aboutsummaryrefslogtreecommitdiffstats
path: root/doc/crypto
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2018-09-13 19:18:07 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2018-09-13 19:18:07 +0000
commita43ce912fc025d11e1395506111f75fc194d7ba5 (patch)
tree9794cf7720d75938ed0ea4f499c0dcd4b6eacdda /doc/crypto
parent02be298e504b8554caca6dc85af450e1ea44d19d (diff)
downloadsrc-a43ce912fc025d11e1395506111f75fc194d7ba5.tar.gz
src-a43ce912fc025d11e1395506111f75fc194d7ba5.zip
Import OpenSSL 1.1.1.vendor/openssl/1.1.1
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=338658 svn path=/vendor-crypto/openssl/1.1.1/; revision=338659; tag=vendor/openssl/1.1.1
Diffstat (limited to 'doc/crypto')
-rw-r--r--doc/crypto/ASN1_OBJECT_new.pod45
-rw-r--r--doc/crypto/ASN1_STRING_length.pod83
-rw-r--r--doc/crypto/ASN1_STRING_new.pod46
-rw-r--r--doc/crypto/ASN1_STRING_print_ex.pod96
-rw-r--r--doc/crypto/ASN1_TIME_set.pod129
-rw-r--r--doc/crypto/ASN1_generate_nconf.pod265
-rw-r--r--doc/crypto/BIO_ctrl.pod128
-rw-r--r--doc/crypto/BIO_f_base64.pod82
-rw-r--r--doc/crypto/BIO_f_buffer.pod74
-rw-r--r--doc/crypto/BIO_f_cipher.pod76
-rw-r--r--doc/crypto/BIO_f_md.pod144
-rw-r--r--doc/crypto/BIO_f_null.pod32
-rw-r--r--doc/crypto/BIO_f_ssl.pod322
-rw-r--r--doc/crypto/BIO_find_type.pod98
-rw-r--r--doc/crypto/BIO_new.pod65
-rw-r--r--doc/crypto/BIO_new_CMS.pod66
-rw-r--r--doc/crypto/BIO_push.pod69
-rw-r--r--doc/crypto/BIO_read.pod66
-rw-r--r--doc/crypto/BIO_s_accept.pod195
-rw-r--r--doc/crypto/BIO_s_bio.pod185
-rw-r--r--doc/crypto/BIO_s_connect.pod192
-rw-r--r--doc/crypto/BIO_s_fd.pod89
-rw-r--r--doc/crypto/BIO_s_file.pod148
-rw-r--r--doc/crypto/BIO_s_mem.pod115
-rw-r--r--doc/crypto/BIO_s_null.pod37
-rw-r--r--doc/crypto/BIO_s_socket.pod63
-rw-r--r--doc/crypto/BIO_set_callback.pod108
-rw-r--r--doc/crypto/BIO_should_retry.pod114
-rw-r--r--doc/crypto/BN_BLINDING_new.pod115
-rw-r--r--doc/crypto/BN_CTX_new.pod57
-rw-r--r--doc/crypto/BN_CTX_start.pod52
-rw-r--r--doc/crypto/BN_add.pod126
-rw-r--r--doc/crypto/BN_add_word.pod61
-rw-r--r--doc/crypto/BN_bn2bin.pod98
-rw-r--r--doc/crypto/BN_cmp.pod48
-rw-r--r--doc/crypto/BN_copy.pod34
-rw-r--r--doc/crypto/BN_generate_prime.pod150
-rw-r--r--doc/crypto/BN_mod_inverse.pod36
-rw-r--r--doc/crypto/BN_mod_mul_montgomery.pod101
-rw-r--r--doc/crypto/BN_mod_mul_reciprocal.pod81
-rw-r--r--doc/crypto/BN_new.pod55
-rw-r--r--doc/crypto/BN_num_bytes.pod57
-rw-r--r--doc/crypto/BN_rand.pod63
-rw-r--r--doc/crypto/BN_set_bit.pod66
-rw-r--r--doc/crypto/BN_swap.pod23
-rw-r--r--doc/crypto/BN_zero.pod62
-rw-r--r--doc/crypto/CMS_add0_cert.pod66
-rw-r--r--doc/crypto/CMS_add1_recipient_cert.pod62
-rw-r--r--doc/crypto/CMS_add1_signer.pod101
-rw-r--r--doc/crypto/CMS_compress.pod73
-rw-r--r--doc/crypto/CMS_decrypt.pod79
-rw-r--r--doc/crypto/CMS_encrypt.pod96
-rw-r--r--doc/crypto/CMS_final.pod41
-rw-r--r--doc/crypto/CMS_get0_RecipientInfos.pod120
-rw-r--r--doc/crypto/CMS_get0_SignerInfos.pod81
-rw-r--r--doc/crypto/CMS_get0_type.pod77
-rw-r--r--doc/crypto/CMS_get1_ReceiptRequest.pod69
-rw-r--r--doc/crypto/CMS_sign.pod121
-rw-r--r--doc/crypto/CMS_sign_receipt.pod45
-rw-r--r--doc/crypto/CMS_uncompress.pod54
-rw-r--r--doc/crypto/CMS_verify.pod126
-rw-r--r--doc/crypto/CMS_verify_receipt.pod47
-rw-r--r--doc/crypto/CONF_modules_free.pod47
-rw-r--r--doc/crypto/CONF_modules_load_file.pod137
-rw-r--r--doc/crypto/CRYPTO_set_ex_data.pod53
-rw-r--r--doc/crypto/DH_generate_key.pod50
-rw-r--r--doc/crypto/DH_generate_parameters.pod82
-rw-r--r--doc/crypto/DH_get_ex_new_index.pod36
-rw-r--r--doc/crypto/DH_new.pod40
-rw-r--r--doc/crypto/DH_set_method.pod129
-rw-r--r--doc/crypto/DH_size.pod33
-rw-r--r--doc/crypto/DSA_SIG_new.pod40
-rw-r--r--doc/crypto/DSA_do_sign.pod47
-rw-r--r--doc/crypto/DSA_dup_DH.pod36
-rw-r--r--doc/crypto/DSA_generate_key.pod34
-rw-r--r--doc/crypto/DSA_generate_parameters.pod121
-rw-r--r--doc/crypto/DSA_get_ex_new_index.pod36
-rw-r--r--doc/crypto/DSA_new.pod42
-rw-r--r--doc/crypto/DSA_set_method.pod143
-rw-r--r--doc/crypto/DSA_sign.pod66
-rw-r--r--doc/crypto/DSA_size.pod33
-rw-r--r--doc/crypto/EC_GFp_simple_method.pod60
-rw-r--r--doc/crypto/EC_GROUP_copy.pod174
-rw-r--r--doc/crypto/EC_GROUP_new.pod95
-rw-r--r--doc/crypto/EC_KEY_new.pod108
-rw-r--r--doc/crypto/EC_POINT_add.pod72
-rw-r--r--doc/crypto/EC_POINT_new.pod128
-rw-r--r--doc/crypto/ERR_GET_LIB.pod51
-rw-r--r--doc/crypto/ERR_clear_error.pod29
-rw-r--r--doc/crypto/ERR_error_string.pod73
-rw-r--r--doc/crypto/ERR_get_error.pod79
-rw-r--r--doc/crypto/ERR_load_crypto_strings.pod46
-rw-r--r--doc/crypto/ERR_load_strings.pod54
-rw-r--r--doc/crypto/ERR_print_errors.pod51
-rw-r--r--doc/crypto/ERR_put_error.pod44
-rw-r--r--doc/crypto/ERR_remove_state.pod45
-rw-r--r--doc/crypto/ERR_set_mark.pod38
-rw-r--r--doc/crypto/EVP_BytesToKey.pod70
-rw-r--r--doc/crypto/EVP_DigestInit.pod282
-rw-r--r--doc/crypto/EVP_DigestSignInit.pod87
-rw-r--r--doc/crypto/EVP_DigestVerifyInit.pod83
-rw-r--r--doc/crypto/EVP_EncodeInit.pod127
-rw-r--r--doc/crypto/EVP_EncryptInit.pod594
-rw-r--r--doc/crypto/EVP_OpenInit.pod63
-rw-r--r--doc/crypto/EVP_PKEY_CTX_ctrl.pod134
-rw-r--r--doc/crypto/EVP_PKEY_CTX_new.pod52
-rw-r--r--doc/crypto/EVP_PKEY_cmp.pod63
-rw-r--r--doc/crypto/EVP_PKEY_decrypt.pod93
-rw-r--r--doc/crypto/EVP_PKEY_derive.pod93
-rw-r--r--doc/crypto/EVP_PKEY_encrypt.pod99
-rw-r--r--doc/crypto/EVP_PKEY_get_default_digest.pod41
-rw-r--r--doc/crypto/EVP_PKEY_keygen.pod161
-rw-r--r--doc/crypto/EVP_PKEY_meth_new.pod376
-rw-r--r--doc/crypto/EVP_PKEY_new.pod47
-rw-r--r--doc/crypto/EVP_PKEY_print_private.pod53
-rw-r--r--doc/crypto/EVP_PKEY_set1_RSA.pod80
-rw-r--r--doc/crypto/EVP_PKEY_sign.pod106
-rw-r--r--doc/crypto/EVP_PKEY_verify.pod91
-rw-r--r--doc/crypto/EVP_PKEY_verify_recover.pod103
-rw-r--r--doc/crypto/EVP_SealInit.pod85
-rw-r--r--doc/crypto/EVP_SignInit.pod107
-rw-r--r--doc/crypto/EVP_VerifyInit.pod95
-rw-r--r--doc/crypto/OBJ_nid2obj.pod170
-rw-r--r--doc/crypto/OPENSSL_Applink.pod21
-rw-r--r--doc/crypto/OPENSSL_VERSION_NUMBER.pod101
-rw-r--r--doc/crypto/OPENSSL_config.pod63
-rw-r--r--doc/crypto/OPENSSL_ia32cap.pod96
-rw-r--r--doc/crypto/OPENSSL_instrument_bus.pod42
-rw-r--r--doc/crypto/OPENSSL_load_builtin_modules.pod51
-rw-r--r--doc/crypto/OpenSSL_add_all_algorithms.pod66
-rw-r--r--doc/crypto/PEM_write_bio_CMS_stream.pod41
-rw-r--r--doc/crypto/PEM_write_bio_PKCS7_stream.pod41
-rw-r--r--doc/crypto/PKCS12_create.pod75
-rw-r--r--doc/crypto/PKCS12_parse.pod57
-rw-r--r--doc/crypto/PKCS7_decrypt.pod55
-rw-r--r--doc/crypto/PKCS7_encrypt.pod80
-rw-r--r--doc/crypto/PKCS7_sign.pod116
-rw-r--r--doc/crypto/PKCS7_sign_add_signer.pod87
-rw-r--r--doc/crypto/PKCS7_verify.pod118
-rw-r--r--doc/crypto/RAND_add.pod77
-rw-r--r--doc/crypto/RAND_bytes.pod50
-rw-r--r--doc/crypto/RAND_cleanup.pod29
-rw-r--r--doc/crypto/RAND_egd.pod88
-rw-r--r--doc/crypto/RAND_load_file.pod53
-rw-r--r--doc/crypto/RAND_set_rand_method.pod83
-rw-r--r--doc/crypto/RSA_blinding_on.pod43
-rw-r--r--doc/crypto/RSA_check_key.pod67
-rw-r--r--doc/crypto/RSA_generate_key.pod80
-rw-r--r--doc/crypto/RSA_get_ex_new_index.pod120
-rw-r--r--doc/crypto/RSA_new.pod41
-rw-r--r--doc/crypto/RSA_padding_add_PKCS1_type_1.pod131
-rw-r--r--doc/crypto/RSA_print.pod49
-rw-r--r--doc/crypto/RSA_private_encrypt.pod70
-rw-r--r--doc/crypto/RSA_public_encrypt.pod91
-rw-r--r--doc/crypto/RSA_set_method.pod206
-rw-r--r--doc/crypto/RSA_sign.pod66
-rw-r--r--doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod59
-rw-r--r--doc/crypto/RSA_size.pod33
-rw-r--r--doc/crypto/SMIME_read_CMS.pod70
-rw-r--r--doc/crypto/SMIME_read_PKCS7.pod73
-rw-r--r--doc/crypto/SMIME_write_CMS.pod64
-rw-r--r--doc/crypto/SMIME_write_PKCS7.pod65
-rw-r--r--doc/crypto/SSLeay_version.pod74
-rw-r--r--doc/crypto/X509_NAME_ENTRY_get_object.pod74
-rw-r--r--doc/crypto/X509_NAME_add_entry_by_txt.pod116
-rw-r--r--doc/crypto/X509_NAME_get_index_by_NID.pod118
-rw-r--r--doc/crypto/X509_NAME_print_ex.pod107
-rw-r--r--doc/crypto/X509_STORE_CTX_get_error.pod305
-rw-r--r--doc/crypto/X509_STORE_CTX_get_ex_new_index.pod41
-rw-r--r--doc/crypto/X509_STORE_CTX_new.pod127
-rw-r--r--doc/crypto/X509_STORE_CTX_set_verify_cb.pod161
-rw-r--r--doc/crypto/X509_STORE_set_verify_cb_func.pod54
-rw-r--r--doc/crypto/X509_VERIFY_PARAM_set_flags.pod266
-rw-r--r--doc/crypto/X509_check_host.pod140
-rw-r--r--doc/crypto/X509_check_private_key.pod54
-rw-r--r--doc/crypto/X509_new.pod39
-rw-r--r--doc/crypto/X509_verify_cert.pod55
-rw-r--r--doc/crypto/bio.pod54
-rw-r--r--doc/crypto/blowfish.pod112
-rw-r--r--doc/crypto/bn.pod181
-rw-r--r--doc/crypto/bn_internal.pod238
-rw-r--r--doc/crypto/buffer.pod76
-rw-r--r--doc/crypto/crypto.pod85
-rw-r--r--doc/crypto/d2i_ASN1_OBJECT.pod29
-rw-r--r--doc/crypto/d2i_CMS_ContentInfo.pod29
-rw-r--r--doc/crypto/d2i_DHparams.pod30
-rw-r--r--doc/crypto/d2i_DSAPublicKey.pod83
-rw-r--r--doc/crypto/d2i_ECPKParameters.pod84
-rw-r--r--doc/crypto/d2i_ECPrivateKey.pod67
-rw-r--r--doc/crypto/d2i_PKCS8PrivateKey.pod56
-rw-r--r--doc/crypto/d2i_PrivateKey.pod59
-rw-r--r--doc/crypto/d2i_RSAPublicKey.pod67
-rw-r--r--doc/crypto/d2i_X509.pod272
-rw-r--r--doc/crypto/d2i_X509_ALGOR.pod30
-rw-r--r--doc/crypto/d2i_X509_CRL.pod37
-rw-r--r--doc/crypto/d2i_X509_NAME.pod31
-rw-r--r--doc/crypto/d2i_X509_REQ.pod36
-rw-r--r--doc/crypto/d2i_X509_SIG.pod30
-rw-r--r--doc/crypto/des.pod357
-rw-r--r--doc/crypto/des_modes.pod255
-rw-r--r--doc/crypto/dh.pod78
-rw-r--r--doc/crypto/dsa.pod114
-rw-r--r--doc/crypto/ec.pod201
-rw-r--r--doc/crypto/ecdsa.pod206
-rw-r--r--doc/crypto/engine.pod599
-rw-r--r--doc/crypto/err.pod186
-rw-r--r--doc/crypto/evp.pod108
-rw-r--r--doc/crypto/hmac.pod111
-rw-r--r--doc/crypto/i2d_CMS_bio_stream.pod44
-rw-r--r--doc/crypto/i2d_PKCS7_bio_stream.pod44
-rw-r--r--doc/crypto/lh_stats.pod60
-rw-r--r--doc/crypto/lhash.pod302
-rw-r--r--doc/crypto/md5.pod101
-rw-r--r--doc/crypto/mdc2.pod64
-rw-r--r--doc/crypto/pem.pod503
-rw-r--r--doc/crypto/rand.pod175
-rw-r--r--doc/crypto/rc4.pod62
-rw-r--r--doc/crypto/ripemd.pod66
-rw-r--r--doc/crypto/rsa.pod123
-rw-r--r--doc/crypto/sha.pod104
-rw-r--r--doc/crypto/threads.pod214
-rw-r--r--doc/crypto/ui.pod194
-rw-r--r--doc/crypto/ui_compat.pod57
-rw-r--r--doc/crypto/x509.pod64
224 files changed, 0 insertions, 22009 deletions
diff --git a/doc/crypto/ASN1_OBJECT_new.pod b/doc/crypto/ASN1_OBJECT_new.pod
deleted file mode 100644
index 9bae40fccf1b..000000000000
--- a/doc/crypto/ASN1_OBJECT_new.pod
+++ /dev/null
@@ -1,45 +0,0 @@
-=pod
-
-=head1 NAME
-
-ASN1_OBJECT_new, ASN1_OBJECT_free, - object allocation functions
-
-=head1 SYNOPSIS
-
- #include <openssl/asn1.h>
-
- ASN1_OBJECT *ASN1_OBJECT_new(void);
- void ASN1_OBJECT_free(ASN1_OBJECT *a);
-
-=head1 DESCRIPTION
-
-The ASN1_OBJECT allocation routines, allocate and free an
-ASN1_OBJECT structure, which represents an ASN1 OBJECT IDENTIFIER.
-
-ASN1_OBJECT_new() allocates and initializes a ASN1_OBJECT structure.
-
-ASN1_OBJECT_free() frees up the B<ASN1_OBJECT> structure B<a>.
-
-=head1 NOTES
-
-Although ASN1_OBJECT_new() allocates a new ASN1_OBJECT structure it
-is almost never used in applications. The ASN1 object utility functions
-such as OBJ_nid2obj() are used instead.
-
-=head1 RETURN VALUES
-
-If the allocation fails, ASN1_OBJECT_new() returns B<NULL> and sets an error
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-Otherwise it returns a pointer to the newly allocated structure.
-
-ASN1_OBJECT_free() returns no value.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_ASN1_OBJECT(3)|d2i_ASN1_OBJECT(3)>
-
-=head1 HISTORY
-
-ASN1_OBJECT_new() and ASN1_OBJECT_free() are available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/ASN1_STRING_length.pod b/doc/crypto/ASN1_STRING_length.pod
deleted file mode 100644
index 4ea6e8c226c0..000000000000
--- a/doc/crypto/ASN1_STRING_length.pod
+++ /dev/null
@@ -1,83 +0,0 @@
-=pod
-
-=head1 NAME
-
-ASN1_STRING_dup, ASN1_STRING_cmp, ASN1_STRING_set, ASN1_STRING_length,
-ASN1_STRING_length_set, ASN1_STRING_type, ASN1_STRING_data, ASN1_STRING_to_UTF8 -
-ASN1_STRING utility functions
-
-=head1 SYNOPSIS
-
- #include <openssl/asn1.h>
-
- int ASN1_STRING_length(ASN1_STRING *x);
- unsigned char * ASN1_STRING_data(ASN1_STRING *x);
-
- ASN1_STRING * ASN1_STRING_dup(ASN1_STRING *a);
-
- int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b);
-
- int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
-
- int ASN1_STRING_type(ASN1_STRING *x);
-
- int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
-
-=head1 DESCRIPTION
-
-These functions allow an B<ASN1_STRING> structure to be manipulated.
-
-ASN1_STRING_length() returns the length of the content of B<x>.
-
-ASN1_STRING_data() returns an internal pointer to the data of B<x>.
-Since this is an internal pointer it should B<not> be freed or
-modified in any way.
-
-ASN1_STRING_dup() returns a copy of the structure B<a>.
-
-ASN1_STRING_cmp() compares B<a> and B<b> returning 0 if the two
-are identical. The string types and content are compared.
-
-ASN1_STRING_set() sets the data of string B<str> to the buffer
-B<data> or length B<len>. The supplied data is copied. If B<len>
-is -1 then the length is determined by strlen(data).
-
-ASN1_STRING_type() returns the type of B<x>, using standard constants
-such as B<V_ASN1_OCTET_STRING>.
-
-ASN1_STRING_to_UTF8() converts the string B<in> to UTF8 format, the
-converted data is allocated in a buffer in B<*out>. The length of
-B<out> is returned or a negative error code. The buffer B<*out>
-should be free using OPENSSL_free().
-
-=head1 NOTES
-
-Almost all ASN1 types in OpenSSL are represented as an B<ASN1_STRING>
-structure. Other types such as B<ASN1_OCTET_STRING> are simply typedefed
-to B<ASN1_STRING> and the functions call the B<ASN1_STRING> equivalents.
