From f13663bcc1a0d7b86a29e52e0a0d5bd746bc4d21 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Mon, 1 Sep 2014 17:44:28 -0400
Subject: Update OpenSSL from 1.0.1h to 1.0.1i

---
 openssl/doc/crypto/ASN1_generate_nconf.pod |  2 +-
 openssl/doc/crypto/BIO_f_base64.pod        | 15 ++++++++-------
 openssl/doc/crypto/BIO_push.pod            |  2 +-
 openssl/doc/crypto/ERR_get_error.pod       |  4 ++--
 openssl/doc/crypto/EVP_DigestInit.pod      |  5 ++---
 openssl/doc/crypto/EVP_EncryptInit.pod     |  5 ++++-
 openssl/doc/crypto/EVP_SignInit.pod        |  8 +++++---
 openssl/doc/crypto/RSA_set_method.pod      | 14 +++++++++-----
 openssl/doc/crypto/RSA_sign.pod            |  4 ++++
 openssl/doc/crypto/des.pod                 |  7 +++----
 openssl/doc/crypto/err.pod                 |  1 -
 openssl/doc/crypto/pem.pod                 |  8 ++++++--
 openssl/doc/crypto/ui.pod                  |  2 +-
 13 files changed, 46 insertions(+), 31 deletions(-)

(limited to 'openssl/doc/crypto')

diff --git a/openssl/doc/crypto/ASN1_generate_nconf.pod b/openssl/doc/crypto/ASN1_generate_nconf.pod
index 542fd1579..bfa0a04ff 100644
--- a/openssl/doc/crypto/ASN1_generate_nconf.pod
+++ b/openssl/doc/crypto/ASN1_generate_nconf.pod
@@ -61,7 +61,7 @@ Encode the B<NULL> type, the B<value> string must not be present.
 =item B<INTEGER>, B<INT>
 
 Encodes an ASN1 B<INTEGER> type. The B<value> string represents
-the value of the integer, it can be preceeded by a minus sign and
+the value of the integer, it can be prefaced by a minus sign and
 is normally interpreted as a decimal value unless the prefix B<0x>
 is included.
 
diff --git a/openssl/doc/crypto/BIO_f_base64.pod b/openssl/doc/crypto/BIO_f_base64.pod
index 438af3b6b..d1d7bf0bd 100644
--- a/openssl/doc/crypto/BIO_f_base64.pod
+++ b/openssl/doc/crypto/BIO_f_base64.pod
@@ -46,11 +46,11 @@ to standard output:
 
  b64 = BIO_new(BIO_f_base64());
  bio = BIO_new_fp(stdout, BIO_NOCLOSE);
- bio = BIO_push(b64, bio);
- BIO_write(bio, message, strlen(message));
- BIO_flush(bio);
+ BIO_push(b64, bio);
+ BIO_write(b64, message, strlen(message));
+ BIO_flush(b64);
 
- BIO_free_all(bio);
+ BIO_free_all(b64);
 
 Read Base64 encoded data from standard input and write the decoded
 data to standard output:
@@ -62,11 +62,12 @@ data to standard output:
  b64 = BIO_new(BIO_f_base64());
  bio = BIO_new_fp(stdin, BIO_NOCLOSE);
  bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
- bio = BIO_push(b64, bio);
- while((inlen = BIO_read(bio, inbuf, 512)) > 0) 
+ BIO_push(b64, bio);
+ while((inlen = BIO_read(b64, inbuf, 512)) > 0) 
 	BIO_write(bio_out, inbuf, inlen);
 
- BIO_free_all(bio);
+ BIO_flush(bio_out);
+ BIO_free_all(b64);
 
 =head1 BUGS
 
diff --git a/openssl/doc/crypto/BIO_push.pod b/openssl/doc/crypto/BIO_push.pod
index 8af1d3c09..8a2657cd5 100644
--- a/openssl/doc/crypto/BIO_push.pod
+++ b/openssl/doc/crypto/BIO_push.pod
@@ -40,7 +40,7 @@ If the call:
 
  BIO_push(b64, f);
 
-is made then the new chain will be B<b64-chain>. After making the calls
+is made then the new chain will be B<b64-f>. After making the calls
 
  BIO_push(md2, b64);
  BIO_push(md1, md2);
diff --git a/openssl/doc/crypto/ERR_get_error.pod b/openssl/doc/crypto/ERR_get_error.pod
index 828ecf529..01e196c95 100644
--- a/openssl/doc/crypto/ERR_get_error.pod
+++ b/openssl/doc/crypto/ERR_get_error.pod
@@ -49,10 +49,10 @@ additionally store the file name and line number where
 the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
 
 ERR_get_error_line_data(), ERR_peek_error_line_data() and
-ERR_get_last_error_line_data() store additional data and flags
+ERR_peek_last_error_line_data() store additional data and flags
 associated with the error code in *B<data>
 and *B<flags>, unless these are B<NULL>. *B<data> contains a string
-if *B<flags>&B<ERR_TXT_STRING> is true. 
+if *B<flags>&B<ERR_TXT_STRING> is true.
 
