCSP\s0 No Check"
 .IX Subsection "OCSP No Check"
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 412b1f91b29d..96c8d62f596f 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.0"
-BRANCH="RELEASE-p17"
+BRANCH="RELEASE-p18"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index 9f31a191c750..908f304aeac8 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -1533,8 +1533,8 @@ igmp_input(struct mbuf *m, int off)
 		case IGMP_VERSION_3: {
 				struct igmpv3 *igmpv3;
 				uint16_t igmpv3len;
-				uint16_t srclen;
-				int nsrc;
+				uint16_t nsrc;
+				int srclen;
 
 				IGMPSTAT_INC(igps_rcv_v3_queries);
 				igmpv3 = (struct igmpv3 *)igmp;
diff --git a/usr.sbin/freebsd-update/freebsd-update.sh b/usr.sbin/freebsd-update/freebsd-update.sh
index f8129fff46ff..63cb14ced8c6 100644
--- a/usr.sbin/freebsd-update/freebsd-update.sh
+++ b/usr.sbin/freebsd-update/freebsd-update.sh
@@ -2820,18 +2820,27 @@ Kernel updates have been installed.  Please reboot and run
 		    grep -E '^[^|]+\|d\|' > INDEX-NEW
 		install_from_index INDEX-NEW || return 1
 
+		# Install new runtime linker
+		grep -vE '^/boot/' $1/INDEX-NEW |
+		    grep -vE '^[^|]+\|d\|' |
+		    grep -E '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' > INDEX-NEW
+		install_from_index INDEX-NEW || return 1
+
 		# Install new shared libraries next
 		grep -vE '^/boot/' $1/INDEX-NEW |
 		    grep -vE '^[^|]+\|d\|' |
+		    grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' |
 		    grep -E '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW
 		install_from_index INDEX-NEW || return 1
 
 		# Deal with everything else
 		grep -vE '^/boot/' $1/INDEX-OLD |
 		    grep -vE '^[^|]+\|d\|' |
+		    grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' |
 		    grep -vE '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-OLD
 		grep -vE '^/boot/' $1/INDEX-NEW |
 		    grep -vE '^[^|]+\|d\|' |
+		    grep -vE '^/libexec/ld-elf[^|]*\.so\.[0-9]+\|' |
 		    grep -vE '^[^|]*/lib/[^|]*\.so\.[0-9]+\|' > INDEX-NEW
 		install_from_index INDEX-NEW || return 1
 		install_delete INDEX-OLD INDEX-NEW || return 1