-B<ASN1_STRING> is also used for some B<CHOICE> types which consist
-entirely of primitive string types such as B<DirectoryString> and
-B<Time>.
-
-These functions should B<not> be used to examine or modify B<ASN1_INTEGER>
-or B<ASN1_ENUMERATED> types: the relevant B<INTEGER> or B<ENUMERATED>
-utility functions should be used instead.
-
-In general it cannot be assumed that the data returned by ASN1_STRING_data()
-is null terminated or does not contain embedded nulls. The actual format
-of the data will depend on the actual string type itself: for example
-for an IA5String the data will be ASCII, for a BMPString two bytes per
-character in big endian format, and for an UTF8String it will be in UTF8 format.
-
-Similar care should be take to ensure the data is in the correct format
-when calling ASN1_STRING_set().
-
-=head1 RETURN VALUES
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-=cut
diff --git a/doc/crypto/ASN1_STRING_new.pod b/doc/crypto/ASN1_STRING_new.pod
deleted file mode 100644
index 8ac2a03ae267..000000000000
--- a/doc/crypto/ASN1_STRING_new.pod
+++ /dev/null
@@ -1,46 +0,0 @@
-=pod
-
-=head1 NAME
-
-ASN1_STRING_new, ASN1_STRING_type_new, ASN1_STRING_free -
-ASN1_STRING allocation functions
-
-=head1 SYNOPSIS
-
- #include <openssl/asn1.h>
-
- ASN1_STRING * ASN1_STRING_new(void);
- ASN1_STRING * ASN1_STRING_type_new(int type);
- void ASN1_STRING_free(ASN1_STRING *a);
-
-=head1 DESCRIPTION
-
-ASN1_STRING_new() returns an allocated B<ASN1_STRING> structure. Its type
-is undefined.
-
-ASN1_STRING_type_new() returns an allocated B<ASN1_STRING> structure of
-type B<type>.
-
-ASN1_STRING_free() frees up B<a>.
-
-=head1 NOTES
-
-Other string types call the B<ASN1_STRING> functions. For example
-ASN1_OCTET_STRING_new() calls ASN1_STRING_type(V_ASN1_OCTET_STRING).
-
-=head1 RETURN VALUES
-
-ASN1_STRING_new() and ASN1_STRING_type_new() return a valid
-ASN1_STRING structure or B<NULL> if an error occurred.
-
-ASN1_STRING_free() does not return a value.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-TBA
-
-=cut
diff --git a/doc/crypto/ASN1_STRING_print_ex.pod b/doc/crypto/ASN1_STRING_print_ex.pod
deleted file mode 100644
index 19c82ff1e444..000000000000
--- a/doc/crypto/ASN1_STRING_print_ex.pod
+++ /dev/null
@@ -1,96 +0,0 @@
-=pod
-
-=head1 NAME
-
-ASN1_STRING_print_ex, ASN1_STRING_print_ex_fp, ASN1_STRING_print - ASN1_STRING output routines.
-
-=head1 SYNOPSIS
-
- #include <openssl/asn1.h>
-
- int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags);
- int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
- int ASN1_STRING_print(BIO *out, ASN1_STRING *str);
-
-
-=head1 DESCRIPTION
-
-These functions output an B<ASN1_STRING> structure. B<ASN1_STRING> is used to
-represent all the ASN1 string types.
-
-ASN1_STRING_print_ex() outputs B<str> to B<out>, the format is determined by
-the options B<flags>. ASN1_STRING_print_ex_fp() is identical except it outputs
-to B<fp> instead.
-
-ASN1_STRING_print() prints B<str> to B<out> but using a different format to
-ASN1_STRING_print_ex(). It replaces unprintable characters (other than CR, LF)
-with '.'.
-
-=head1 NOTES
-
-ASN1_STRING_print() is a legacy function which should be avoided in new applications.
-
-Although there are a large number of options frequently B<ASN1_STRFLGS_RFC2253> is
-suitable, or on UTF8 terminals B<ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB>.
-
-The complete set of supported options for B<flags> is listed below.
-
-Various characters can be escaped. If B<ASN1_STRFLGS_ESC_2253> is set the characters
-determined by RFC2253 are escaped. If B<ASN1_STRFLGS_ESC_CTRL> is set control
-characters are escaped. If B<ASN1_STRFLGS_ESC_MSB> is set characters with the
-MSB set are escaped: this option should B<not> be used if the terminal correctly
-interprets UTF8 sequences.
-
-Escaping takes several forms.
-
-If the character being escaped is a 16 bit character then the form "\UXXXX" is used
-using exactly four characters for the hex representation. If it is 32 bits then
-"\WXXXXXXXX" is used using eight characters of its hex representation. These forms
-will only be used if UTF8 conversion is not set (see below).
-
-Printable characters are normally escaped using the backslash '\' character. If
-B<ASN1_STRFLGS_ESC_QUOTE> is set then the whole string is instead surrounded by
-double quote characters: this is arguably more readable than the backslash
-notation. Other characters use the "\XX" using exactly two characters of the hex
-representation.
-
-If B<ASN1_STRFLGS_UTF8_CONVERT> is set then characters are converted to UTF8
-format first. If the terminal supports the display of UTF8 sequences then this
-option will correctly display multi byte characters.
-
-If B<ASN1_STRFLGS_IGNORE_TYPE> is set then the string type is not interpreted at
-all: everything is assumed to be one byte per character. This is primarily for
-debugging purposes and can result in confusing output in multi character strings.
-
-If B<ASN1_STRFLGS_SHOW_TYPE> is set then the string type itself is printed out
-before its value (for example "BMPSTRING"), this actually uses ASN1_tag2str().
-
-The content of a string instead of being interpreted can be "dumped": this just
-outputs the value of the string using the form #XXXX using hex format for each
-octet.
-
-If B<ASN1_STRFLGS_DUMP_ALL> is set then any type is dumped.
-
-Normally non character string types (such as OCTET STRING) are assumed to be
-one byte per character, if B<ASN1_STRFLGS_DUMP_UNKNOWN> is set then they will
-be dumped instead.
-
-When a type is dumped normally just the content octets are printed, if
-B<ASN1_STRFLGS_DUMP_DER> is set then the complete encoding is dumped
-instead (including tag and length octets).
-
-B<ASN1_STRFLGS_RFC2253> includes all the flags required by RFC2253. It is
-equivalent to:
- ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB |
- ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN ASN1_STRFLGS_DUMP_DER
-
-=head1 SEE ALSO
-
-L<X509_NAME_print_ex(3)|X509_NAME_print_ex(3)>,
-L<ASN1_tag2str(3)|ASN1_tag2str(3)>
-
-=head1 HISTORY
-
-TBA
-
-=cut
diff --git a/doc/crypto/ASN1_TIME_set.pod b/doc/crypto/ASN1_TIME_set.pod
deleted file mode 100644
index ae2b53d35584..000000000000
--- a/doc/crypto/ASN1_TIME_set.pod
+++ /dev/null
@@ -1,129 +0,0 @@
-=pod
-
-=head1 NAME
-
-ASN1_TIME_set, ASN1_TIME_adj, ASN1_TIME_check, ASN1_TIME_set_string,
-ASN1_TIME_print, ASN1_TIME_diff - ASN.1 Time functions.
-
-=head1 SYNOPSIS
-
- ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t);
- ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
- int offset_day, long offset_sec);
- int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
- int ASN1_TIME_check(const ASN1_TIME *t);
- int ASN1_TIME_print(BIO *b, const ASN1_TIME *s);
-
- int ASN1_TIME_diff(int *pday, int *psec,
- const ASN1_TIME *from, const ASN1_TIME *to);
-
-=head1 DESCRIPTION
-
-The function ASN1_TIME_set() sets the ASN1_TIME structure B<s> to the
-time represented by the time_t value B<t>. If B<s> is NULL a new ASN1_TIME
-structure is allocated and returned.
-
-ASN1_TIME_adj() sets the ASN1_TIME structure B<s> to the time represented
-by the time B<offset_day> and B<offset_sec> after the time_t value B<t>.
-The values of B<offset_day> or B<offset_sec> can be negative to set a
-time before B<t>. The B<offset_sec> value can also exceed the number of
-seconds in a day. If B<s> is NULL a new ASN1_TIME structure is allocated
-and returned.
-
-ASN1_TIME_set_string() sets ASN1_TIME structure B<s> to the time
-represented by string B<str> which must be in appropriate ASN.1 time
-format (for example YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ).
-
-ASN1_TIME_check() checks the syntax of ASN1_TIME structure B<s>.
-
-ASN1_TIME_print() prints out the time B<s> to BIO B<b> in human readable
-format. It will be of the format MMM DD HH:MM:SS YYYY [GMT], for example
-"Feb 3 00:55:52 2015 GMT" it does not include a newline. If the time
-structure has invalid format it prints out "Bad time value" and returns
-an error.
-
-ASN1_TIME_diff() sets B<*pday> and B<*psec> to the time difference between
-B<from> and B<to>. If B<to> represents a time later than B<from> then
-one or both (depending on the time difference) of B<*pday> and B<*psec>
-will be positive. If B<to> represents a time earlier than B<from> then
-one or both of B<*pday> and B<*psec> will be negative. If B<to> and B<from>
-represent the same time then B<*pday> and B<*psec> will both be zero.
-If both B<*pday> and B<*psec> are non-zero they will always have the same
-sign. The value of B<*psec> will always be less than the number of seconds
-in a day. If B<from> or B<to> is NULL the current time is used.
-
-=head1 NOTES
-
-The ASN1_TIME structure corresponds to the ASN.1 structure B<Time>
-defined in RFC5280 et al. The time setting functions obey the rules outlined
-in RFC5280: if the date can be represented by UTCTime it is used, else
-GeneralizedTime is used.
-
-The ASN1_TIME structure is represented as an ASN1_STRING internally and can
-be freed up using ASN1_STRING_free().
-
-The ASN1_TIME structure can represent years from 0000 to 9999 but no attempt
-is made to correct ancient calendar changes (for example from Julian to
-Gregorian calendars).
-
-Some applications add offset times directly to a time_t value and pass the
-results to ASN1_TIME_set() (or equivalent). This can cause problems as the
-time_t value can overflow on some systems resulting in unexpected results.
-New applications should use ASN1_TIME_adj() instead and pass the offset value
-in the B<offset_sec> and B<offset_day> parameters instead of directly
-manipulating a time_t value.
-
-=head1 BUGS
-
-ASN1_TIME_print() currently does not print out the time zone: it either prints
-out "GMT" or nothing. But all certificates complying with RFC5280 et al use GMT
-anyway.
-
-=head1 EXAMPLES
-
-Set a time structure to one hour after the current time and print it out:
-
- #include <time.h>
- #include <openssl/asn1.h>
- ASN1_TIME *tm;
- time_t t;
- BIO *b;
- t = time(NULL);
- tm = ASN1_TIME_adj(NULL, t, 0, 60 * 60);
- b = BIO_new_fp(stdout, BIO_NOCLOSE);
- ASN1_TIME_print(b, tm);
- ASN1_STRING_free(tm);
- BIO_free(b);
-
-Determine if one time is later or sooner than the current time:
-
- int day, sec;
-
- if (!ASN1_TIME_diff(&day, &sec, NULL, to))
- /* Invalid time format */
-
- if (day > 0 || sec > 0)
- printf("Later\n");
- else if (day < 0 || sec < 0)
- printf("Sooner\n");
- else
- printf("Same\n");
-
-=head1 RETURN VALUES
-
-ASN1_TIME_set() and ASN1_TIME_adj() return a pointer to an ASN1_TIME structure
-or NULL if an error occurred.
-
-ASN1_TIME_set_string() returns 1 if the time value is successfully set and
-0 otherwise.
-
-ASN1_TIME_check() returns 1 if the structure is syntactically correct and 0
-otherwise.
-
-ASN1_TIME_print() returns 1 if the time is successfully printed out and 0 if
-an error occurred (I/O error or invalid time format).
-
-ASN1_TIME_diff() returns 1 for sucess and 0 for failure. It can fail if the
-pass ASN1_TIME structure has invalid syntax for example.
-
-=cut
diff --git a/doc/crypto/ASN1_generate_nconf.pod b/doc/crypto/ASN1_generate_nconf.pod
deleted file mode 100644
index bfa0a04ff974..000000000000
--- a/doc/crypto/ASN1_generate_nconf.pod
+++ /dev/null
@@ -1,265 +0,0 @@
-=pod
-
-=head1 NAME
-
-ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions
-
-=head1 SYNOPSIS
-
- #include <openssl/asn1.h>
-
- ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf);
- ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
-
-=head1 DESCRIPTION
-
-These functions generate the ASN1 encoding of a string
-in an B<ASN1_TYPE> structure.
-
-B<str> contains the string to encode B<nconf> or B<cnf> contains
-the optional configuration information where additional strings
-will be read from. B<nconf> will typically come from a config
-file wherease B<cnf> is obtained from an B<X509V3_CTX> structure
-which will typically be used by X509 v3 certificate extension
-functions. B<cnf> or B<nconf> can be set to B<NULL> if no additional
-configuration will be used.
-
-=head1 GENERATION STRING FORMAT
-
-The actual data encoded is determined by the string B<str> and
-the configuration information. The general format of the string
-is:
-
-=over 2
-
-=item B<[modifier,]type[:value]>
-
-=back
-
-That is zero or more comma separated modifiers followed by a type
-followed by an optional colon and a value. The formats of B<type>,
-B<value> and B<modifier> are explained below.
-
-=head2 SUPPORTED TYPES
-
-The supported types are listed below. Unless otherwise specified
-only the B<ASCII> format is permissible.
-
-=over 2
-
-=item B<BOOLEAN>, B<BOOL>
-
-This encodes a boolean type. The B<value> string is mandatory and
-should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>,
-B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no>
-are acceptable.
-
-=item B<NULL>
-
-Encode the B<NULL> type, the B<value> string must not be present.
-
-=item B<INTEGER>, B<INT>
-
-Encodes an ASN1 B<INTEGER> type. The B<value> string represents
-the value of the integer, it can be prefaced by a minus sign and
-is normally interpreted as a decimal value unless the prefix B<0x>
-is included.
-
-=item B<ENUMERATED>, B<ENUM>
-
-Encodes the ASN1 B<ENUMERATED> type, it is otherwise identical to
-B<INTEGER>.
-
-=item B<OBJECT>, B<OID>
-
-Encodes an ASN1 B<OBJECT IDENTIFIER>, the B<value> string can be
-a short name, a long name or numerical format.
-
-=item B<UTCTIME>, B<UTC>
-
-Encodes an ASN1 B<UTCTime> structure, the value should be in
-the format B<YYMMDDHHMMSSZ>.
-
-=item B<GENERALIZEDTIME>, B<GENTIME>
-
-Encodes an ASN1 B<GeneralizedTime> structure, the value should be in
-the format B<YYYYMMDDHHMMSSZ>.
-
-=item B<OCTETSTRING>, B<OCT>
-
-Encodes an ASN1 B<OCTET STRING>. B<value> represents the contents
-of this structure, the format strings B<ASCII> and B<HEX> can be
-used to specify the format of B<value>.
-
-=item B<BITSTRING>, B<BITSTR>
-
-Encodes an ASN1 B<BIT STRING>. B<value> represents the contents
-of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST>
-can be used to specify the format of B<value>.
-
-If the format is anything other than B<BITLIST> the number of unused
-bits is set to zero.
-
-=item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>,
-B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>,
-B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>,
-B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>, B<NUMERICSTRING>,
-B<NUMERIC>
-
-These encode the corresponding string types. B<value> represents the
-contents of this structure. The format can be B<ASCII> or B<UTF8>.
-
-=item B<SEQUENCE>, B<SEQ>, B<SET>
-
-Formats the result as an ASN1 B<SEQUENCE> or B<SET> type. B<value>
-should be a section name which will contain the contents. The
-field names in the section are ignored and the values are in the
-generated string format. If B<value> is absent then an empty SEQUENCE
-will be encoded.
-
-=back
-
-=head2 MODIFIERS
-
-Modifiers affect the following structure, they can be used to
-add EXPLICIT or IMPLICIT tagging, add wrappers or to change
-the string format of the final type and value. The supported
-formats are documented below.
-
-=over 2
-
-=item B<EXPLICIT>, B<EXP>
-
-Add an explicit tag to the following structure. This string
-should be followed by a colon and the tag value to use as a
-decimal value.
-
-By following the number with B<U>, B<A>, B<P> or B<C> UNIVERSAL,
-APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used,
-the default is CONTEXT SPECIFIC.
-
-=item B<IMPLICIT>, B<IMP>
-
-This is the same as B<EXPLICIT> except IMPLICIT tagging is used
-instead.
-
-=item B<OCTWRAP>, B<SEQWRAP>, B<SETWRAP>, B<BITWRAP>
-
-The following structure is surrounded by an OCTET STRING, a SEQUENCE,
-a SET or a BIT STRING respectively. For a BIT STRING the number of unused
-bits is set to zero.
-
-=item B<FORMAT>
-
-This specifies the format of the ultimate value. It should be followed
-by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>.
-
-If no format specifier is included then B<ASCII> is used. If B<UTF8> is
-specified then the value string must be a valid B<UTF8> string. For B<HEX> the
-output must be a set of hex digits. B<BITLIST> (which is only valid for a BIT
-STRING) is a comma separated list of the indices of the set bits, all other
-bits are zero.
-
-=back
-
-=head1 EXAMPLES
-
-A simple IA5String:
-
- IA5STRING:Hello World
-
-An IA5String explicitly tagged:
-
- EXPLICIT:0,IA5STRING:Hello World
-
-An IA5String explicitly tagged using APPLICATION tagging:
-
- EXPLICIT:0A,IA5STRING:Hello World
-
-A BITSTRING with bits 1 and 5 set and all others zero:
-
- FORMAT:BITLIST,BITSTRING:1,5
-
-A more complex example using a config file to produce a
-SEQUENCE consiting of a BOOL an OID and a UTF8String:
-
- asn1 = SEQUENCE:seq_section
-
- [seq_section]
-
- field1 = BOOLEAN:TRUE
- field2 = OID:commonName
- field3 = UTF8:Third field
-
-This example produces an RSAPrivateKey structure, this is the
-key contained in the file client.pem in all OpenSSL distributions
-(note: the field names such as 'coeff' are ignored and are present just
-for clarity):
-
- asn1=SEQUENCE:private_key
- [private_key]
- version=INTEGER:0
-
- n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
- D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
-
- e=INTEGER:0x010001
-
- d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\
- F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
-
- p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\
- D4BD57
-
- q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\
- 46EC4F
-
- exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\
- 9C0A39B9
-
- exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\
- E7B2458F
-
- coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\
- 628657053A
-
-This example is the corresponding public key in a SubjectPublicKeyInfo
-structure:
-
- # Start with a SEQUENCE
- asn1=SEQUENCE:pubkeyinfo
-
- # pubkeyinfo contains an algorithm identifier and the public key wrapped
- # in a BIT STRING
- [pubkeyinfo]
- algorithm=SEQUENCE:rsa_alg
- pubkey=BITWRAP,SEQUENCE:rsapubkey
-
- # algorithm ID for RSA is just an OID and a NULL
- [rsa_alg]
- algorithm=OID:rsaEncryption
- parameter=NULL
-
- # Actual public key: modulus and exponent
- [rsapubkey]
- n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
- D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
-
- e=INTEGER:0x010001
-
-=head1 RETURN VALUES
-
-ASN1_generate_nconf() and ASN1_generate_v3() return the encoded
-data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred.
-
-The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-ASN1_generate_nconf() and ASN1_generate_v3() were added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/BIO_ctrl.pod b/doc/crypto/BIO_ctrl.pod
deleted file mode 100644
index 722e8b8f46c9..000000000000
--- a/doc/crypto/BIO_ctrl.pod
+++ /dev/null
@@ -1,128 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset,
-BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close,
-BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending,
-BIO_get_info_callback, BIO_set_info_callback - BIO control operations
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);
- long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long));
- char * BIO_ptr_ctrl(BIO *bp,int cmd,long larg);
- long BIO_int_ctrl(BIO *bp,int cmd,long larg,int iarg);
-
- int BIO_reset(BIO *b);
- int BIO_seek(BIO *b, int ofs);
- int BIO_tell(BIO *b);
- int BIO_flush(BIO *b);
- int BIO_eof(BIO *b);
- int BIO_set_close(BIO *b,long flag);
- int BIO_get_close(BIO *b);
- int BIO_pending(BIO *b);
- int BIO_wpending(BIO *b);
- size_t BIO_ctrl_pending(BIO *b);
- size_t BIO_ctrl_wpending(BIO *b);
-
- int BIO_get_info_callback(BIO *b,bio_info_cb **cbp);
- int BIO_set_info_callback(BIO *b,bio_info_cb *cb);
-
- typedef void bio_info_cb(BIO *b, int oper, const char *ptr, int arg1, long arg2, long arg3);
-
-=head1 DESCRIPTION
-
-BIO_ctrl(), BIO_callback_ctrl(), BIO_ptr_ctrl() and BIO_int_ctrl()
-are BIO "control" operations taking arguments of various types.