 An application B<MUST NOT> free the *B<data> pointer (or any other pointers
 returned by these functions) with OPENSSL_free() as freeing is handled
diff --git a/openssl/doc/crypto/EVP_DigestInit.pod b/openssl/doc/crypto/EVP_DigestInit.pod
index 367691cc7..310c65eb3 100644
--- a/openssl/doc/crypto/EVP_DigestInit.pod
+++ b/openssl/doc/crypto/EVP_DigestInit.pod
@@ -161,9 +161,8 @@ EVP_MD_CTX_copy_ex() returns 1 if successful or 0 for failure.
 EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
 corresponding OBJECT IDENTIFIER or NID_undef if none exists.
 
-EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(e), EVP_MD_size(),
-EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block
-size in bytes.
+EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
+EVP_MD_CTX_block_size() return the digest or block size in bytes.
 
 EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
 EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
diff --git a/openssl/doc/crypto/EVP_EncryptInit.pod b/openssl/doc/crypto/EVP_EncryptInit.pod
index 1c4bf184a..d11e054e4 100644
--- a/openssl/doc/crypto/EVP_EncryptInit.pod
+++ b/openssl/doc/crypto/EVP_EncryptInit.pod
@@ -344,7 +344,10 @@ bits and 12 rounds.
 
 Where possible the B<EVP> interface to symmetric ciphers should be used in
 preference to the low level interfaces. This is because the code then becomes
-transparent to the cipher used and much more flexible.
+transparent to the cipher used and much more flexible. Additionally, the
+B<EVP> interface will ensure the use of platform specific cryptographic
+acceleration such as AES-NI (the low level interfaces do not provide the
+guarantee).
 
 PKCS padding works by adding B<n> padding bytes of value B<n> to make the total 
 length of the encrypted data a multiple of the block size. Padding is always
diff --git a/openssl/doc/crypto/EVP_SignInit.pod b/openssl/doc/crypto/EVP_SignInit.pod
index 620a623ab..14ecc775a 100644
--- a/openssl/doc/crypto/EVP_SignInit.pod
+++ b/openssl/doc/crypto/EVP_SignInit.pod
@@ -30,9 +30,11 @@ signature context B<ctx>. This function can be called several times on the
 same B<ctx> to include additional data.
 
 EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
-places the signature in B<sig>. The number of bytes of data written (i.e. the
-length of the signature) will be written to the integer at B<s>, at most
-EVP_PKEY_size(pkey) bytes will be written. 
+places the signature in B<sig>. B<sig> must be at least EVP_PKEY_size(pkey)
+bytes in size. B<s> is an OUT paramter, and not used as an IN parameter.
+The number of bytes of data written (i.e. the length of the signature)
+will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
+will be written.
 
 EVP_SignInit() initializes a signing context B<ctx> to use the default
 implementation of digest B<type>.
diff --git a/openssl/doc/crypto/RSA_set_method.pod b/openssl/doc/crypto/RSA_set_method.pod
index 2c963d7e5..0ef078118 100644
--- a/openssl/doc/crypto/RSA_set_method.pod
+++ b/openssl/doc/crypto/RSA_set_method.pod
@@ -125,14 +125,18 @@ the default method is used.
      /* sign. For backward compatibility, this is used only
       * if (flags & RSA_FLAG_SIGN_VER)
       */
-	int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
-           unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-
+	int (*rsa_sign)(int type,
+		const unsigned char *m, unsigned int m_length,
+		unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
      /* verify. For backward compatibility, this is used only
       * if (flags & RSA_FLAG_SIGN_VER)
       */
-	int (*rsa_verify)(int type, unsigned char *m, unsigned int m_len,
-           unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+	int (*rsa_verify)(int dtype,
+		const unsigned char *m, unsigned int m_length,
+		const unsigned char *sigbuf, unsigned int siglen,
+								const RSA *rsa);
+     /* keygen. If NULL builtin RSA key generation will be used */
+	int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
 
  } RSA_METHOD;
 
diff --git a/openssl/doc/crypto/RSA_sign.pod b/openssl/doc/crypto/RSA_sign.pod
index 8553be8e9..fc16b1f4f 100644
--- a/openssl/doc/crypto/RSA_sign.pod
+++ b/openssl/doc/crypto/RSA_sign.pod
@@ -20,6 +20,10 @@ RSA_sign() signs the message digest B<m> of size B<m_len> using the
 private key B<rsa> as specified in PKCS #1 v2.0. It stores the
 signature in B<sigret> and the signature size in B<siglen>. B<sigret>
 must point to RSA_size(B<rsa>) bytes of memory.
+Note that PKCS #1 adds meta-data, placing limits on the size of the
+key that can be used.
+See L<RSA_private_encrypt(3)|RSA_private_encrypt(3)> for lower-level
+operations.
 