-These functions are not normally called directly, various macros
-are used instead. The standard macros are described below, macros
-specific to a particular type of BIO are described in the specific
-BIOs manual page as well as any special features of the standard
-calls.
-
-BIO_reset() typically resets a BIO to some initial state, in the case
-of file related BIOs for example it rewinds the file pointer to the
-start of the file.
-
-BIO_seek() resets a file related BIO's (that is file descriptor and
-FILE BIOs) file position pointer to B<ofs> bytes from start of file.
-
-BIO_tell() returns the current file position of a file related BIO.
-
-BIO_flush() normally writes out any internally buffered data, in some
-cases it is used to signal EOF and that no more data will be written.
-
-BIO_eof() returns 1 if the BIO has read EOF, the precise meaning of
-"EOF" varies according to the BIO type.
-
-BIO_set_close() sets the BIO B<b> close flag to B<flag>. B<flag> can
-take the value BIO_CLOSE or BIO_NOCLOSE. Typically BIO_CLOSE is used
-in a source/sink BIO to indicate that the underlying I/O stream should
-be closed when the BIO is freed.
-
-BIO_get_close() returns the BIOs close flag.
-
-BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending()
-return the number of pending characters in the BIOs read and write buffers.
-Not all BIOs support these calls. BIO_ctrl_pending() and BIO_ctrl_wpending()
-return a size_t type and are functions, BIO_pending() and BIO_wpending() are
-macros which call BIO_ctrl().
-
-=head1 RETURN VALUES
-
-BIO_reset() normally returns 1 for success and 0 or -1 for failure. File
-BIOs are an exception, they return 0 for success and -1 for failure.
-
-BIO_seek() and BIO_tell() both return the current file position on success
-and -1 for failure, except file BIOs which for BIO_seek() always return 0
-for success and -1 for failure.
-
-BIO_flush() returns 1 for success and 0 or -1 for failure.
-
-BIO_eof() returns 1 if EOF has been reached 0 otherwise.
-
-BIO_set_close() always returns 1.
-
-BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE.
-
-BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending()
-return the amount of pending data.
-
-=head1 NOTES
-
-BIO_flush(), because it can write data may return 0 or -1 indicating
-that the call should be retried later in a similar manner to BIO_write().
-The BIO_should_retry() call should be used and appropriate action taken
-is the call fails.
-
-The return values of BIO_pending() and BIO_wpending() may not reliably
-determine the amount of pending data in all cases. For example in the
-case of a file BIO some data may be available in the FILE structures
-internal buffers but it is not possible to determine this in a
-portably way. For other types of BIO they may not be supported.
-
-Filter BIOs if they do not internally handle a particular BIO_ctrl()
-operation usually pass the operation to the next BIO in the chain.
-This often means there is no need to locate the required BIO for
-a particular operation, it can be called on a chain and it will
-be automatically passed to the relevant BIO. However this can cause
-unexpected results: for example no current filter BIOs implement
-BIO_seek(), but this may still succeed if the chain ends in a FILE
-or file descriptor BIO.
-
-Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl()
-operation.
-
-=head1 BUGS
-
-Some of the return values are ambiguous and care should be taken. In
-particular a return value of 0 can be returned if an operation is not
-supported, if an error occurred, if EOF has not been reached and in
-the case of BIO_seek() on a file BIO for a successful operation.
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_f_base64.pod b/doc/crypto/BIO_f_base64.pod
deleted file mode 100644
index d1d7bf0bd066..000000000000
--- a/doc/crypto/BIO_f_base64.pod
+++ /dev/null
@@ -1,82 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_f_base64 - base64 BIO filter
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
- #include <openssl/evp.h>
-
- BIO_METHOD * BIO_f_base64(void);
-
-=head1 DESCRIPTION
-
-BIO_f_base64() returns the base64 BIO method. This is a filter
-BIO that base64 encodes any data written through it and decodes
-any data read through it.
-
-Base64 BIOs do not support BIO_gets() or BIO_puts().
-
-BIO_flush() on a base64 BIO that is being written through is
-used to signal that no more data is to be encoded: this is used
-to flush the final block through the BIO.
-
-The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags()
-to encode the data all on one line or expect the data to be all
-on one line.
-
-=head1 NOTES
-
-Because of the format of base64 encoding the end of the encoded
-block cannot always be reliably determined.
-
-=head1 RETURN VALUES
-
-BIO_f_base64() returns the base64 BIO method.
-
-=head1 EXAMPLES
-
-Base64 encode the string "Hello World\n" and write the result
-to standard output:
-
- BIO *bio, *b64;
- char message[] = "Hello World \n";
-
- b64 = BIO_new(BIO_f_base64());
- bio = BIO_new_fp(stdout, BIO_NOCLOSE);
- BIO_push(b64, bio);
- BIO_write(b64, message, strlen(message));
- BIO_flush(b64);
-
- BIO_free_all(b64);
-
-Read Base64 encoded data from standard input and write the decoded
-data to standard output:
-
- BIO *bio, *b64, *bio_out;
- char inbuf[512];
- int inlen;
-
- b64 = BIO_new(BIO_f_base64());
- bio = BIO_new_fp(stdin, BIO_NOCLOSE);
- bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
- BIO_push(b64, bio);
- while((inlen = BIO_read(b64, inbuf, 512)) > 0)
- BIO_write(bio_out, inbuf, inlen);
-
- BIO_flush(bio_out);
- BIO_free_all(b64);
-
-=head1 BUGS
-
-The ambiguity of EOF in base64 encoded data can cause additional
-data following the base64 encoded block to be misinterpreted.
-
-There should be some way of specifying a test that the BIO can perform
-to reliably determine EOF (for example a MIME boundary).
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_f_buffer.pod b/doc/crypto/BIO_f_buffer.pod
deleted file mode 100644
index c0dccf1abe31..000000000000
--- a/doc/crypto/BIO_f_buffer.pod
+++ /dev/null
@@ -1,74 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_f_buffer - buffering BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD * BIO_f_buffer(void);
-
- #define BIO_get_buffer_num_lines(b) BIO_ctrl(b,BIO_C_GET_BUFF_NUM_LINES,0,NULL)
- #define BIO_set_read_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,0)
- #define BIO_set_write_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,1)
- #define BIO_set_buffer_size(b,size) BIO_ctrl(b,BIO_C_SET_BUFF_SIZE,size,NULL)
- #define BIO_set_buffer_read_data(b,buf,num) BIO_ctrl(b,BIO_C_SET_BUFF_READ_DATA,num,buf)
-
-=head1 DESCRIPTION
-
-BIO_f_buffer() returns the buffering BIO method.
-
-Data written to a buffering BIO is buffered and periodically written
-to the next BIO in the chain. Data read from a buffering BIO comes from
-an internal buffer which is filled from the next BIO in the chain.
-Both BIO_gets() and BIO_puts() are supported.
-
-Calling BIO_reset() on a buffering BIO clears any buffered data.
-
-BIO_get_buffer_num_lines() returns the number of lines currently buffered.
-
-BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size()
-set the read, write or both read and write buffer sizes to B<size>. The initial
-buffer size is DEFAULT_BUFFER_SIZE, currently 4096. Any attempt to reduce the
-buffer size below DEFAULT_BUFFER_SIZE is ignored. Any buffered data is cleared
-when the buffer is resized.
-
-BIO_set_buffer_read_data() clears the read buffer and fills it with B<num>
-bytes of B<buf>. If B<num> is larger than the current buffer size the buffer
-is expanded.
-
-=head1 NOTES
-
-Buffering BIOs implement BIO_gets() by using BIO_read() operations on the
-next BIO in the chain. By prepending a buffering BIO to a chain it is therefore
-possible to provide BIO_gets() functionality if the following BIOs do not
-support it (for example SSL BIOs).
-
-Data is only written to the next BIO in the chain when the write buffer fills
-or when BIO_flush() is called. It is therefore important to call BIO_flush()
-whenever any pending data should be written such as when removing a buffering
-BIO using BIO_pop(). BIO_flush() may need to be retried if the ultimate
-source/sink BIO is non blocking.
-
-=head1 RETURN VALUES
-
-BIO_f_buffer() returns the buffering BIO method.
-
-BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0).
-
-BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size()
-return 1 if the buffer was successfully resized or 0 for failure.
-
-BIO_set_buffer_read_data() returns 1 if the data was set correctly or 0 if
-there was an error.
-
-=head1 SEE ALSO
-
-L<BIO(3)|BIO(3)>,
-L<BIO_reset(3)|BIO_reset(3)>,
-L<BIO_flush(3)|BIO_flush(3)>,
-L<BIO_pop(3)|BIO_pop(3)>,
-L<BIO_ctrl(3)|BIO_ctrl(3)>,
-L<BIO_int_ctrl(3)|BIO_ctrl(3)>
diff --git a/doc/crypto/BIO_f_cipher.pod b/doc/crypto/BIO_f_cipher.pod
deleted file mode 100644
index 02439cea94a0..000000000000
--- a/doc/crypto/BIO_f_cipher.pod
+++ /dev/null
@@ -1,76 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx - cipher BIO filter
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
- #include <openssl/evp.h>
-
- BIO_METHOD * BIO_f_cipher(void);
- void BIO_set_cipher(BIO *b,const EVP_CIPHER *cipher,
- unsigned char *key, unsigned char *iv, int enc);
- int BIO_get_cipher_status(BIO *b)
- int BIO_get_cipher_ctx(BIO *b, EVP_CIPHER_CTX **pctx)
-
-=head1 DESCRIPTION
-
-BIO_f_cipher() returns the cipher BIO method. This is a filter
-BIO that encrypts any data written through it, and decrypts any data
-read from it. It is a BIO wrapper for the cipher routines
-EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal().
-
-Cipher BIOs do not support BIO_gets() or BIO_puts().
-
-BIO_flush() on an encryption BIO that is being written through is
-used to signal that no more data is to be encrypted: this is used
-to flush and possibly pad the final block through the BIO.
-
-BIO_set_cipher() sets the cipher of BIO B<b> to B<cipher> using key B<key>
-and IV B<iv>. B<enc> should be set to 1 for encryption and zero for
-decryption.
-
-When reading from an encryption BIO the final block is automatically
-decrypted and checked when EOF is detected. BIO_get_cipher_status()
-is a BIO_ctrl() macro which can be called to determine whether the
-decryption operation was successful.
-
-BIO_get_cipher_ctx() is a BIO_ctrl() macro which retrieves the internal
-BIO cipher context. The retrieved context can be used in conjunction
-with the standard cipher routines to set it up. This is useful when
-BIO_set_cipher() is not flexible enough for the applications needs.
-
-=head1 NOTES
-
-When encrypting BIO_flush() B<must> be called to flush the final block
-through the BIO. If it is not then the final block will fail a subsequent
-decrypt.
-
-When decrypting an error on the final block is signalled by a zero
-return value from the read operation. A successful decrypt followed
-by EOF will also return zero for the final read. BIO_get_cipher_status()
-should be called to determine if the decrypt was successful.
-
-As always, if BIO_gets() or BIO_puts() support is needed then it can
-be achieved by preceding the cipher BIO with a buffering BIO.
-
-=head1 RETURN VALUES
-
-BIO_f_cipher() returns the cipher BIO method.
-
-BIO_set_cipher() does not return a value.
-
-BIO_get_cipher_status() returns 1 for a successful decrypt and 0
-for failure.
-
-BIO_get_cipher_ctx() currently always returns 1.
-
-=head1 EXAMPLES
-
-TBA
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_f_md.pod b/doc/crypto/BIO_f_md.pod
deleted file mode 100644
index 2cc41f89d2fd..000000000000
--- a/doc/crypto/BIO_f_md.pod
+++ /dev/null
@@ -1,144 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx - message digest BIO filter
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
- #include <openssl/evp.h>
-
- BIO_METHOD * BIO_f_md(void);
- int BIO_set_md(BIO *b,EVP_MD *md);
- int BIO_get_md(BIO *b,EVP_MD **mdp);
- int BIO_get_md_ctx(BIO *b,EVP_MD_CTX **mdcp);
-
-=head1 DESCRIPTION
-
-BIO_f_md() returns the message digest BIO method. This is a filter
-BIO that digests any data passed through it, it is a BIO wrapper
-for the digest routines EVP_DigestInit(), EVP_DigestUpdate()
-and EVP_DigestFinal().
-
-Any data written or read through a digest BIO using BIO_read() and
-BIO_write() is digested.
-
-BIO_gets(), if its B<size> parameter is large enough finishes the
-digest calculation and returns the digest value. BIO_puts() is
-not supported.
-
-BIO_reset() reinitialises a digest BIO.
-
-BIO_set_md() sets the message digest of BIO B<b> to B<md>: this
-must be called to initialize a digest BIO before any data is
-passed through it. It is a BIO_ctrl() macro.
-
-BIO_get_md() places the a pointer to the digest BIOs digest method
-in B<mdp>, it is a BIO_ctrl() macro.
-
-BIO_get_md_ctx() returns the digest BIOs context into B<mdcp>.
-
-=head1 NOTES
-
-The context returned by BIO_get_md_ctx() can be used in calls
-to EVP_DigestFinal() and also the signature routines EVP_SignFinal()
-and EVP_VerifyFinal().
-
-The context returned by BIO_get_md_ctx() is an internal context
-structure. Changes made to this context will affect the digest
-BIO itself and the context pointer will become invalid when the digest
-BIO is freed.
-
-After the digest has been retrieved from a digest BIO it must be
-reinitialized by calling BIO_reset(), or BIO_set_md() before any more
-data is passed through it.
-
-If an application needs to call BIO_gets() or BIO_puts() through
-a chain containing digest BIOs then this can be done by prepending
-a buffering BIO.
-
-Before OpenSSL 1.0.0 the call to BIO_get_md_ctx() would only work if the BIO
-had been initialized for example by calling BIO_set_md() ). In OpenSSL
-1.0.0 and later the context is always returned and the BIO is state is set
-to initialized. This allows applications to initialize the context externally
-if the standard calls such as BIO_set_md() are not sufficiently flexible.
-
-=head1 RETURN VALUES
-
-BIO_f_md() returns the digest BIO method.
-
-BIO_set_md(), BIO_get_md() and BIO_md_ctx() return 1 for success and
-0 for failure.
-
-=head1 EXAMPLES
-
-The following example creates a BIO chain containing an SHA1 and MD5
-digest BIO and passes the string "Hello World" through it. Error
-checking has been omitted for clarity.
-
- BIO *bio, *mdtmp;
- char message[] = "Hello World";
- bio = BIO_new(BIO_s_null());
- mdtmp = BIO_new(BIO_f_md());
- BIO_set_md(mdtmp, EVP_sha1());
- /* For BIO_push() we want to append the sink BIO and keep a note of
- * the start of the chain.
- */
- bio = BIO_push(mdtmp, bio);
- mdtmp = BIO_new(BIO_f_md());
- BIO_set_md(mdtmp, EVP_md5());
- bio = BIO_push(mdtmp, bio);
- /* Note: mdtmp can now be discarded */
- BIO_write(bio, message, strlen(message));
-
-The next example digests data by reading through a chain instead:
-
- BIO *bio, *mdtmp;
- char buf[1024];
- int rdlen;
- bio = BIO_new_file(file, "rb");
- mdtmp = BIO_new(BIO_f_md());
- BIO_set_md(mdtmp, EVP_sha1());
- bio = BIO_push(mdtmp, bio);
- mdtmp = BIO_new(BIO_f_md());
- BIO_set_md(mdtmp, EVP_md5());
- bio = BIO_push(mdtmp, bio);
- do {
- rdlen = BIO_read(bio, buf, sizeof(buf));
- /* Might want to do something with the data here */
- } while(rdlen > 0);
-
-This next example retrieves the message digests from a BIO chain and
-outputs them. This could be used with the examples above.
-
- BIO *mdtmp;
- unsigned char mdbuf[EVP_MAX_MD_SIZE];
- int mdlen;
- int i;
- mdtmp = bio; /* Assume bio has previously been set up */
- do {
- EVP_MD *md;
- mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD);
- if(!mdtmp) break;
- BIO_get_md(mdtmp, &md);
- printf("%s digest", OBJ_nid2sn(EVP_MD_type(md)));
- mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE);
- for(i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]);
- printf("\n");
- mdtmp = BIO_next(mdtmp);
- } while(mdtmp);
-
- BIO_free_all(bio);
-
-=head1 BUGS
-
-The lack of support for BIO_puts() and the non standard behaviour of
-BIO_gets() could be regarded as anomalous. It could be argued that BIO_gets()
-and BIO_puts() should be passed to the next BIO in the chain and digest
-the data passed through and that digests should be retrieved using a
-separate BIO_ctrl() call.
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_f_null.pod b/doc/crypto/BIO_f_null.pod
deleted file mode 100644
index b057c1840832..000000000000
--- a/doc/crypto/BIO_f_null.pod
+++ /dev/null
@@ -1,32 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_f_null - null filter
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD * BIO_f_null(void);
-
-=head1 DESCRIPTION
-
-BIO_f_null() returns the null filter BIO method. This is a filter BIO
-that does nothing.
-
-All requests to a null filter BIO are passed through to the next BIO in
-the chain: this means that a BIO chain containing a null filter BIO
-behaves just as though the BIO was not there.
-
-=head1 NOTES
-
-As may be apparent a null filter BIO is not particularly useful.
-
-=head1 RETURN VALUES
-
-BIO_f_null() returns the null filter BIO method.
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_f_ssl.pod b/doc/crypto/BIO_f_ssl.pod
deleted file mode 100644
index a9f23f1dd7de..000000000000
--- a/doc/crypto/BIO_f_ssl.pod
+++ /dev/null
@@ -1,322 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes,
-BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl,
-BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id,
-BIO_ssl_shutdown - SSL BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
- #include <openssl/ssl.h>
-
- BIO_METHOD *BIO_f_ssl(void);
-
- #define BIO_set_ssl(b,ssl,c) BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl)
- #define BIO_get_ssl(b,sslp) BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp)
- #define BIO_set_ssl_mode(b,client) BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL)
- #define BIO_set_ssl_renegotiate_bytes(b,num) \
- BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
- #define BIO_set_ssl_renegotiate_timeout(b,seconds) \
- BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
- #define BIO_get_num_renegotiates(b) \
- BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
-
- BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
- BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
- BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
- int BIO_ssl_copy_session_id(BIO *to,BIO *from);
- void BIO_ssl_shutdown(BIO *bio);
-
- #define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
-
-=head1 DESCRIPTION
-
-BIO_f_ssl() returns the SSL BIO method. This is a filter BIO which
-is a wrapper round the OpenSSL SSL routines adding a BIO "flavour" to
-SSL I/O.
-
-I/O performed on an SSL BIO communicates using the SSL protocol with
-the SSLs read and write BIOs. If an SSL connection is not established
-then an attempt is made to establish one on the first I/O call.
-
-If a BIO is appended to an SSL BIO using BIO_push() it is automatically
-used as the SSL BIOs read and write BIOs.
-
-Calling BIO_reset() on an SSL BIO closes down any current SSL connection
-by calling SSL_shutdown(). BIO_reset() is then sent to the next BIO in
-the chain: this will typically disconnect the underlying transport.
-The SSL BIO is then reset to the initial accept or connect state.
-
-If the close flag is set when an SSL BIO is freed then the internal
-SSL structure is also freed using SSL_free().
-
-BIO_set_ssl() sets the internal SSL pointer of BIO B<b> to B<ssl> using
-the close flag B<c>.
-
-BIO_get_ssl() retrieves the SSL pointer of BIO B<b>, it can then be
-manipulated using the standard SSL library functions.
-
-BIO_set_ssl_mode() sets the SSL BIO mode to B<client>. If B<client>
-is 1 client mode is set. If B<client> is 0 server mode is set.
-
-BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count
-to B<num>. When set after every B<num> bytes of I/O (read and write)
-the SSL session is automatically renegotiated. B<num> must be at
-least 512 bytes.
-
-BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout to
-B<seconds>. When the renegotiate timeout elapses the session is
-automatically renegotiated.
-
-BIO_get_num_renegotiates() returns the total number of session
-renegotiations due to I/O or timeout.
-
-BIO_new_ssl() allocates an SSL BIO using SSL_CTX B<ctx> and using
-client mode if B<client> is non zero.
-
-BIO_new_ssl_connect() creates a new BIO chain consisting of an
-SSL BIO (using B<ctx>) followed by a connect BIO.
-
-BIO_new_buffer_ssl_connect() creates a new BIO chain consisting
-of a buffering BIO, an SSL BIO (using B<ctx>) and a connect
-BIO.
-
-BIO_ssl_copy_session_id() copies an SSL session id between
-BIO chains B<from> and B<to>. It does this by locating the
-SSL BIOs in each chain and calling SSL_copy_session_id() on
-the internal SSL pointer.
-
-BIO_ssl_shutdown() closes down an SSL connection on BIO
-chain B<bio>. It does this by locating the SSL BIO in the
-chain and calling SSL_shutdown() on its internal SSL
-pointer.
-
-BIO_do_handshake() attempts to complete an SSL handshake on the
-supplied BIO and establish the SSL connection. It returns 1
-if the connection was established successfully. A zero or negative
-value is returned if the connection could not be established, the
-call BIO_should_retry() should be used for non blocking connect BIOs
-to determine if the call should be retried. If an SSL connection has
-already been established this call has no effect.
-
-=head1 NOTES
-
-SSL BIOs are exceptional in that if the underlying transport
-is non blocking they can still request a retry in exceptional
-circumstances. Specifically this will happen if a session
-renegotiation takes place during a BIO_read() operation, one
-case where this happens is when step up occurs.
-
-In OpenSSL 0.9.6 and later the SSL flag SSL_AUTO_RETRY can be
-set to disable this behaviour. That is when this flag is set
-an SSL BIO using a blocking transport will never request a
-retry.
-
-Since unknown BIO_ctrl() operations are sent through filter
-BIOs the servers name and port can be set using BIO_set_host()
-on the BIO returned by BIO_new_ssl_connect() without having
-to locate the connect BIO first.
-
-Applications do not have to call BIO_do_handshake() but may wish
-to do so to separate the handshake process from other I/O
-processing.
-
-=head1 RETURN VALUES
-
-TBA
-
-=head1 EXAMPLE
-
-This SSL/TLS client example, attempts to retrieve a page from an
-SSL/TLS web server. The I/O routines are identical to those of the
-unencrypted example in L<BIO_s_connect(3)|BIO_s_connect(3)>.
-
- BIO *sbio, *out;
- int len;
- char tmpbuf[1024];
- SSL_CTX *ctx;
- SSL *ssl;
-
- ERR_load_crypto_strings();
- ERR_load_SSL_strings();
- OpenSSL_add_all_algorithms();
-
- /* We would seed the PRNG here if the platform didn't
- * do it automatically
- */
-
- ctx = SSL_CTX_new(SSLv23_client_method());
-
- /* We'd normally set some stuff like the verify paths and
- * mode here because as things stand this will connect to
- * any server whose certificate is signed by any CA.
- */
-
- sbio = BIO_new_ssl_connect(ctx);
-
- BIO_get_ssl(sbio, &ssl);
-
- if(!ssl) {
- fprintf(stderr, "Can't locate SSL pointer\n");
- /* whatever ... */
- }
-
- /* Don't want any retries */
- SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
-
- /* We might want to do other things with ssl here */
-
- BIO_set_conn_hostname(sbio, "localhost:https");
-
- out = BIO_new_fp(stdout, BIO_NOCLOSE);
- if(BIO_do_connect(sbio) <= 0) {
- fprintf(stderr, "Error connecting to server\n");
- ERR_print_errors_fp(stderr);
- /* whatever ... */
- }
-
- if(BIO_do_handshake(sbio) <= 0) {
- fprintf(stderr, "Error establishing SSL connection\n");
- ERR_print_errors_fp(stderr);
- /* whatever ... */
- }
-
- /* Could examine ssl here to get connection info */
-
- BIO_puts(sbio, "GET / HTTP/1.0\n\n");
- for(;;) {
- len = BIO_read(sbio, tmpbuf, 1024);
- if(len <= 0) break;
- BIO_write(out, tmpbuf, len);
- }
- BIO_free_all(sbio);
- BIO_free(out);
-
-Here is a simple server example. It makes use of a buffering
-BIO to allow lines to be read from the SSL BIO using BIO_gets.
-It creates a pseudo web page containing the actual request from
-a client and also echoes the request to standard output.
-
- BIO *sbio, *bbio, *acpt, *out;
- int len;
- char tmpbuf[1024];
- SSL_CTX *ctx;
- SSL *ssl;
-
- ERR_load_crypto_strings();
- ERR_load_SSL_strings();
- OpenSSL_add_all_algorithms();
-
- /* Might seed PRNG here */
-
- ctx = SSL_CTX_new(SSLv23_server_method());
-
- if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM)
- || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM)
- || !SSL_CTX_check_private_key(ctx)) {
-
- fprintf(stderr, "Error setting up SSL_CTX\n");
- ERR_print_errors_fp(stderr);
- return 0;
- }
-
- /* Might do other things here like setting verify locations and
- * DH and/or RSA temporary key callbacks
- */
-
- /* New SSL BIO setup as server */
- sbio=BIO_new_ssl(ctx,0);
-
- BIO_get_ssl(sbio, &ssl);
-
- if(!ssl) {
- fprintf(stderr, "Can't locate SSL pointer\n");
- /* whatever ... */
- }
-
- /* Don't want any retries */
- SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
-
- /* Create the buffering BIO */
-
- bbio = BIO_new(BIO_f_buffer());
-
- /* Add to chain */
- sbio = BIO_push(bbio, sbio);
-
- acpt=BIO_new_accept("4433");
-
- /* By doing this when a new connection is established
- * we automatically have sbio inserted into it. The
- * BIO chain is now 'swallowed' by the accept BIO and
- * will be freed when the accept BIO is freed.
- */
-
- BIO_set_accept_bios(acpt,sbio);
-
- out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
- /* Setup accept BIO */
- if(BIO_do_accept(acpt) <= 0) {
- fprintf(stderr, "Error setting up accept BIO\n");
- ERR_print_errors_fp(stderr);
- return 0;
- }
-
- /* Now wait for incoming connection */
- if(BIO_do_accept(acpt) <= 0) {
- fprintf(stderr, "Error in connection\n");
- ERR_print_errors_fp(stderr);
- return 0;
- }
-
- /* We only want one connection so remove and free
- * accept BIO
- */
-
- sbio = BIO_pop(acpt);
-
- BIO_free_all(acpt);
-
- if(BIO_do_handshake(sbio) <= 0) {
- fprintf(stderr, "Error in SSL handshake\n");
- ERR_print_errors_fp(stderr);
- return 0;
- }
-
- BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n");
- BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n");
- BIO_puts(sbio, "--------------------------------------------------\r\n");
-
- for(;;) {
- len = BIO_gets(sbio, tmpbuf, 1024);
- if(len <= 0) break;
- BIO_write(sbio, tmpbuf, len);
- BIO_write(out, tmpbuf, len);
- /* Look for blank line signifying end of headers*/
- if((tmpbuf[0] == '\r') || (tmpbuf[0] == '\n')) break;
- }
-
- BIO_puts(sbio, "--------------------------------------------------\r\n");
- BIO_puts(sbio, "\r\n");
-
- /* Since there is a buffering BIO present we had better flush it */
- BIO_flush(sbio);
-
- BIO_free_all(sbio);
-
-=head1 BUGS
-
-In OpenSSL versions before 1.0.0 the BIO_pop() call was handled incorrectly,
-the I/O BIO reference count was incorrectly incremented (instead of
-decremented) and dissociated with the SSL BIO even if the SSL BIO was not
-explicitly being popped (e.g. a pop higher up the chain). Applications which
-included workarounds for this bug (e.g. freeing BIOs more than once) should
-be modified to handle this fix or they may free up an already freed BIO.
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_find_type.pod b/doc/crypto/BIO_find_type.pod
deleted file mode 100644
index 259520032756..000000000000
--- a/doc/crypto/BIO_find_type.pod
+++ /dev/null
@@ -1,98 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_find_type, BIO_next, BIO_method_type - BIO chain traversal
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO * BIO_find_type(BIO *b,int bio_type);
- BIO * BIO_next(BIO *b);
-
- #define BIO_method_type(b) ((b)->method->type)
-
- #define BIO_TYPE_NONE 0
- #define BIO_TYPE_MEM (1|0x0400)
- #define BIO_TYPE_FILE (2|0x0400)
-
- #define BIO_TYPE_FD (4|0x0400|0x0100)
- #define BIO_TYPE_SOCKET (5|0x0400|0x0100)
- #define BIO_TYPE_NULL (6|0x0400)
- #define BIO_TYPE_SSL (7|0x0200)
- #define BIO_TYPE_MD (8|0x0200)
- #define BIO_TYPE_BUFFER (9|0x0200)
- #define BIO_TYPE_CIPHER (10|0x0200)
- #define BIO_TYPE_BASE64 (11|0x0200)
- #define BIO_TYPE_CONNECT (12|0x0400|0x0100)
- #define BIO_TYPE_ACCEPT (13|0x0400|0x0100)
- #define BIO_TYPE_PROXY_CLIENT (14|0x0200)
- #define BIO_TYPE_PROXY_SERVER (15|0x0200)
- #define BIO_TYPE_NBIO_TEST (16|0x0200)
- #define BIO_TYPE_NULL_FILTER (17|0x0200)
- #define BIO_TYPE_BER (18|0x0200)
- #define BIO_TYPE_BIO (19|0x0400)
-
- #define BIO_TYPE_DESCRIPTOR 0x0100
- #define BIO_TYPE_FILTER 0x0200
- #define BIO_TYPE_SOURCE_SINK 0x0400
-
-=head1 DESCRIPTION
-
-The BIO_find_type() searches for a BIO of a given type in a chain, starting
-at BIO B<b>. If B<type> is a specific type (such as BIO_TYPE_MEM) then a search
-is made for a BIO of that type. If B<type> is a general type (such as
-B<BIO_TYPE_SOURCE_SINK>) then the next matching BIO of the given general type is
-searched for. BIO_find_type() returns the next matching BIO or NULL if none is
-found.
-
-Note: not all the B<BIO_TYPE_*> types above have corresponding BIO implementations.
-
-BIO_next() returns the next BIO in a chain. It can be used to traverse all BIOs
-in a chain or used in conjunction with BIO_find_type() to find all BIOs of a
-certain type.
-
-BIO_method_type() returns the type of a BIO.
-
-=head1 RETURN VALUES
-
-BIO_find_type() returns a matching BIO or NULL for no match.
-
-BIO_next() returns the next BIO in a chain.
-
-BIO_method_type() returns the type of the BIO B<b>.
-
-=head1 NOTES
-
-BIO_next() was added to OpenSSL 0.9.6 to provide a 'clean' way to traverse a BIO
-chain or find multiple matches using BIO_find_type(). Previous versions had to
-use:
-
- next = bio->next_bio;
-
-=head1 BUGS
-
-BIO_find_type() in OpenSSL 0.9.5a and earlier could not be safely passed a
-NULL pointer for the B<b> argument.
-
-=head1 EXAMPLE
-
-Traverse a chain looking for digest BIOs:
-
- BIO *btmp;
- btmp = in_bio; /* in_bio is chain to search through */
-
- do {
- btmp = BIO_find_type(btmp, BIO_TYPE_MD);
- if(btmp == NULL) break; /* Not found */
- /* btmp is a digest BIO, do something with it ...*/
- ...
-
- btmp = BIO_next(btmp);
- } while(btmp);
-
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_new.pod b/doc/crypto/BIO_new.pod
deleted file mode 100644
index 2a245fc8de83..000000000000
--- a/doc/crypto/BIO_new.pod
+++ /dev/null
@@ -1,65 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_new, BIO_set, BIO_free, BIO_vfree, BIO_free_all - BIO allocation and freeing functions
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO * BIO_new(BIO_METHOD *type);
- int BIO_set(BIO *a,BIO_METHOD *type);
- int BIO_free(BIO *a);
- void BIO_vfree(BIO *a);
- void BIO_free_all(BIO *a);
-
-=head1 DESCRIPTION
-
-The BIO_new() function returns a new BIO using method B<type>.
-
-BIO_set() sets the method of an already existing BIO.
-
-BIO_free() frees up a single BIO, BIO_vfree() also frees up a single BIO
-but it does not return a value. Calling BIO_free() may also have some effect
-on the underlying I/O structure, for example it may close the file being
-referred to under certain circumstances. For more details see the individual
-BIO_METHOD descriptions.
-
-BIO_free_all() frees up an entire BIO chain, it does not halt if an error
-occurs freeing up an individual BIO in the chain.
-
-=head1 RETURN VALUES
-
-BIO_new() returns a newly created BIO or NULL if the call fails.
-
-BIO_set(), BIO_free() return 1 for success and 0 for failure.
-
-BIO_free_all() and BIO_vfree() do not return values.
-
-=head1 NOTES
-
-Some BIOs (such as memory BIOs) can be used immediately after calling
-BIO_new(). Others (such as file BIOs) need some additional initialization,
-and frequently a utility function exists to create and initialize such BIOs.
-
-If BIO_free() is called on a BIO chain it will only free one BIO resulting
-in a memory leak.
-
-Calling BIO_free_all() a single BIO has the same effect as calling BIO_free()
-on it other than the discarded return value.
-
-Normally the B<type> argument is supplied by a function which returns a
-pointer to a BIO_METHOD. There is a naming convention for such functions:
-a source/sink BIO is normally called BIO_s_*() and a filter BIO
-BIO_f_*();
-
-=head1 EXAMPLE
-
-Create a memory BIO:
-
- BIO *mem = BIO_new(BIO_s_mem());
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_new_CMS.pod b/doc/crypto/BIO_new_CMS.pod
deleted file mode 100644
index 9e3a4b7f89e1..000000000000
--- a/doc/crypto/BIO_new_CMS.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-
-=head1 NAME
-
- BIO_new_CMS - CMS streaming filter BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- BIO *BIO_new_CMS(BIO *out, CMS_ContentInfo *cms);
-
-=head1 DESCRIPTION
-
-BIO_new_CMS() returns a streaming filter BIO chain based on B<cms>. The output
-of the filter is written to B<out>. Any data written to the chain is
-automatically translated to a BER format CMS structure of the appropriate type.
-
-=head1 NOTES
-
-The chain returned by this function behaves like a standard filter BIO. It
-supports non blocking I/O. Content is processed and streamed on the fly and not
-all held in memory at once: so it is possible to encode very large structures.
-After all content has been written through the chain BIO_flush() must be called
-to finalise the structure.
-
-The B<CMS_STREAM> flag must be included in the corresponding B<flags>
-parameter of the B<cms> creation function.
-
-If an application wishes to write additional data to B<out> BIOs should be
-removed from the chain using BIO_pop() and freed with BIO_free() until B<out>
-is reached. If no additional data needs to be written BIO_free_all() can be
-called to free up the whole chain.
-
-Any content written through the filter is used verbatim: no canonical
-translation is performed.
-
-It is possible to chain multiple BIOs to, for example, create a triple wrapped
-signed, enveloped, signed structure. In this case it is the applications
-responsibility to set the inner content type of any outer CMS_ContentInfo
-structures.
-
-Large numbers of small writes through the chain should be avoided as this will
-produce an output consisting of lots of OCTET STRING structures. Prepending
-a BIO_f_buffer() buffering BIO will prevent this.
-
-=head1 BUGS
-
-There is currently no corresponding inverse BIO: i.e. one which can decode
-a CMS structure on the fly.
-
-=head1 RETURN VALUES
-
-BIO_new_CMS() returns a BIO chain when successful or NULL if an error
-occurred. The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_encrypt(3)|CMS_encrypt(3)>
-
-=head1 HISTORY
-
-BIO_new_CMS() was added to OpenSSL 1.0.0
-
-=cut
diff --git a/doc/crypto/BIO_push.pod b/doc/crypto/BIO_push.pod
deleted file mode 100644
index 8a2657cd588c..000000000000
--- a/doc/crypto/BIO_push.pod
+++ /dev/null
@@ -1,69 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_push, BIO_pop - add and remove BIOs from a chain.
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO * BIO_push(BIO *b,BIO *append);
- BIO * BIO_pop(BIO *b);
-
-=head1 DESCRIPTION
-
-The BIO_push() function appends the BIO B<append> to B<b>, it returns
-B<b>.
-
-BIO_pop() removes the BIO B<b> from a chain and returns the next BIO
-in the chain, or NULL if there is no next BIO. The removed BIO then
-becomes a single BIO with no association with the original chain,
-it can thus be freed or attached to a different chain.
-
-=head1 NOTES
-
-The names of these functions are perhaps a little misleading. BIO_push()
-joins two BIO chains whereas BIO_pop() deletes a single BIO from a chain,
-the deleted BIO does not need to be at the end of a chain.
-
-The process of calling BIO_push() and BIO_pop() on a BIO may have additional
-consequences (a control call is made to the affected BIOs) any effects will
-be noted in the descriptions of individual BIOs.
-
-=head1 EXAMPLES
-
-For these examples suppose B<md1> and B<md2> are digest BIOs, B<b64> is
-a base64 BIO and B<f> is a file BIO.
-
-If the call:
-
- BIO_push(b64, f);
-
-is made then the new chain will be B<b64-f>. After making the calls
-
- BIO_push(md2, b64);
- BIO_push(md1, md2);
-
-the new chain is B<md1-md2-b64-f>. Data written to B<md1> will be digested
-by B<md1> and B<md2>, B<base64> encoded and written to B<f>.
-
-It should be noted that reading causes data to pass in the reverse
-direction, that is data is read from B<f>, base64 B<decoded> and digested
-by B<md1> and B<md2>. If the call:
-
- BIO_pop(md2);
-
-The call will return B<b64> and the new chain will be B<md1-b64-f> data can
-be written to B<md1> as before.
-
-=head1 RETURN VALUES
-
-BIO_push() returns the end of the chain, B<b>.
-
-BIO_pop() returns the next BIO in the chain, or NULL if there is no next
-BIO.
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_read.pod b/doc/crypto/BIO_read.pod
deleted file mode 100644
index 2c177f0b6d86..000000000000
--- a/doc/crypto/BIO_read.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_read, BIO_write, BIO_gets, BIO_puts - BIO I/O functions
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- int BIO_read(BIO *b, void *buf, int len);
- int BIO_gets(BIO *b, char *buf, int size);
- int BIO_write(BIO *b, const void *buf, int len);
- int BIO_puts(BIO *b, const char *buf);
-
-=head1 DESCRIPTION
-
-BIO_read() attempts to read B<len> bytes from BIO B<b> and places
-the data in B<buf>.
-
-BIO_gets() performs the BIOs "gets" operation and places the data
-in B<buf>. Usually this operation will attempt to read a line of data
-from the BIO of maximum length B<len>. There are exceptions to this
-however, for example BIO_gets() on a digest BIO will calculate and
-return the digest and other BIOs may not support BIO_gets() at all.
-
-BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
-
-BIO_puts() attempts to write a null terminated string B<buf> to BIO B<b>.
-
-=head1 RETURN VALUES
-
-All these functions return either the amount of data successfully read or
-written (if the return value is positive) or that no data was successfully
-read or written if the result is 0 or -1. If the return value is -2 then
-the operation is not implemented in the specific BIO type.
-
-=head1 NOTES
-
-A 0 or -1 return is not necessarily an indication of an error. In
-particular when the source/sink is non-blocking or of a certain type
-it may merely be an indication that no data is currently available and that
-the application should retry the operation later.
-
-One technique sometimes used with blocking sockets is to use a system call
-(such as select(), poll() or equivalent) to determine when data is available
-and then call read() to read the data. The equivalent with BIOs (that is call
-select() on the underlying I/O structure and then call BIO_read() to
-read the data) should B<not> be used because a single call to BIO_read()
-can cause several reads (and writes in the case of SSL BIOs) on the underlying
-I/O structure and may block as a result. Instead select() (or equivalent)
-should be combined with non blocking I/O so successive reads will request
-a retry instead of blocking.
-
-See L<BIO_should_retry(3)|BIO_should_retry(3)> for details of how to
-determine the cause of a retry and other I/O issues.
-
-If the BIO_gets() function is not supported by a BIO then it possible to
-work around this by adding a buffering BIO L<BIO_f_buffer(3)|BIO_f_buffer(3)>
-to the chain.