 B<type> denotes the message digest algorithm that was used to generate
 B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
diff --git a/openssl/doc/crypto/des.pod b/openssl/doc/crypto/des.pod
index 6f0cf1cc5..e1add56b5 100644
--- a/openssl/doc/crypto/des.pod
+++ b/openssl/doc/crypto/des.pod
@@ -135,9 +135,8 @@ depend on a global variable.
 
 DES_set_odd_parity() sets the parity of the passed I<key> to odd.
 
-DES_is_weak_key() returns 1 is the passed key is a weak key, 0 if it
-is ok.  The probability that a randomly generated key is weak is
-1/2^52, so it is not really worth checking for them.
+DES_is_weak_key() returns 1 if the passed key is a weak key, 0 if it
+is ok.  
 
 The following routines mostly operate on an input and output stream of
 I<DES_cblock>s.
@@ -181,7 +180,7 @@ of 24 bytes.  This is much better than CBC DES.
 
 DES_ede3_cbc_encrypt() implements outer triple CBC DES encryption with
 three keys. This means that each DES operation inside the CBC mode is
-really an C<C=E(ks3,D(ks2,E(ks1,M)))>.  This mode is used by SSL.
+an C<C=E(ks3,D(ks2,E(ks1,M)))>.  This mode is used by SSL.
 
 The DES_ede2_cbc_encrypt() macro implements two-key Triple-DES by
 reusing I<ks1> for the final encryption.  C<C=E(ks1,D(ks2,E(ks1,M)))>.
diff --git a/openssl/doc/crypto/err.pod b/openssl/doc/crypto/err.pod
index 6f729554d..4a5dc6935 100644
--- a/openssl/doc/crypto/err.pod
+++ b/openssl/doc/crypto/err.pod
@@ -171,7 +171,6 @@ ERR_get_string_table(void) respectively.
 
 =head1 SEE ALSO
 
-L<CRYPTO_set_id_callback(3)|CRYPTO_set_id_callback(3)>,
 L<CRYPTO_set_locking_callback(3)|CRYPTO_set_locking_callback(3)>,
 L<ERR_get_error(3)|ERR_get_error(3)>,
 L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>,
diff --git a/openssl/doc/crypto/pem.pod b/openssl/doc/crypto/pem.pod
index 54414a3f6..21e9fe3b9 100644
--- a/openssl/doc/crypto/pem.pod
+++ b/openssl/doc/crypto/pem.pod
@@ -450,9 +450,9 @@ byte B<salt> encoded as a set of hexadecimal digits.
 
 After this is the base64 encoded encrypted data.
 
-The encryption key is determined using EVP_bytestokey(), using B<salt> and an
+The encryption key is determined using EVP_BytesToKey(), using B<salt> and an
 iteration count of 1. The IV used is the value of B<salt> and *not* the IV
-returned by EVP_bytestokey().
+returned by EVP_BytesToKey().
 
 =head1 BUGS
 
@@ -474,3 +474,7 @@ The read routines return either a pointer to the structure read or NULL
 if an error occurred.
 
 The write routines return 1 for success or 0 for failure.
+
+=head1 SEE ALSO
+
+L<EVP_get_cipherbyname(3)|EVP_get_cipherbyname>, L<EVP_BytesToKey(3)|EVP_BytesToKey(3)>
diff --git a/openssl/doc/crypto/ui.pod b/openssl/doc/crypto/ui.pod
index 6df68d604..04f8e9c36 100644
--- a/openssl/doc/crypto/ui.pod
+++ b/openssl/doc/crypto/ui.pod
@@ -119,7 +119,7 @@ verification will fail.
 UI_add_input_boolean() adds a prompt to the UI that's supposed to be answered
 in a boolean way, with a single character for yes and a different character
 for no.  A set of characters that can be used to cancel the prompt is given
-as well.  The prompt itself is really divided in two, one part being the
+as well.  The prompt itself is divided in two, one part being the
 descriptive text (given through the I<prompt> argument) and one describing
 the possible answers (given through the I<action_desc> argument).
 
-- 
cgit v1.2.3