-
-=head1 SEE ALSO
-
-L<BIO_should_retry(3)|BIO_should_retry(3)>
-
-TBA
diff --git a/doc/crypto/BIO_s_accept.pod b/doc/crypto/BIO_s_accept.pod
deleted file mode 100644
index 560c1128efe0..000000000000
--- a/doc/crypto/BIO_s_accept.pod
+++ /dev/null
@@ -1,195 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_s_accept, BIO_set_accept_port, BIO_get_accept_port, BIO_new_accept,
-BIO_set_nbio_accept, BIO_set_accept_bios, BIO_set_bind_mode,
-BIO_get_bind_mode, BIO_do_accept - accept BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD *BIO_s_accept(void);
-
- long BIO_set_accept_port(BIO *b, char *name);
- char *BIO_get_accept_port(BIO *b);
-
- BIO *BIO_new_accept(char *host_port);
-
- long BIO_set_nbio_accept(BIO *b, int n);
- long BIO_set_accept_bios(BIO *b, char *bio);
-
- long BIO_set_bind_mode(BIO *b, long mode);
- long BIO_get_bind_mode(BIO *b, long dummy);
-
- #define BIO_BIND_NORMAL 0
- #define BIO_BIND_REUSEADDR_IF_UNUSED 1
- #define BIO_BIND_REUSEADDR 2
-
- int BIO_do_accept(BIO *b);
-
-=head1 DESCRIPTION
-
-BIO_s_accept() returns the accept BIO method. This is a wrapper
-round the platform's TCP/IP socket accept routines.
-
-Using accept BIOs, TCP/IP connections can be accepted and data
-transferred using only BIO routines. In this way any platform
-specific operations are hidden by the BIO abstraction.
-
-Read and write operations on an accept BIO will perform I/O
-on the underlying connection. If no connection is established
-and the port (see below) is set up properly then the BIO
-waits for an incoming connection.
-
-Accept BIOs support BIO_puts() but not BIO_gets().
-
-If the close flag is set on an accept BIO then any active
-connection on that chain is shutdown and the socket closed when
-the BIO is freed.
-
-Calling BIO_reset() on a accept BIO will close any active
-connection and reset the BIO into a state where it awaits another
-incoming connection.
-
-BIO_get_fd() and BIO_set_fd() can be called to retrieve or set
-the accept socket. See L<BIO_s_fd(3)|BIO_s_fd(3)>
-
-BIO_set_accept_port() uses the string B<name> to set the accept
-port. The port is represented as a string of the form "host:port",
-where "host" is the interface to use and "port" is the port.
-The host can be can be "*" which is interpreted as meaning
-any interface; "port" has the same syntax
-as the port specified in BIO_set_conn_port() for connect BIOs,
-that is it can be a numerical port string or a string to lookup
-using getservbyname() and a string table.
-
-BIO_new_accept() combines BIO_new() and BIO_set_accept_port() into
-a single call: that is it creates a new accept BIO with port
-B<host_port>.
-
-BIO_set_nbio_accept() sets the accept socket to blocking mode
-(the default) if B<n> is 0 or non blocking mode if B<n> is 1.
-
-BIO_set_accept_bios() can be used to set a chain of BIOs which
-will be duplicated and prepended to the chain when an incoming
-connection is received. This is useful if, for example, a
-buffering or SSL BIO is required for each connection. The
-chain of BIOs must not be freed after this call, they will
-be automatically freed when the accept BIO is freed.
-
-BIO_set_bind_mode() and BIO_get_bind_mode() set and retrieve
-the current bind mode. If BIO_BIND_NORMAL (the default) is set
-then another socket cannot be bound to the same port. If
-BIO_BIND_REUSEADDR is set then other sockets can bind to the
-same port. If BIO_BIND_REUSEADDR_IF_UNUSED is set then and
-attempt is first made to use BIO_BIN_NORMAL, if this fails
-and the port is not in use then a second attempt is made
-using BIO_BIND_REUSEADDR.
-
-BIO_do_accept() serves two functions. When it is first
-called, after the accept BIO has been setup, it will attempt
-to create the accept socket and bind an address to it. Second
-and subsequent calls to BIO_do_accept() will await an incoming
-connection, or request a retry in non blocking mode.
-
-=head1 NOTES
-
-When an accept BIO is at the end of a chain it will await an
-incoming connection before processing I/O calls. When an accept
-BIO is not at then end of a chain it passes I/O calls to the next
-BIO in the chain.
-
-When a connection is established a new socket BIO is created for
-the connection and appended to the chain. That is the chain is now
-accept->socket. This effectively means that attempting I/O on
-an initial accept socket will await an incoming connection then
-perform I/O on it.
-
-If any additional BIOs have been set using BIO_set_accept_bios()
-then they are placed between the socket and the accept BIO,
-that is the chain will be accept->otherbios->socket.
-
-If a server wishes to process multiple connections (as is normally
-the case) then the accept BIO must be made available for further
-incoming connections. This can be done by waiting for a connection and
-then calling:
-
- connection = BIO_pop(accept);
-
-After this call B<connection> will contain a BIO for the recently
-established connection and B<accept> will now be a single BIO
-again which can be used to await further incoming connections.
-If no further connections will be accepted the B<accept> can
-be freed using BIO_free().
-
-If only a single connection will be processed it is possible to
-perform I/O using the accept BIO itself. This is often undesirable
-however because the accept BIO will still accept additional incoming
-connections. This can be resolved by using BIO_pop() (see above)
-and freeing up the accept BIO after the initial connection.
-
-If the underlying accept socket is non-blocking and BIO_do_accept() is
-called to await an incoming connection it is possible for
-BIO_should_io_special() with the reason BIO_RR_ACCEPT. If this happens
-then it is an indication that an accept attempt would block: the application
-should take appropriate action to wait until the underlying socket has
-accepted a connection and retry the call.
-
-BIO_set_accept_port(), BIO_get_accept_port(), BIO_set_nbio_accept(),
-BIO_set_accept_bios(), BIO_set_bind_mode(), BIO_get_bind_mode() and
-BIO_do_accept() are macros.
-
-=head1 RETURN VALUES
-
-TBA
-
-=head1 EXAMPLE
-
-This example accepts two connections on port 4444, sends messages
-down each and finally closes both down.
-
- BIO *abio, *cbio, *cbio2;
- ERR_load_crypto_strings();
- abio = BIO_new_accept("4444");
-
- /* First call to BIO_accept() sets up accept BIO */
- if(BIO_do_accept(abio) <= 0) {
- fprintf(stderr, "Error setting up accept\n");
- ERR_print_errors_fp(stderr);
- exit(0);
- }
-
- /* Wait for incoming connection */
- if(BIO_do_accept(abio) <= 0) {
- fprintf(stderr, "Error accepting connection\n");
- ERR_print_errors_fp(stderr);
- exit(0);
- }
- fprintf(stderr, "Connection 1 established\n");
- /* Retrieve BIO for connection */
- cbio = BIO_pop(abio);
- BIO_puts(cbio, "Connection 1: Sending out Data on initial connection\n");
- fprintf(stderr, "Sent out data on connection 1\n");
- /* Wait for another connection */
- if(BIO_do_accept(abio) <= 0) {
- fprintf(stderr, "Error accepting connection\n");
- ERR_print_errors_fp(stderr);
- exit(0);
- }
- fprintf(stderr, "Connection 2 established\n");
- /* Close accept BIO to refuse further connections */
- cbio2 = BIO_pop(abio);
- BIO_free(abio);
- BIO_puts(cbio2, "Connection 2: Sending out Data on second\n");
- fprintf(stderr, "Sent out data on connection 2\n");
-
- BIO_puts(cbio, "Connection 1: Second connection established\n");
- /* Close the two established connections */
- BIO_free(cbio);
- BIO_free(cbio2);
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_s_bio.pod b/doc/crypto/BIO_s_bio.pod
deleted file mode 100644
index 9fe88b26b0af..000000000000
--- a/doc/crypto/BIO_s_bio.pod
+++ /dev/null
@@ -1,185 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr,
-BIO_set_write_buf_size, BIO_get_write_buf_size, BIO_new_bio_pair,
-BIO_get_write_guarantee, BIO_ctrl_get_write_guarantee, BIO_get_read_request,
-BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request - BIO pair BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD *BIO_s_bio(void);
-
- #define BIO_make_bio_pair(b1,b2) (int)BIO_ctrl(b1,BIO_C_MAKE_BIO_PAIR,0,b2)
- #define BIO_destroy_bio_pair(b) (int)BIO_ctrl(b,BIO_C_DESTROY_BIO_PAIR,0,NULL)
-
- #define BIO_shutdown_wr(b) (int)BIO_ctrl(b, BIO_C_SHUTDOWN_WR, 0, NULL)
-
- #define BIO_set_write_buf_size(b,size) (int)BIO_ctrl(b,BIO_C_SET_WRITE_BUF_SIZE,size,NULL)
- #define BIO_get_write_buf_size(b,size) (size_t)BIO_ctrl(b,BIO_C_GET_WRITE_BUF_SIZE,size,NULL)
-
- int BIO_new_bio_pair(BIO **bio1, size_t writebuf1, BIO **bio2, size_t writebuf2);
-
- #define BIO_get_write_guarantee(b) (int)BIO_ctrl(b,BIO_C_GET_WRITE_GUARANTEE,0,NULL)
- size_t BIO_ctrl_get_write_guarantee(BIO *b);
-
- #define BIO_get_read_request(b) (int)BIO_ctrl(b,BIO_C_GET_READ_REQUEST,0,NULL)
- size_t BIO_ctrl_get_read_request(BIO *b);
-
- int BIO_ctrl_reset_read_request(BIO *b);
-
-=head1 DESCRIPTION
-
-BIO_s_bio() returns the method for a BIO pair. A BIO pair is a pair of source/sink
-BIOs where data written to either half of the pair is buffered and can be read from
-the other half. Both halves must usually by handled by the same application thread
-since no locking is done on the internal data structures.
-
-Since BIO chains typically end in a source/sink BIO it is possible to make this
-one half of a BIO pair and have all the data processed by the chain under application
-control.
-
-One typical use of BIO pairs is to place TLS/SSL I/O under application control, this
-can be used when the application wishes to use a non standard transport for
-TLS/SSL or the normal socket routines are inappropriate.
-
-Calls to BIO_read() will read data from the buffer or request a retry if no
-data is available.
-
-Calls to BIO_write() will place data in the buffer or request a retry if the
-buffer is full.
-
-The standard calls BIO_ctrl_pending() and BIO_ctrl_wpending() can be used to
-determine the amount of pending data in the read or write buffer.
-
-BIO_reset() clears any data in the write buffer.
-
-BIO_make_bio_pair() joins two separate BIOs into a connected pair.
-
-BIO_destroy_pair() destroys the association between two connected BIOs. Freeing
-up any half of the pair will automatically destroy the association.
-
-BIO_shutdown_wr() is used to close down a BIO B<b>. After this call no further
-writes on BIO B<b> are allowed (they will return an error). Reads on the other
-half of the pair will return any pending data or EOF when all pending data has
-been read.
-
-BIO_set_write_buf_size() sets the write buffer size of BIO B<b> to B<size>.
-If the size is not initialized a default value is used. This is currently
-17K, sufficient for a maximum size TLS record.
-
-BIO_get_write_buf_size() returns the size of the write buffer.
-
-BIO_new_bio_pair() combines the calls to BIO_new(), BIO_make_bio_pair() and
-BIO_set_write_buf_size() to create a connected pair of BIOs B<bio1>, B<bio2>
-with write buffer sizes B<writebuf1> and B<writebuf2>. If either size is
-zero then the default size is used. BIO_new_bio_pair() does not check whether
-B<bio1> or B<bio2> do point to some other BIO, the values are overwritten,
-BIO_free() is not called.
-
-BIO_get_write_guarantee() and BIO_ctrl_get_write_guarantee() return the maximum
-length of data that can be currently written to the BIO. Writes larger than this
-value will return a value from BIO_write() less than the amount requested or if the
-buffer is full request a retry. BIO_ctrl_get_write_guarantee() is a function
-whereas BIO_get_write_guarantee() is a macro.
-
-BIO_get_read_request() and BIO_ctrl_get_read_request() return the
-amount of data requested, or the buffer size if it is less, if the
-last read attempt at the other half of the BIO pair failed due to an
-empty buffer. This can be used to determine how much data should be
-written to the BIO so the next read will succeed: this is most useful
-in TLS/SSL applications where the amount of data read is usually
-meaningful rather than just a buffer size. After a successful read
-this call will return zero. It also will return zero once new data
-has been written satisfying the read request or part of it.
-Note that BIO_get_read_request() never returns an amount larger
-than that returned by BIO_get_write_guarantee().
-
-BIO_ctrl_reset_read_request() can also be used to reset the value returned by
-BIO_get_read_request() to zero.
-
-=head1 NOTES
-
-Both halves of a BIO pair should be freed. That is even if one half is implicit
-freed due to a BIO_free_all() or SSL_free() call the other half needs to be freed.
-
-When used in bidirectional applications (such as TLS/SSL) care should be taken to
-flush any data in the write buffer. This can be done by calling BIO_pending()
-on the other half of the pair and, if any data is pending, reading it and sending
-it to the underlying transport. This must be done before any normal processing
-(such as calling select() ) due to a request and BIO_should_read() being true.
-
-To see why this is important consider a case where a request is sent using
-BIO_write() and a response read with BIO_read(), this can occur during an
-TLS/SSL handshake for example. BIO_write() will succeed and place data in the write
-buffer. BIO_read() will initially fail and BIO_should_read() will be true. If
-the application then waits for data to be available on the underlying transport
-before flushing the write buffer it will never succeed because the request was
-never sent!
-
-BIO_eof() is true if no data is in the peer BIO and the peer BIO has been
-shutdown.
-
-=head1 RETURN VALUES
-
-BIO_new_bio_pair() returns 1 on success, with the new BIOs available in
-B<bio1> and B<bio2>, or 0 on failure, with NULL pointers stored into the
-locations for B<bio1> and B<bio2>. Check the error stack for more information.
-
-[XXXXX: More return values need to be added here]
-
-=head1 EXAMPLE
-
-The BIO pair can be used to have full control over the network access of an
-application. The application can call select() on the socket as required
-without having to go through the SSL-interface.
-
- BIO *internal_bio, *network_bio;
- ...
- BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
- SSL_set_bio(ssl, internal_bio, internal_bio);
- SSL_operations();
- ...
-
- application | TLS-engine
- | |
- +----------> SSL_operations()
- | /\ ||
- | || \/
- | BIO-pair (internal_bio)
- +----------< BIO-pair (network_bio)
- | |
- socket |
-
- ...
- SSL_free(ssl); /* implicitly frees internal_bio */
- BIO_free(network_bio);
- ...
-
-As the BIO pair will only buffer the data and never directly access the
-connection, it behaves non-blocking and will return as soon as the write
-buffer is full or the read buffer is drained. Then the application has to
-flush the write buffer and/or fill the read buffer.
-
-Use the BIO_ctrl_pending(), to find out whether data is buffered in the BIO
-and must be transfered to the network. Use BIO_ctrl_get_read_request() to
-find out, how many bytes must be written into the buffer before the
-SSL_operation() can successfully be continued.
-
-=head1 WARNING
-
-As the data is buffered, SSL_operation() may return with a ERROR_SSL_WANT_READ
-condition, but there is still data in the write buffer. An application must
-not rely on the error value of SSL_operation() but must assure that the
-write buffer is always flushed first. Otherwise a deadlock may occur as
-the peer might be waiting for the data before being able to continue.
-
-=head1 SEE ALSO
-
-L<SSL_set_bio(3)|SSL_set_bio(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
-L<BIO_should_retry(3)|BIO_should_retry(3)>, L<BIO_read(3)|BIO_read(3)>
-
-=cut
diff --git a/doc/crypto/BIO_s_connect.pod b/doc/crypto/BIO_s_connect.pod
deleted file mode 100644
index 345a468a5d74..000000000000
--- a/doc/crypto/BIO_s_connect.pod
+++ /dev/null
@@ -1,192 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_s_connect, BIO_new_connect, BIO_set_conn_hostname, BIO_set_conn_port,
-BIO_set_conn_ip, BIO_set_conn_int_port, BIO_get_conn_hostname,
-BIO_get_conn_port, BIO_get_conn_ip, BIO_get_conn_int_port,
-BIO_set_nbio, BIO_do_connect - connect BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD * BIO_s_connect(void);
-
- BIO *BIO_new_connect(char *name);
-
- long BIO_set_conn_hostname(BIO *b, char *name);
- long BIO_set_conn_port(BIO *b, char *port);
- long BIO_set_conn_ip(BIO *b, char *ip);
- long BIO_set_conn_int_port(BIO *b, char *port);
- char *BIO_get_conn_hostname(BIO *b);
- char *BIO_get_conn_port(BIO *b);
- char *BIO_get_conn_ip(BIO *b);
- long BIO_get_conn_int_port(BIO *b);
-
- long BIO_set_nbio(BIO *b, long n);
-
- int BIO_do_connect(BIO *b);
-
-=head1 DESCRIPTION
-
-BIO_s_connect() returns the connect BIO method. This is a wrapper
-round the platform's TCP/IP socket connection routines.
-
-Using connect BIOs, TCP/IP connections can be made and data
-transferred using only BIO routines. In this way any platform
-specific operations are hidden by the BIO abstraction.
-
-Read and write operations on a connect BIO will perform I/O
-on the underlying connection. If no connection is established
-and the port and hostname (see below) is set up properly then
-a connection is established first.
-
-Connect BIOs support BIO_puts() but not BIO_gets().
-
-If the close flag is set on a connect BIO then any active
-connection is shutdown and the socket closed when the BIO
-is freed.
-
-Calling BIO_reset() on a connect BIO will close any active
-connection and reset the BIO into a state where it can connect
-to the same host again.
-
-BIO_get_fd() places the underlying socket in B<c> if it is not NULL,
-it also returns the socket . If B<c> is not NULL it should be of
-type (int *).
-
-BIO_set_conn_hostname() uses the string B<name> to set the hostname.
-The hostname can be an IP address. The hostname can also include the
-port in the form hostname:port . It is also acceptable to use the
-form "hostname/any/other/path" or "hostname:port/any/other/path".
-
-BIO_set_conn_port() sets the port to B<port>. B<port> can be the
-numerical form or a string such as "http". A string will be looked
-up first using getservbyname() on the host platform but if that
-fails a standard table of port names will be used. Currently the
-list is http, telnet, socks, https, ssl, ftp, gopher and wais.
-
-BIO_set_conn_ip() sets the IP address to B<ip> using binary form,
-that is four bytes specifying the IP address in big-endian form.
-
-BIO_set_conn_int_port() sets the port using B<port>. B<port> should
-be of type (int *).
-
-BIO_get_conn_hostname() returns the hostname of the connect BIO or
-NULL if the BIO is initialized but no hostname is set.
-This return value is an internal pointer which should not be modified.
-
-BIO_get_conn_port() returns the port as a string.
-
-BIO_get_conn_ip() returns the IP address in binary form.
-
-BIO_get_conn_int_port() returns the port as an int.
-
-BIO_set_nbio() sets the non blocking I/O flag to B<n>. If B<n> is
-zero then blocking I/O is set. If B<n> is 1 then non blocking I/O
-is set. Blocking I/O is the default. The call to BIO_set_nbio()
-should be made before the connection is established because
-non blocking I/O is set during the connect process.
-
-BIO_new_connect() combines BIO_new() and BIO_set_conn_hostname() into
-a single call: that is it creates a new connect BIO with B<name>.
-
-BIO_do_connect() attempts to connect the supplied BIO. It returns 1
-if the connection was established successfully. A zero or negative
-value is returned if the connection could not be established, the
-call BIO_should_retry() should be used for non blocking connect BIOs
-to determine if the call should be retried.
-
-=head1 NOTES
-
-If blocking I/O is set then a non positive return value from any
-I/O call is caused by an error condition, although a zero return
-will normally mean that the connection was closed.
-
-If the port name is supplied as part of the host name then this will
-override any value set with BIO_set_conn_port(). This may be undesirable
-if the application does not wish to allow connection to arbitrary
-ports. This can be avoided by checking for the presence of the ':'
-character in the passed hostname and either indicating an error or
-truncating the string at that point.
-
-The values returned by BIO_get_conn_hostname(), BIO_get_conn_port(),
-BIO_get_conn_ip() and BIO_get_conn_int_port() are updated when a
-connection attempt is made. Before any connection attempt the values
-returned are those set by the application itself.
-
-Applications do not have to call BIO_do_connect() but may wish to do
-so to separate the connection process from other I/O processing.
-
-If non blocking I/O is set then retries will be requested as appropriate.
-
-It addition to BIO_should_read() and BIO_should_write() it is also
-possible for BIO_should_io_special() to be true during the initial
-connection process with the reason BIO_RR_CONNECT. If this is returned
-then this is an indication that a connection attempt would block,
-the application should then take appropriate action to wait until
-the underlying socket has connected and retry the call.
-
-BIO_set_conn_hostname(), BIO_set_conn_port(), BIO_set_conn_ip(),
-BIO_set_conn_int_port(), BIO_get_conn_hostname(), BIO_get_conn_port(),
-BIO_get_conn_ip(), BIO_get_conn_int_port(), BIO_set_nbio() and
-BIO_do_connect() are macros.
-
-=head1 RETURN VALUES
-
-BIO_s_connect() returns the connect BIO method.
-
-BIO_get_fd() returns the socket or -1 if the BIO has not
-been initialized.
-
-BIO_set_conn_hostname(), BIO_set_conn_port(), BIO_set_conn_ip() and
-BIO_set_conn_int_port() always return 1.
-
-BIO_get_conn_hostname() returns the connected hostname or NULL is
-none was set.
-
-BIO_get_conn_port() returns a string representing the connected
-port or NULL if not set.
-
-BIO_get_conn_ip() returns a pointer to the connected IP address in
-binary form or all zeros if not set.
-
-BIO_get_conn_int_port() returns the connected port or 0 if none was
-set.
-
-BIO_set_nbio() always returns 1.
-
-BIO_do_connect() returns 1 if the connection was successfully
-established and 0 or -1 if the connection failed.
-
-=head1 EXAMPLE
-
-This is example connects to a webserver on the local host and attempts
-to retrieve a page and copy the result to standard output.
-
-
- BIO *cbio, *out;
- int len;
- char tmpbuf[1024];
- ERR_load_crypto_strings();
- cbio = BIO_new_connect("localhost:http");
- out = BIO_new_fp(stdout, BIO_NOCLOSE);
- if(BIO_do_connect(cbio) <= 0) {
- fprintf(stderr, "Error connecting to server\n");
- ERR_print_errors_fp(stderr);
- /* whatever ... */
- }
- BIO_puts(cbio, "GET / HTTP/1.0\n\n");
- for(;;) {
- len = BIO_read(cbio, tmpbuf, 1024);
- if(len <= 0) break;
- BIO_write(out, tmpbuf, len);
- }
- BIO_free(cbio);
- BIO_free(out);
-
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_s_fd.pod b/doc/crypto/BIO_s_fd.pod
deleted file mode 100644
index b1de1d101549..000000000000
--- a/doc/crypto/BIO_s_fd.pod
+++ /dev/null
@@ -1,89 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_s_fd, BIO_set_fd, BIO_get_fd, BIO_new_fd - file descriptor BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD * BIO_s_fd(void);
-
- #define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
- #define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)
-
- BIO *BIO_new_fd(int fd, int close_flag);
-
-=head1 DESCRIPTION
-
-BIO_s_fd() returns the file descriptor BIO method. This is a wrapper
-round the platforms file descriptor routines such as read() and write().
-
-BIO_read() and BIO_write() read or write the underlying descriptor.
-BIO_puts() is supported but BIO_gets() is not.
-
-If the close flag is set then then close() is called on the underlying
-file descriptor when the BIO is freed.
-
-BIO_reset() attempts to change the file pointer to the start of file
-using lseek(fd, 0, 0).
-
-BIO_seek() sets the file pointer to position B<ofs> from start of file
-using lseek(fd, ofs, 0).
-
-BIO_tell() returns the current file position by calling lseek(fd, 0, 1).
-
-BIO_set_fd() sets the file descriptor of BIO B<b> to B<fd> and the close
-flag to B<c>.
-
-BIO_get_fd() places the file descriptor in B<c> if it is not NULL, it also
-returns the file descriptor. If B<c> is not NULL it should be of type
-(int *).
-
-BIO_new_fd() returns a file descriptor BIO using B<fd> and B<close_flag>.
-
-=head1 NOTES
-
-The behaviour of BIO_read() and BIO_write() depends on the behavior of the
-platforms read() and write() calls on the descriptor. If the underlying
-file descriptor is in a non blocking mode then the BIO will behave in the
-manner described in the L<BIO_read(3)|BIO_read(3)> and L<BIO_should_retry(3)|BIO_should_retry(3)>
-manual pages.
-
-File descriptor BIOs should not be used for socket I/O. Use socket BIOs
-instead.
-
-=head1 RETURN VALUES
-
-BIO_s_fd() returns the file descriptor BIO method.
-
-BIO_reset() returns zero for success and -1 if an error occurred.
-BIO_seek() and BIO_tell() return the current file position or -1
-is an error occurred. These values reflect the underlying lseek()
-behaviour.
-
-BIO_set_fd() always returns 1.
-
-BIO_get_fd() returns the file descriptor or -1 if the BIO has not
-been initialized.
-
-BIO_new_fd() returns the newly allocated BIO or NULL is an error
-occurred.
-
-=head1 EXAMPLE
-
-This is a file descriptor BIO version of "Hello World":
-
- BIO *out;
- out = BIO_new_fd(fileno(stdout), BIO_NOCLOSE);
- BIO_printf(out, "Hello World\n");
- BIO_free(out);
-
-=head1 SEE ALSO
-
-L<BIO_seek(3)|BIO_seek(3)>, L<BIO_tell(3)|BIO_tell(3)>,
-L<BIO_reset(3)|BIO_reset(3)>, L<BIO_read(3)|BIO_read(3)>,
-L<BIO_write(3)|BIO_write(3)>, L<BIO_puts(3)|BIO_puts(3)>,
-L<BIO_gets(3)|BIO_gets(3)>, L<BIO_printf(3)|BIO_printf(3)>,
-L<BIO_set_close(3)|BIO_set_close(3)>, L<BIO_get_close(3)|BIO_get_close(3)>
diff --git a/doc/crypto/BIO_s_file.pod b/doc/crypto/BIO_s_file.pod
deleted file mode 100644
index 188aea347dae..000000000000
--- a/doc/crypto/BIO_s_file.pod
+++ /dev/null
@@ -1,148 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_s_file, BIO_new_file, BIO_new_fp, BIO_set_fp, BIO_get_fp,
-BIO_read_filename, BIO_write_filename, BIO_append_filename,
-BIO_rw_filename - FILE bio
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD * BIO_s_file(void);
- BIO *BIO_new_file(const char *filename, const char *mode);
- BIO *BIO_new_fp(FILE *stream, int flags);
-
- BIO_set_fp(BIO *b,FILE *fp, int flags);
- BIO_get_fp(BIO *b,FILE **fpp);
-
- int BIO_read_filename(BIO *b, char *name)
- int BIO_write_filename(BIO *b, char *name)
- int BIO_append_filename(BIO *b, char *name)
- int BIO_rw_filename(BIO *b, char *name)
-
-=head1 DESCRIPTION
-
-BIO_s_file() returns the BIO file method. As its name implies it
-is a wrapper round the stdio FILE structure and it is a
-source/sink BIO.
-
-Calls to BIO_read() and BIO_write() read and write data to the
-underlying stream. BIO_gets() and BIO_puts() are supported on file BIOs.
-
-BIO_flush() on a file BIO calls the fflush() function on the wrapped
-stream.
-
-BIO_reset() attempts to change the file pointer to the start of file
-using fseek(stream, 0, 0).
-
-BIO_seek() sets the file pointer to position B<ofs> from start of file
-using fseek(stream, ofs, 0).
-
-BIO_eof() calls feof().
-
-Setting the BIO_CLOSE flag calls fclose() on the stream when the BIO
-is freed.
-
-BIO_new_file() creates a new file BIO with mode B<mode> the meaning
-of B<mode> is the same as the stdio function fopen(). The BIO_CLOSE
-flag is set on the returned BIO.
-
-BIO_new_fp() creates a file BIO wrapping B<stream>. Flags can be:
-BIO_CLOSE, BIO_NOCLOSE (the close flag) BIO_FP_TEXT (sets the underlying
-stream to text mode, default is binary: this only has any effect under
-Win32).
-
-BIO_set_fp() set the fp of a file BIO to B<fp>. B<flags> has the same
-meaning as in BIO_new_fp(), it is a macro.
-
-BIO_get_fp() retrieves the fp of a file BIO, it is a macro.
-
-BIO_seek() is a macro that sets the position pointer to B<offset> bytes
-from the start of file.
-
-BIO_tell() returns the value of the position pointer.
-
-BIO_read_filename(), BIO_write_filename(), BIO_append_filename() and
-BIO_rw_filename() set the file BIO B<b> to use file B<name> for
-reading, writing, append or read write respectively.
-
-=head1 NOTES
-
-When wrapping stdout, stdin or stderr the underlying stream should not
-normally be closed so the BIO_NOCLOSE flag should be set.
-
-Because the file BIO calls the underlying stdio functions any quirks
-in stdio behaviour will be mirrored by the corresponding BIO.
-
-On Windows BIO_new_files reserves for the filename argument to be
-UTF-8 encoded. In other words if you have to make it work in multi-
-lingual environment, encode file names in UTF-8.
-
-=head1 EXAMPLES
-
-File BIO "hello world":
-
- BIO *bio_out;
- bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
- BIO_printf(bio_out, "Hello World\n");
-
-Alternative technique:
-
- BIO *bio_out;
- bio_out = BIO_new(BIO_s_file());
- if(bio_out == NULL) /* Error ... */
- if(!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) /* Error ... */
- BIO_printf(bio_out, "Hello World\n");
-
-Write to a file:
-
- BIO *out;
- out = BIO_new_file("filename.txt", "w");
- if(!out) /* Error occurred */
- BIO_printf(out, "Hello World\n");
- BIO_free(out);
-
-Alternative technique:
-
- BIO *out;
- out = BIO_new(BIO_s_file());
- if(out == NULL) /* Error ... */
- if(!BIO_write_filename(out, "filename.txt")) /* Error ... */
- BIO_printf(out, "Hello World\n");
- BIO_free(out);
-
-=head1 RETURN VALUES
-
-BIO_s_file() returns the file BIO method.
-
-BIO_new_file() and BIO_new_fp() return a file BIO or NULL if an error
-occurred.
-
-BIO_set_fp() and BIO_get_fp() return 1 for success or 0 for failure
-(although the current implementation never return 0).
-
-BIO_seek() returns the same value as the underlying fseek() function:
-0 for success or -1 for failure.
-
-BIO_tell() returns the current file position.
-
-BIO_read_filename(), BIO_write_filename(), BIO_append_filename() and
-BIO_rw_filename() return 1 for success or 0 for failure.
-
-=head1 BUGS
-
-BIO_reset() and BIO_seek() are implemented using fseek() on the underlying
-stream. The return value for fseek() is 0 for success or -1 if an error
-occurred this differs from other types of BIO which will typically return
-1 for success and a non positive value if an error occurred.
-
-=head1 SEE ALSO
-
-L<BIO_seek(3)|BIO_seek(3)>, L<BIO_tell(3)|BIO_tell(3)>,
-L<BIO_reset(3)|BIO_reset(3)>, L<BIO_flush(3)|BIO_flush(3)>,
-L<BIO_read(3)|BIO_read(3)>,
-L<BIO_write(3)|BIO_write(3)>, L<BIO_puts(3)|BIO_puts(3)>,
-L<BIO_gets(3)|BIO_gets(3)>, L<BIO_printf(3)|BIO_printf(3)>,
-L<BIO_set_close(3)|BIO_set_close(3)>, L<BIO_get_close(3)|BIO_get_close(3)>
diff --git a/doc/crypto/BIO_s_mem.pod b/doc/crypto/BIO_s_mem.pod
deleted file mode 100644
index 7663d8bf5ffd..000000000000
--- a/doc/crypto/BIO_s_mem.pod
+++ /dev/null
@@ -1,115 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_s_mem, BIO_set_mem_eof_return, BIO_get_mem_data, BIO_set_mem_buf,
-BIO_get_mem_ptr, BIO_new_mem_buf - memory BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD * BIO_s_mem(void);
-
- BIO_set_mem_eof_return(BIO *b,int v)
- long BIO_get_mem_data(BIO *b, char **pp)
- BIO_set_mem_buf(BIO *b,BUF_MEM *bm,int c)
- BIO_get_mem_ptr(BIO *b,BUF_MEM **pp)
-
- BIO *BIO_new_mem_buf(const void *buf, int len);
-
-=head1 DESCRIPTION
-
-BIO_s_mem() return the memory BIO method function.
-
-A memory BIO is a source/sink BIO which uses memory for its I/O. Data
-written to a memory BIO is stored in a BUF_MEM structure which is extended
-as appropriate to accommodate the stored data.
-
-Any data written to a memory BIO can be recalled by reading from it.
-Unless the memory BIO is read only any data read from it is deleted from
-the BIO.
-
-Memory BIOs support BIO_gets() and BIO_puts().
-
-If the BIO_CLOSE flag is set when a memory BIO is freed then the underlying
-BUF_MEM structure is also freed.
-
-Calling BIO_reset() on a read write memory BIO clears any data in it. On a
-read only BIO it restores the BIO to its original state and the read only
-data can be read again.
-
-BIO_eof() is true if no data is in the BIO.
-
-BIO_ctrl_pending() returns the number of bytes currently stored.
-
-BIO_set_mem_eof_return() sets the behaviour of memory BIO B<b> when it is
-empty. If the B<v> is zero then an empty memory BIO will return EOF (that is
-it will return zero and BIO_should_retry(b) will be false. If B<v> is non
-zero then it will return B<v> when it is empty and it will set the read retry
-flag (that is BIO_read_retry(b) is true). To avoid ambiguity with a normal
-positive return value B<v> should be set to a negative value, typically -1.
-
-BIO_get_mem_data() sets *B<pp> to a pointer to the start of the memory BIOs data
-and returns the total amount of data available. It is implemented as a macro.
-
-BIO_set_mem_buf() sets the internal BUF_MEM structure to B<bm> and sets the
-close flag to B<c>, that is B<c> should be either BIO_CLOSE or BIO_NOCLOSE.
-It is a macro.
-
-BIO_get_mem_ptr() places the underlying BUF_MEM structure in *B<pp>. It is
-a macro.
-
-BIO_new_mem_buf() creates a memory BIO using B<len> bytes of data at B<buf>,
-if B<len> is -1 then the B<buf> is assumed to be nul terminated and its
-length is determined by B<strlen>. The BIO is set to a read only state and
-as a result cannot be written to. This is useful when some data needs to be
-made available from a static area of memory in the form of a BIO. The
-supplied data is read directly from the supplied buffer: it is B<not> copied
-first, so the supplied area of memory must be unchanged until the BIO is freed.
-
-=head1 NOTES
-
-Writes to memory BIOs will always succeed if memory is available: that is
-their size can grow indefinitely.
-
-Every read from a read write memory BIO will remove the data just read with
-an internal copy operation, if a BIO contains a lot of data and it is
-read in small chunks the operation can be very slow. The use of a read only
-memory BIO avoids this problem. If the BIO must be read write then adding
-a buffering BIO to the chain will speed up the process.
-
-=head1 BUGS
-
-There should be an option to set the maximum size of a memory BIO.
-
-There should be a way to "rewind" a read write BIO without destroying
-its contents.
-
-The copying operation should not occur after every small read of a large BIO
-to improve efficiency.
-
-=head1 EXAMPLE
-
-Create a memory BIO and write some data to it:
-
- BIO *mem = BIO_new(BIO_s_mem());
- BIO_puts(mem, "Hello World\n");
-
-Create a read only memory BIO:
-
- char data[] = "Hello World";
- BIO *mem;
- mem = BIO_new_mem_buf(data, -1);
-
-Extract the BUF_MEM structure from a memory BIO and then free up the BIO:
-
- BUF_MEM *bptr;
- BIO_get_mem_ptr(mem, &bptr);
- BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */
- BIO_free(mem);
-
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_s_null.pod b/doc/crypto/BIO_s_null.pod
deleted file mode 100644
index e5514f723898..000000000000
--- a/doc/crypto/BIO_s_null.pod
+++ /dev/null
@@ -1,37 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_s_null - null data sink
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD * BIO_s_null(void);
-
-=head1 DESCRIPTION
-
-BIO_s_null() returns the null sink BIO method. Data written to
-the null sink is discarded, reads return EOF.
-
-=head1 NOTES
-
-A null sink BIO behaves in a similar manner to the Unix /dev/null
-device.
-
-A null bio can be placed on the end of a chain to discard any data
-passed through it.
-
-A null sink is useful if, for example, an application wishes to digest some
-data by writing through a digest bio but not send the digested data anywhere.
-Since a BIO chain must normally include a source/sink BIO this can be achieved
-by adding a null sink BIO to the end of the chain
-
-=head1 RETURN VALUES
-
-BIO_s_null() returns the null sink BIO method.
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_s_socket.pod b/doc/crypto/BIO_s_socket.pod
deleted file mode 100644
index 1c8d3a911027..000000000000
--- a/doc/crypto/BIO_s_socket.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_s_socket, BIO_new_socket - socket BIO
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- BIO_METHOD *BIO_s_socket(void);
-
- long BIO_set_fd(BIO *b, int fd, long close_flag);
- long BIO_get_fd(BIO *b, int *c);
-
- BIO *BIO_new_socket(int sock, int close_flag);
-
-=head1 DESCRIPTION
-
-BIO_s_socket() returns the socket BIO method. This is a wrapper
-round the platform's socket routines.
-
-BIO_read() and BIO_write() read or write the underlying socket.
-BIO_puts() is supported but BIO_gets() is not.
-
-If the close flag is set then the socket is shut down and closed
-when the BIO is freed.
-
-BIO_set_fd() sets the socket of BIO B<b> to B<fd> and the close
-flag to B<close_flag>.
-
-BIO_get_fd() places the socket in B<c> if it is not NULL, it also
-returns the socket. If B<c> is not NULL it should be of type (int *).
-
-BIO_new_socket() returns a socket BIO using B<sock> and B<close_flag>.
-
-=head1 NOTES
-
-Socket BIOs also support any relevant functionality of file descriptor
-BIOs.
-
-The reason for having separate file descriptor and socket BIOs is that on some
-platforms sockets are not file descriptors and use distinct I/O routines,
-Windows is one such platform. Any code mixing the two will not work on
-all platforms.
-
-BIO_set_fd() and BIO_get_fd() are macros.
-
-=head1 RETURN VALUES
-
-BIO_s_socket() returns the socket BIO method.
-
-BIO_set_fd() always returns 1.
-
-BIO_get_fd() returns the socket or -1 if the BIO has not been
-initialized.
-
-BIO_new_socket() returns the newly allocated BIO or NULL is an error
-occurred.
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_set_callback.pod b/doc/crypto/BIO_set_callback.pod
deleted file mode 100644
index 47595562457b..000000000000
--- a/doc/crypto/BIO_set_callback.pod
+++ /dev/null
@@ -1,108 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg,
-BIO_debug_callback - BIO callback functions
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- #define BIO_set_callback(b,cb) ((b)->callback=(cb))
- #define BIO_get_callback(b) ((b)->callback)
- #define BIO_set_callback_arg(b,arg) ((b)->cb_arg=(char *)(arg))
- #define BIO_get_callback_arg(b) ((b)->cb_arg)
-
- long BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi,
- long argl,long ret);
-
- typedef long (*callback)(BIO *b, int oper, const char *argp,
- int argi, long argl, long retvalue);
-
-=head1 DESCRIPTION
-
-BIO_set_callback() and BIO_get_callback() set and retrieve the BIO callback,
-they are both macros. The callback is called during most high level BIO
-operations. It can be used for debugging purposes to trace operations on
-a BIO or to modify its operation.
-
-BIO_set_callback_arg() and BIO_get_callback_arg() are macros which can be
-used to set and retrieve an argument for use in the callback.
-
-BIO_debug_callback() is a standard debugging callback which prints
-out information relating to each BIO operation. If the callback
-argument is set if is interpreted as a BIO to send the information
-to, otherwise stderr is used.
-
-callback() is the callback function itself. The meaning of each
-argument is described below.
-
-The BIO the callback is attached to is passed in B<b>.
-
-B<oper> is set to the operation being performed. For some operations
-the callback is called twice, once before and once after the actual
-operation, the latter case has B<oper> or'ed with BIO_CB_RETURN.
-
-The meaning of the arguments B<argp>, B<argi> and B<argl> depends on
-the value of B<oper>, that is the operation being performed.
-
-B<retvalue> is the return value that would be returned to the
-application if no callback were present. The actual value returned
-is the return value of the callback itself. In the case of callbacks
-called before the actual BIO operation 1 is placed in retvalue, if
-the return value is not positive it will be immediately returned to
-the application and the BIO operation will not be performed.
-
-The callback should normally simply return B<retvalue> when it has
-finished processing, unless if specifically wishes to modify the
-value returned to the application.
-
-=head1 CALLBACK OPERATIONS
-
-=over 4
-
-=item B<BIO_free(b)>
-
-callback(b, BIO_CB_FREE, NULL, 0L, 0L, 1L) is called before the
-free operation.
-
-=item B<BIO_read(b, out, outl)>
-
-callback(b, BIO_CB_READ, out, outl, 0L, 1L) is called before
-the read and callback(b, BIO_CB_READ|BIO_CB_RETURN, out, outl, 0L, retvalue)
-after.
-
-=item B<BIO_write(b, in, inl)>
-
-callback(b, BIO_CB_WRITE, in, inl, 0L, 1L) is called before
-the write and callback(b, BIO_CB_WRITE|BIO_CB_RETURN, in, inl, 0L, retvalue)
-after.
-
-=item B<BIO_gets(b, out, outl)>
-
-callback(b, BIO_CB_GETS, out, outl, 0L, 1L) is called before
-the operation and callback(b, BIO_CB_GETS|BIO_CB_RETURN, out, outl, 0L, retvalue)
-after.
-
-=item B<BIO_puts(b, in)>
-
-callback(b, BIO_CB_WRITE, in, 0, 0L, 1L) is called before
-the operation and callback(b, BIO_CB_WRITE|BIO_CB_RETURN, in, 0, 0L, retvalue)
-after.
-
-=item B<BIO_ctrl(BIO *b, int cmd, long larg, void *parg)>
-
-callback(b,BIO_CB_CTRL,parg,cmd,larg,1L) is called before the call and
-callback(b,BIO_CB_CTRL|BIO_CB_RETURN,parg,cmd, larg,ret) after.
-
-=back
-
-=head1 EXAMPLE
-
-The BIO_debug_callback() function is a good example, its source is
-in crypto/bio/bio_cb.c
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BIO_should_retry.pod b/doc/crypto/BIO_should_retry.pod
deleted file mode 100644
index b6d51f719d44..000000000000
--- a/doc/crypto/BIO_should_retry.pod
+++ /dev/null
@@ -1,114 +0,0 @@
-=pod
-
-=head1 NAME
-
-BIO_should_retry, BIO_should_read, BIO_should_write,
-BIO_should_io_special, BIO_retry_type, BIO_should_retry,
-BIO_get_retry_BIO, BIO_get_retry_reason - BIO retry functions
-
-=head1 SYNOPSIS
-
- #include <openssl/bio.h>
-
- #define BIO_should_read(a) ((a)->flags & BIO_FLAGS_READ)
- #define BIO_should_write(a) ((a)->flags & BIO_FLAGS_WRITE)
- #define BIO_should_io_special(a) ((a)->flags & BIO_FLAGS_IO_SPECIAL)
- #define BIO_retry_type(a) ((a)->flags & BIO_FLAGS_RWS)
- #define BIO_should_retry(a) ((a)->flags & BIO_FLAGS_SHOULD_RETRY)
-
- #define BIO_FLAGS_READ 0x01
- #define BIO_FLAGS_WRITE 0x02
- #define BIO_FLAGS_IO_SPECIAL 0x04
- #define BIO_FLAGS_RWS (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL)
- #define BIO_FLAGS_SHOULD_RETRY 0x08
-
- BIO * BIO_get_retry_BIO(BIO *bio, int *reason);
- int BIO_get_retry_reason(BIO *bio);
-
-=head1 DESCRIPTION
-
-These functions determine why a BIO is not able to read or write data.
-They will typically be called after a failed BIO_read() or BIO_write()
-call.
-
-BIO_should_retry() is true if the call that produced this condition
-should then be retried at a later time.
-
-If BIO_should_retry() is false then the cause is an error condition.
-
-BIO_should_read() is true if the cause of the condition is that a BIO
-needs to read data.
-
-BIO_should_write() is true if the cause of the condition is that a BIO
-needs to read data.
-
-BIO_should_io_special() is true if some "special" condition, that is a
-reason other than reading or writing is the cause of the condition.
-
-BIO_retry_type() returns a mask of the cause of a retry condition
-consisting of the values B<BIO_FLAGS_READ>, B<BIO_FLAGS_WRITE>,
-B<BIO_FLAGS_IO_SPECIAL> though current BIO types will only set one of
-these.
-
-BIO_get_retry_BIO() determines the precise reason for the special
-condition, it returns the BIO that caused this condition and if
-B<reason> is not NULL it contains the reason code. The meaning of
-the reason code and the action that should be taken depends on
-the type of BIO that resulted in this condition.
-
-BIO_get_retry_reason() returns the reason for a special condition if
-passed the relevant BIO, for example as returned by BIO_get_retry_BIO().
-
-=head1 NOTES
-
-If BIO_should_retry() returns false then the precise "error condition"
-depends on the BIO type that caused it and the return code of the BIO
-operation. For example if a call to BIO_read() on a socket BIO returns
-0 and BIO_should_retry() is false then the cause will be that the
-connection closed. A similar condition on a file BIO will mean that it
-has reached EOF. Some BIO types may place additional information on
-the error queue. For more details see the individual BIO type manual
-pages.
-
-If the underlying I/O structure is in a blocking mode almost all current
-BIO types will not request a retry, because the underlying I/O
-calls will not. If the application knows that the BIO type will never
-signal a retry then it need not call BIO_should_retry() after a failed
-BIO I/O call. This is typically done with file BIOs.
-
-SSL BIOs are the only current exception to this rule: they can request a
-retry even if the underlying I/O structure is blocking, if a handshake
-occurs during a call to BIO_read(). An application can retry the failed
-call immediately or avoid this situation by setting SSL_MODE_AUTO_RETRY
-on the underlying SSL structure.
-
-While an application may retry a failed non blocking call immediately
-this is likely to be very inefficient because the call will fail
-repeatedly until data can be processed or is available. An application
-will normally wait until the necessary condition is satisfied. How
-this is done depends on the underlying I/O structure.
-
-For example if the cause is ultimately a socket and BIO_should_read()
-is true then a call to select() may be made to wait until data is
-available and then retry the BIO operation. By combining the retry
-conditions of several non blocking BIOs in a single select() call
-it is possible to service several BIOs in a single thread, though
-the performance may be poor if SSL BIOs are present because long delays
-can occur during the initial handshake process.
-
-It is possible for a BIO to block indefinitely if the underlying I/O
-structure cannot process or return any data. This depends on the behaviour of
-the platforms I/O functions. This is often not desirable: one solution
-is to use non blocking I/O and use a timeout on the select() (or
-equivalent) call.
-
-=head1 BUGS
-
-The OpenSSL ASN1 functions cannot gracefully deal with non blocking I/O:
-that is they cannot retry after a partial read or write. This is usually
-worked around by only passing the relevant data to ASN1 functions when
-the entire structure can be read or written.
-
-=head1 SEE ALSO
-
-TBA
diff --git a/doc/crypto/BN_BLINDING_new.pod b/doc/crypto/BN_BLINDING_new.pod
deleted file mode 100644
index 06d7ea20a361..000000000000
--- a/doc/crypto/BN_BLINDING_new.pod
+++ /dev/null
@@ -1,115 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert,
-BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex,
-BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_thread_id, BN_BLINDING_get_flags,
-BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM
-functions.
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
- BIGNUM *mod);
- void BN_BLINDING_free(BN_BLINDING *b);
- int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
- int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
- int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
- int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
- BN_CTX *ctx);
- int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
- BN_CTX *ctx);
- #ifndef OPENSSL_NO_DEPRECATED
- unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
- void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
- #endif
- CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
- unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
- void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
- BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
- const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
- int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
- BN_MONT_CTX *m_ctx);
-
-=head1 DESCRIPTION
-
-BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies
-the B<A> and B<Ai> values into the newly created B<BN_BLINDING> object.
-
-BN_BLINDING_free() frees the B<BN_BLINDING> structure.
-
-BN_BLINDING_update() updates the B<BN_BLINDING> parameters by squaring
-the B<A> and B<Ai> or, after specific number of uses and if the
-necessary parameters are set, by re-creating the blinding parameters.
-
-BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
-If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
-returned in B<r> (this is useful if a B<RSA> object is shared among
-several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
-inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
-the inverse blinding.
-
-BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper
-functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex()
-with B<r> set to NULL.
-
-BN_BLINDING_thread_id() provides access to the B<CRYPTO_THREADID>
-object within the B<BN_BLINDING> structure. This is to help users
-provide proper locking if needed for multi-threaded use. The "thread
-id" object of a newly allocated B<BN_BLINDING> structure is
-initialised to the thread id in which BN_BLINDING_new() was called.
-
-BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently
-there are two supported flags: B<BN_BLINDING_NO_UPDATE> and
-B<BN_BLINDING_NO_RECREATE>. B<BN_BLINDING_NO_UPDATE> inhibits the
-automatic update of the B<BN_BLINDING> parameters after each use
-and B<BN_BLINDING_NO_RECREATE> inhibits the automatic re-creation
-of the B<BN_BLINDING> parameters after a fixed number of uses (currently
-32). In newly allocated B<BN_BLINDING> objects no flags are set.
-BN_BLINDING_set_flags() sets the B<BN_BLINDING> parameters flags.
-
-BN_BLINDING_create_param() creates new B<BN_BLINDING> parameters
-using the exponent B<e> and the modulus B<m>. B<bn_mod_exp> and
-B<m_ctx> can be used to pass special functions for exponentiation
-(normally BN_mod_exp_mont() and B<BN_MONT_CTX>).
-
-=head1 RETURN VALUES
-
-BN_BLINDING_new() returns the newly allocated B<BN_BLINDING> structure
-or NULL in case of an error.
-
-BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(),
-BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on
-success and 0 if an error occurred.
-
-BN_BLINDING_thread_id() returns a pointer to the thread id object
-within a B<BN_BLINDING> object.
-
-BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags
-(a B<unsigned long> value).
-
-BN_BLINDING_create_param() returns the newly created B<BN_BLINDING>
-parameters or NULL on error.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>
-
-=head1 HISTORY
-
-BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it
-deprecates BN_BLINDING_set_thread_id and BN_BLINDING_get_thread_id.
-
-BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id,
-BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags
-and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8
-
-=head1 AUTHOR
-
-Nils Larsch for the OpenSSL project (http://www.openssl.org).
-
-=cut
diff --git a/doc/crypto/BN_CTX_new.pod b/doc/crypto/BN_CTX_new.pod
deleted file mode 100644
index bbedbb17782c..000000000000
--- a/doc/crypto/BN_CTX_new.pod
+++ /dev/null
@@ -1,57 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_CTX_new, BN_CTX_init, BN_CTX_free - allocate and free BN_CTX structures
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- BN_CTX *BN_CTX_new(void);
-
- void BN_CTX_free(BN_CTX *c);
-
-Deprecated:
-
- void BN_CTX_init(BN_CTX *c);
-
-
-=head1 DESCRIPTION
-
-A B<BN_CTX> is a structure that holds B<BIGNUM> temporary variables used by
-library functions. Since dynamic memory allocation to create B<BIGNUM>s
-is rather expensive when used in conjunction with repeated subroutine
-calls, the B<BN_CTX> structure is used.
-
-BN_CTX_new() allocates and initializes a B<BN_CTX>
-structure.
-
-BN_CTX_free() frees the components of the B<BN_CTX>, and if it was
-created by BN_CTX_new(), also the structure itself.
-If L<BN_CTX_start(3)|BN_CTX_start(3)> has been used on the B<BN_CTX>,
-L<BN_CTX_end(3)|BN_CTX_end(3)> must be called before the B<BN_CTX>
-may be freed by BN_CTX_free().
-
-BN_CTX_init() (deprecated) initializes an existing uninitialized B<BN_CTX>.
-This should not be used for new programs. Use BN_CTX_new() instead.
-
-=head1 RETURN VALUES
-
-BN_CTX_new() returns a pointer to the B<BN_CTX>. If the allocation fails,
-it returns B<NULL> and sets an error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
-
-BN_CTX_init() and BN_CTX_free() have no return values.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
-L<BN_CTX_start(3)|BN_CTX_start(3)>
-
-=head1 HISTORY
-
-BN_CTX_new() and BN_CTX_free() are available in all versions on SSLeay
-and OpenSSL. BN_CTX_init() was added in SSLeay 0.9.1b.
-
-=cut
diff --git a/doc/crypto/BN_CTX_start.pod b/doc/crypto/BN_CTX_start.pod
deleted file mode 100644
index dfcefe1a8876..000000000000
--- a/doc/crypto/BN_CTX_start.pod
+++ /dev/null
@@ -1,52 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_CTX_start, BN_CTX_get, BN_CTX_end - use temporary BIGNUM variables
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- void BN_CTX_start(BN_CTX *ctx);
-
- BIGNUM *BN_CTX_get(BN_CTX *ctx);
-
- void BN_CTX_end(BN_CTX *ctx);
-
-=head1 DESCRIPTION
-
-These functions are used to obtain temporary B<BIGNUM> variables from
-a B<BN_CTX> (which can been created by using L<BN_CTX_new(3)|BN_CTX_new(3)>)
-in order to save the overhead of repeatedly creating and
-freeing B<BIGNUM>s in functions that are called from inside a loop.
-
-A function must call BN_CTX_start() first. Then, BN_CTX_get() may be
-called repeatedly to obtain temporary B<BIGNUM>s. All BN_CTX_get()
-calls must be made before calling any other functions that use the
-B<ctx> as an argument.
-
-Finally, BN_CTX_end() must be called before returning from the function.
-When BN_CTX_end() is called, the B<BIGNUM> pointers obtained from
-BN_CTX_get() become invalid.
-
-=head1 RETURN VALUES
-
-BN_CTX_start() and BN_CTX_end() return no values.
-
-BN_CTX_get() returns a pointer to the B<BIGNUM>, or B<NULL> on error.
-Once BN_CTX_get() has failed, the subsequent calls will return B<NULL>
-as well, so it is sufficient to check the return value of the last
-BN_CTX_get() call. In case of an error, an error code is set, which
-can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-
-=head1 SEE ALSO
-
-L<BN_CTX_new(3)|BN_CTX_new(3)>
-
-=head1 HISTORY
-
-BN_CTX_start(), BN_CTX_get() and BN_CTX_end() were added in OpenSSL 0.9.5.
-
-=cut
diff --git a/doc/crypto/BN_add.pod b/doc/crypto/BN_add.pod
deleted file mode 100644
index 88c7a799eea5..000000000000
--- a/doc/crypto/BN_add.pod
+++ /dev/null
@@ -1,126 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
-arithmetic operations on BIGNUMs
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-
- int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-
- int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
-
- int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
-
- int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
- BN_CTX *ctx);
-
- int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
-
- int BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
-
- int BN_mod_add(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
- BN_CTX *ctx);
-
- int BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
- BN_CTX *ctx);
-
- int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
- BN_CTX *ctx);
-
- int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
-
- int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
-
- int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx);
-
- int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
-
-=head1 DESCRIPTION
-
-BN_add() adds I<a> and I<b> and places the result in I<r> (C<r=a+b>).
-I<r> may be the same B<BIGNUM> as I<a> or I<b>.
-
-BN_sub() subtracts I<b> from I<a> and places the result in I<r> (C<r=a-b>).
-
-BN_mul() multiplies I<a> and I<b> and places the result in I<r> (C<r=a*b>).
-I<r> may be the same B<BIGNUM> as I<a> or I<b>.
-For multiplication by powers of 2, use L<BN_lshift(3)|BN_lshift(3)>.
-
-BN_sqr() takes the square of I<a> and places the result in I<r>
-(C<r=a^2>). I<r> and I<a> may be the same B<BIGNUM>.
-This function is faster than BN_mul(r,a,a).
-
-BN_div() divides I<a> by I<d> and places the result in I<dv> and the
-remainder in I<rem> (C<dv=a/d, rem=a%d>). Either of I<dv> and I<rem> may
-be B<NULL>, in which case the respective value is not returned.
-The result is rounded towards zero; thus if I<a> is negative, the
-remainder will be zero or negative.
-For division by powers of 2, use BN_rshift(3).
-
-BN_mod() corresponds to BN_div() with I<dv> set to B<NULL>.
-
-BN_nnmod() reduces I<a> modulo I<m> and places the non-negative
-remainder in I<r>.
-
-BN_mod_add() adds I<a> to I<b> modulo I<m> and places the non-negative
-result in I<r>.
-
-BN_mod_sub() subtracts I<b> from I<a> modulo I<m> and places the
-non-negative result in I<r>.
-
-BN_mod_mul() multiplies I<a> by I<b> and finds the non-negative
-remainder respective to modulus I<m> (C<r=(a*b) mod m>). I<r> may be
-the same B<BIGNUM> as I<a> or I<b>. For more efficient algorithms for
-repeated computations using the same modulus, see
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)> and
-L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>.
-
-BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
-result in I<r>.
-
-BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
-(C<r=a^p>). This function is faster than repeated applications of
-BN_mul().
-
-BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p %
-m>). This function uses less time and space than BN_exp().
-
-BN_gcd() computes the greatest common divisor of I<a> and I<b> and
-places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or
-I<b>.
-
-For all functions, I<ctx> is a previously allocated B<BN_CTX> used for
-temporary variables; see L<BN_CTX_new(3)|BN_CTX_new(3)>.
-
-Unless noted otherwise, the result B<BIGNUM> must be different from
-the arguments.
-
-=head1 RETURN VALUES
-
-For all functions, 1 is returned for success, 0 on error. The return
-value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
-L<BN_add_word(3)|BN_add_word(3)>, L<BN_set_bit(3)|BN_set_bit(3)>
-
-=head1 HISTORY
-
-BN_add(), BN_sub(), BN_sqr(), BN_div(), BN_mod(), BN_mod_mul(),
-BN_mod_exp() and BN_gcd() are available in all versions of SSLeay and
-OpenSSL. The I<ctx> argument to BN_mul() was added in SSLeay
-0.9.1b. BN_exp() appeared in SSLeay 0.9.0.
-BN_nnmod(), BN_mod_add(), BN_mod_sub(), and BN_mod_sqr() were added in
-OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/BN_add_word.pod b/doc/crypto/BN_add_word.pod
deleted file mode 100644
index 70667d289345..000000000000
--- a/doc/crypto/BN_add_word.pod
+++ /dev/null
@@ -1,61 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_add_word, BN_sub_word, BN_mul_word, BN_div_word, BN_mod_word - arithmetic
-functions on BIGNUMs with integers
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_add_word(BIGNUM *a, BN_ULONG w);
-
- int BN_sub_word(BIGNUM *a, BN_ULONG w);
-
- int BN_mul_word(BIGNUM *a, BN_ULONG w);
-
- BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
-
- BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
-
-=head1 DESCRIPTION
-
-These functions perform arithmetic operations on BIGNUMs with unsigned
-integers. They are much more efficient than the normal BIGNUM
-arithmetic operations.
-
-BN_add_word() adds B<w> to B<a> (C<a+=w>).
-
-BN_sub_word() subtracts B<w> from B<a> (C<a-=w>).
-
-BN_mul_word() multiplies B<a> and B<w> (C<a*=w>).
-
-BN_div_word() divides B<a> by B<w> (C<a/=w>) and returns the remainder.
-
-BN_mod_word() returns the remainder of B<a> divided by B<w> (C<a%w>).
-
-For BN_div_word() and BN_mod_word(), B<w> must not be 0.
-
-=head1 RETURN VALUES
-
-BN_add_word(), BN_sub_word() and BN_mul_word() return 1 for success, 0
-on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-BN_mod_word() and BN_div_word() return B<a>%B<w> on success and
-B<(BN_ULONG)-1> if an error occurred.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>
-
-=head1 HISTORY
-
-BN_add_word() and BN_mod_word() are available in all versions of
-SSLeay and OpenSSL. BN_div_word() was added in SSLeay 0.8, and
-BN_sub_word() and BN_mul_word() in SSLeay 0.9.0.
-
-Before 0.9.8a the return value for BN_div_word() and BN_mod_word()
-in case of an error was 0.
-
-=cut
diff --git a/doc/crypto/BN_bn2bin.pod b/doc/crypto/BN_bn2bin.pod
deleted file mode 100644
index f6bb484f902f..000000000000
--- a/doc/crypto/BN_bn2bin.pod
+++ /dev/null
@@ -1,98 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_bn2bin, BN_bin2bn, BN_bn2hex, BN_bn2dec, BN_hex2bn, BN_dec2bn,
-BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn - format conversions
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_bn2bin(const BIGNUM *a, unsigned char *to);
- BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
-
- char *BN_bn2hex(const BIGNUM *a);
- char *BN_bn2dec(const BIGNUM *a);
- int BN_hex2bn(BIGNUM **a, const char *str);
- int BN_dec2bn(BIGNUM **a, const char *str);
-
- int BN_print(BIO *fp, const BIGNUM *a);
- int BN_print_fp(FILE *fp, const BIGNUM *a);
-
- int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
- BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
-
-=head1 DESCRIPTION
-
-BN_bn2bin() converts the absolute value of B<a> into big-endian form
-and stores it at B<to>. B<to> must point to BN_num_bytes(B<a>) bytes of
-memory.
-
-BN_bin2bn() converts the positive integer in big-endian form of length
-B<len> at B<s> into a B<BIGNUM> and places it in B<ret>. If B<ret> is
-NULL, a new B<BIGNUM> is created.
-
-BN_bn2hex() and BN_bn2dec() return printable strings containing the
-hexadecimal and decimal encoding of B<a> respectively. For negative
-numbers, the string is prefaced with a leading '-'. The string must be
-freed later using OPENSSL_free().
-
-BN_hex2bn() converts the string B<str> containing a hexadecimal number
-to a B<BIGNUM> and stores it in **B<bn>. If *B<bn> is NULL, a new
-B<BIGNUM> is created. If B<bn> is NULL, it only computes the number's
-length in hexadecimal digits. If the string starts with '-', the
-number is negative.
-A "negative zero" is converted to zero.
-BN_dec2bn() is the same using the decimal system.
-
-BN_print() and BN_print_fp() write the hexadecimal encoding of B<a>,
-with a leading '-' for negative numbers, to the B<BIO> or B<FILE>
-B<fp>.
-
-BN_bn2mpi() and BN_mpi2bn() convert B<BIGNUM>s from and to a format
-that consists of the number's length in bytes represented as a 4-byte
-big-endian number, and the number itself in big-endian format, where
-the most significant bit signals a negative number (the representation
-of numbers with the MSB set is prefixed with null byte).
-
-BN_bn2mpi() stores the representation of B<a> at B<to>, where B<to>
-must be large enough to hold the result. The size can be determined by
-calling BN_bn2mpi(B<a>, NULL).
-
-BN_mpi2bn() converts the B<len> bytes long representation at B<s> to
-a B<BIGNUM> and stores it at B<ret>, or in a newly allocated B<BIGNUM>
-if B<ret> is NULL.
-
-=head1 RETURN VALUES
-
-BN_bn2bin() returns the length of the big-endian number placed at B<to>.
-BN_bin2bn() returns the B<BIGNUM>, NULL on error.
-
-BN_bn2hex() and BN_bn2dec() return a null-terminated string, or NULL
-on error. BN_hex2bn() and BN_dec2bn() return the number of characters
-used in parsing, or 0 on error, in which
-case no new B<BIGNUM> will be created.
-
-BN_print_fp() and BN_print() return 1 on success, 0 on write errors.
-
-BN_bn2mpi() returns the length of the representation. BN_mpi2bn()
-returns the B<BIGNUM>, and NULL on error.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_zero(3)|BN_zero(3)>,
-L<ASN1_INTEGER_to_BN(3)|ASN1_INTEGER_to_BN(3)>,
-L<BN_num_bytes(3)|BN_num_bytes(3)>
-
-=head1 HISTORY
-
-BN_bn2bin(), BN_bin2bn(), BN_print_fp() and BN_print() are available
-in all versions of SSLeay and OpenSSL.
-
-BN_bn2hex(), BN_bn2dec(), BN_hex2bn(), BN_dec2bn(), BN_bn2mpi() and
-BN_mpi2bn() were added in SSLeay 0.9.0.
-
-=cut
diff --git a/doc/crypto/BN_cmp.pod b/doc/crypto/BN_cmp.pod
deleted file mode 100644
index 23e9ed0b4f95..000000000000
--- a/doc/crypto/BN_cmp.pod
+++ /dev/null
@@ -1,48 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_is_odd - BIGNUM comparison and test functions
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_cmp(BIGNUM *a, BIGNUM *b);
- int BN_ucmp(BIGNUM *a, BIGNUM *b);
-
- int BN_is_zero(BIGNUM *a);
- int BN_is_one(BIGNUM *a);
- int BN_is_word(BIGNUM *a, BN_ULONG w);
- int BN_is_odd(BIGNUM *a);
-
-=head1 DESCRIPTION
-
-BN_cmp() compares the numbers B<a> and B<b>. BN_ucmp() compares their
-absolute values.
-
-BN_is_zero(), BN_is_one() and BN_is_word() test if B<a> equals 0, 1,
-or B<w> respectively. BN_is_odd() tests if a is odd.
-
-BN_is_zero(), BN_is_one(), BN_is_word() and BN_is_odd() are macros.
-
-=head1 RETURN VALUES
-
-BN_cmp() returns -1 if B<a> E<lt> B<b>, 0 if B<a> == B<b> and 1 if
-B<a> E<gt> B<b>. BN_ucmp() is the same using the absolute values
-of B<a> and B<b>.
-
-BN_is_zero(), BN_is_one() BN_is_word() and BN_is_odd() return 1 if
-the condition is true, 0 otherwise.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>
-
-=head1 HISTORY
-
-BN_cmp(), BN_ucmp(), BN_is_zero(), BN_is_one() and BN_is_word() are
-available in all versions of SSLeay and OpenSSL.
-BN_is_odd() was added in SSLeay 0.8.
-
-=cut
diff --git a/doc/crypto/BN_copy.pod b/doc/crypto/BN_copy.pod
deleted file mode 100644
index 388dd7df2653..000000000000
--- a/doc/crypto/BN_copy.pod
+++ /dev/null
@@ -1,34 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_copy, BN_dup - copy BIGNUMs
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- BIGNUM *BN_copy(BIGNUM *to, const BIGNUM *from);
-
- BIGNUM *BN_dup(const BIGNUM *from);
-
-=head1 DESCRIPTION
-
-BN_copy() copies B<from> to B<to>. BN_dup() creates a new B<BIGNUM>
-containing the value B<from>.
-
-=head1 RETURN VALUES
-
-BN_copy() returns B<to> on success, NULL on error. BN_dup() returns
-the new B<BIGNUM>, and NULL on error. The error codes can be obtained
-by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-BN_copy() and BN_dup() are available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod
deleted file mode 100644
index bf1b5308adab..000000000000
--- a/doc/crypto/BN_generate_prime.pod
+++ /dev/null
@@ -1,150 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_generate_prime_ex, BN_is_prime_ex, BN_is_prime_fasttest_ex, BN_GENCB_call,
-BN_GENCB_set_old, BN_GENCB_set, BN_generate_prime, BN_is_prime,
-BN_is_prime_fasttest - generate primes and test for primality
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_generate_prime_ex(BIGNUM *ret,int bits,int safe, const BIGNUM *add,
- const BIGNUM *rem, BN_GENCB *cb);
-
- int BN_is_prime_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, BN_GENCB *cb);
-
- int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
- int do_trial_division, BN_GENCB *cb);
-
- int BN_GENCB_call(BN_GENCB *cb, int a, int b);
-
- #define BN_GENCB_set_old(gencb, callback, cb_arg) ...
-
- #define BN_GENCB_set(gencb, callback, cb_arg) ...
-
-
-Deprecated:
-
- BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add,
- BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
-
- int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int,
- void *), BN_CTX *ctx, void *cb_arg);
-
- int BN_is_prime_fasttest(const BIGNUM *a, int checks,
- void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg,
- int do_trial_division);
-
-=head1 DESCRIPTION
-
-BN_generate_prime_ex() generates a pseudo-random prime number of
-bit length B<bits>.
-If B<ret> is not B<NULL>, it will be used to store the number.
-
-If B<cb> is not B<NULL>, it is used as follows:
-
-=over 4
-
-=item *
-
-B<BN_GENCB_call(cb, 0, i)> is called after generating the i-th
-potential prime number.
-
-=item *
-
-While the number is being tested for primality,
-B<BN_GENCB_call(cb, 1, j)> is called as described below.
-
-=item *
-
-When a prime has been found, B<BN_GENCB_call(cb, 2, i)> is called.
-
-=back
-
-The prime may have to fulfill additional requirements for use in
-Diffie-Hellman key exchange:
-
-If B<add> is not B<NULL>, the prime will fulfill the condition p % B<add>
-== B<rem> (p % B<add> == 1 if B<rem> == B<NULL>) in order to suit a given
-generator.
-
-If B<safe> is true, it will be a safe prime (i.e. a prime p so
-that (p-1)/2 is also prime).
-
-The PRNG must be seeded prior to calling BN_generate_prime_ex().
-The prime number generation has a negligible error probability.
-
-BN_is_prime_ex() and BN_is_prime_fasttest_ex() test if the number B<p> is
-prime. The following tests are performed until one of them shows that
-B<p> is composite; if B<p> passes all these tests, it is considered
-prime.
-
-BN_is_prime_fasttest_ex(), when called with B<do_trial_division == 1>,
-first attempts trial division by a number of small primes;
-if no divisors are found by this test and B<cb> is not B<NULL>,
-B<BN_GENCB_call(cb, 1, -1)> is called.
-If B<do_trial_division == 0>, this test is skipped.
-
-Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-Rabin
-probabilistic primality test with B<nchecks> iterations. If
-B<nchecks == BN_prime_checks>, a number of iterations is used that
-yields a false positive rate of at most 2^-80 for random input.
-
-If B<cb> is not B<NULL>, B<BN_GENCB_call(cb, 1, j)> is called
-after the j-th iteration (j = 0, 1, ...). B<ctx> is a
-pre-allocated B<BN_CTX> (to save the overhead of allocating and
-freeing the structure in a loop), or B<NULL>.
-
-BN_GENCB_call calls the callback function held in the B<BN_GENCB> structure
-and passes the ints B<a> and B<b> as arguments. There are two types of
-B<BN_GENCB> structure that are supported: "new" style and "old" style. New
-programs should prefer the "new" style, whilst the "old" style is provided
-for backwards compatibility purposes.
-
-For "new" style callbacks a BN_GENCB structure should be initialised with a
-call to BN_GENCB_set, where B<gencb> is a B<BN_GENCB *>, B<callback> is of
-type B<int (*callback)(int, int, BN_GENCB *)> and B<cb_arg> is a B<void *>.
-"Old" style callbacks are the same except they are initialised with a call
-to BN_GENCB_set_old and B<callback> is of type
-B<void (*callback)(int, int, void *)>.
-
-A callback is invoked through a call to B<BN_GENCB_call>. This will check
-the type of the callback and will invoke B<callback(a, b, gencb)> for new
-style callbacks or B<callback(a, b, cb_arg)> for old style.
-
-BN_generate_prime (deprecated) works in the same way as
-BN_generate_prime_ex but expects an old style callback function
-directly in the B<callback> parameter, and an argument to pass to it in
-the B<cb_arg>. Similarly BN_is_prime and BN_is_prime_fasttest are
-deprecated and can be compared to BN_is_prime_ex and
-BN_is_prime_fasttest_ex respectively.
-
-=head1 RETURN VALUES
-
-BN_generate_prime_ex() return 1 on success or 0 on error.
-
-BN_is_prime_ex(), BN_is_prime_fasttest_ex(), BN_is_prime() and
-BN_is_prime_fasttest() return 0 if the number is composite, 1 if it is
-prime with an error probability of less than 0.25^B<nchecks>, and
--1 on error.
-
-BN_generate_prime() returns the prime number on success, B<NULL> otherwise.
-
-Callback functions should return 1 on success or 0 on error.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>
-
-=head1 HISTORY
-
-The B<cb_arg> arguments to BN_generate_prime() and to BN_is_prime()
-were added in SSLeay 0.9.0. The B<ret> argument to BN_generate_prime()
-was added in SSLeay 0.9.1.
-BN_is_prime_fasttest() was added in OpenSSL 0.9.5.
-
-=cut
diff --git a/doc/crypto/BN_mod_inverse.pod b/doc/crypto/BN_mod_inverse.pod
deleted file mode 100644
index 3ea3975c7422..000000000000
--- a/doc/crypto/BN_mod_inverse.pod
+++ /dev/null
@@ -1,36 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_mod_inverse - compute inverse modulo n
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
- BN_CTX *ctx);
-
-=head1 DESCRIPTION
-
-BN_mod_inverse() computes the inverse of B<a> modulo B<n>
-places the result in B<r> (C<(a*r)%n==1>). If B<r> is NULL,
-a new B<BIGNUM> is created.
-
-B<ctx> is a previously allocated B<BN_CTX> used for temporary
-variables. B<r> may be the same B<BIGNUM> as B<a> or B<n>.
-
-=head1 RETURN VALUES
-
-BN_mod_inverse() returns the B<BIGNUM> containing the inverse, and
-NULL on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>
-
-=head1 HISTORY
-
-BN_mod_inverse() is available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/BN_mod_mul_montgomery.pod b/doc/crypto/BN_mod_mul_montgomery.pod
deleted file mode 100644
index 6b16351b92e4..000000000000
--- a/doc/crypto/BN_mod_mul_montgomery.pod
+++ /dev/null
@@ -1,101 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_mod_mul_montgomery, BN_MONT_CTX_new, BN_MONT_CTX_init,
-BN_MONT_CTX_free, BN_MONT_CTX_set, BN_MONT_CTX_copy,
-BN_from_montgomery, BN_to_montgomery - Montgomery multiplication
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- BN_MONT_CTX *BN_MONT_CTX_new(void);
- void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
- void BN_MONT_CTX_free(BN_MONT_CTX *mont);
-
- int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx);
- BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
-
- int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
- BN_MONT_CTX *mont, BN_CTX *ctx);
-
- int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
- BN_CTX *ctx);
-
- int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
- BN_CTX *ctx);
-
-=head1 DESCRIPTION
-
-These functions implement Montgomery multiplication. They are used
-automatically when L<BN_mod_exp(3)|BN_mod_exp(3)> is called with suitable input,
-but they may be useful when several operations are to be performed
-using the same modulus.
-
-BN_MONT_CTX_new() allocates and initializes a B<BN_MONT_CTX> structure.
-BN_MONT_CTX_init() initializes an existing uninitialized B<BN_MONT_CTX>.
-
-BN_MONT_CTX_set() sets up the I<mont> structure from the modulus I<m>
-by precomputing its inverse and a value R.
-
-BN_MONT_CTX_copy() copies the B<BN_MONT_CTX> I<from> to I<to>.
-
-BN_MONT_CTX_free() frees the components of the B<BN_MONT_CTX>, and, if
-it was created by BN_MONT_CTX_new(), also the structure itself.
-
-BN_mod_mul_montgomery() computes Mont(I<a>,I<b>):=I<a>*I<b>*R^-1 and places
-the result in I<r>.
-
-BN_from_montgomery() performs the Montgomery reduction I<r> = I<a>*R^-1.
-
-BN_to_montgomery() computes Mont(I<a>,R^2), i.e. I<a>*R.
-Note that I<a> must be non-negative and smaller than the modulus.
-
-For all functions, I<ctx> is a previously allocated B<BN_CTX> used for
-temporary variables.
-
-The B<BN_MONT_CTX> structure is defined as follows:
-
- typedef struct bn_mont_ctx_st
- {
- int ri; /* number of bits in R */
- BIGNUM RR; /* R^2 (used to convert to Montgomery form) */
- BIGNUM N; /* The modulus */
- BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1
- * (Ni is only stored for bignum algorithm) */
- BN_ULONG n0; /* least significant word of Ni */
- int flags;
- } BN_MONT_CTX;
-
-BN_to_montgomery() is a macro.
-
-=head1 RETURN VALUES
-
-BN_MONT_CTX_new() returns the newly allocated B<BN_MONT_CTX>, and NULL
-on error.
-
-BN_MONT_CTX_init() and BN_MONT_CTX_free() have no return values.
-
-For the other functions, 1 is returned for success, 0 on error.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 WARNING
-
-The inputs must be reduced modulo B<m>, otherwise the result will be
-outside the expected range.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
-L<BN_CTX_new(3)|BN_CTX_new(3)>
-
-=head1 HISTORY
-
-BN_MONT_CTX_new(), BN_MONT_CTX_free(), BN_MONT_CTX_set(),
-BN_mod_mul_montgomery(), BN_from_montgomery() and BN_to_montgomery()
-are available in all versions of SSLeay and OpenSSL.
-
-BN_MONT_CTX_init() and BN_MONT_CTX_copy() were added in SSLeay 0.9.1b.
-
-=cut
diff --git a/doc/crypto/BN_mod_mul_reciprocal.pod b/doc/crypto/BN_mod_mul_reciprocal.pod
deleted file mode 100644
index 74a216ddc2ad..000000000000
--- a/doc/crypto/BN_mod_mul_reciprocal.pod
+++ /dev/null
@@ -1,81 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_mod_mul_reciprocal, BN_div_recp, BN_RECP_CTX_new, BN_RECP_CTX_init,
-BN_RECP_CTX_free, BN_RECP_CTX_set - modular multiplication using
-reciprocal
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- BN_RECP_CTX *BN_RECP_CTX_new(void);
- void BN_RECP_CTX_init(BN_RECP_CTX *recp);
- void BN_RECP_CTX_free(BN_RECP_CTX *recp);
-
- int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
-
- int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *a, BN_RECP_CTX *recp,
- BN_CTX *ctx);
-
- int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
- BN_RECP_CTX *recp, BN_CTX *ctx);
-
-=head1 DESCRIPTION
-
-BN_mod_mul_reciprocal() can be used to perform an efficient
-L<BN_mod_mul(3)|BN_mod_mul(3)> operation when the operation will be performed
-repeatedly with the same modulus. It computes B<r>=(B<a>*B<b>)%B<m>
-using B<recp>=1/B<m>, which is set as described below. B<ctx> is a
-previously allocated B<BN_CTX> used for temporary variables.
-
-BN_RECP_CTX_new() allocates and initializes a B<BN_RECP> structure.
-BN_RECP_CTX_init() initializes an existing uninitialized B<BN_RECP>.
-
-BN_RECP_CTX_free() frees the components of the B<BN_RECP>, and, if it
-was created by BN_RECP_CTX_new(), also the structure itself.
-
-BN_RECP_CTX_set() stores B<m> in B<recp> and sets it up for computing
-1/B<m> and shifting it left by BN_num_bits(B<m>)+1 to make it an
-integer. The result and the number of bits it was shifted left will
-later be stored in B<recp>.
-
-BN_div_recp() divides B<a> by B<m> using B<recp>. It places the quotient
-in B<dv> and the remainder in B<rem>.
-
-The B<BN_RECP_CTX> structure is defined as follows:
-
- typedef struct bn_recp_ctx_st
- {
- BIGNUM N; /* the divisor */
- BIGNUM Nr; /* the reciprocal */
- int num_bits;
- int shift;
- int flags;
- } BN_RECP_CTX;
-
-It cannot be shared between threads.
-
-=head1 RETURN VALUES
-
-BN_RECP_CTX_new() returns the newly allocated B<BN_RECP_CTX>, and NULL
-on error.
-
-BN_RECP_CTX_init() and BN_RECP_CTX_free() have no return values.
-
-For the other functions, 1 is returned for success, 0 on error.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
-L<BN_CTX_new(3)|BN_CTX_new(3)>
-
-=head1 HISTORY
-
-B<BN_RECP_CTX> was added in SSLeay 0.9.0. Before that, the function
-BN_reciprocal() was used instead, and the BN_mod_mul_reciprocal()
-arguments were different.
-
-=cut
diff --git a/doc/crypto/BN_new.pod b/doc/crypto/BN_new.pod
deleted file mode 100644
index d446603191af..000000000000
--- a/doc/crypto/BN_new.pod
+++ /dev/null
@@ -1,55 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_new, BN_init, BN_clear, BN_free, BN_clear_free - allocate and free BIGNUMs
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- BIGNUM *BN_new(void);
-
- void BN_init(BIGNUM *);
-
- void BN_clear(BIGNUM *a);
-
- void BN_free(BIGNUM *a);
-
- void BN_clear_free(BIGNUM *a);
-
-=head1 DESCRIPTION
-
-BN_new() allocates and initializes a B<BIGNUM> structure. BN_init()
-initializes an existing uninitialized B<BIGNUM>.
-
-BN_clear() is used to destroy sensitive data such as keys when they
-are no longer needed. It erases the memory used by B<a> and sets it
-to the value 0.
-
-BN_free() frees the components of the B<BIGNUM>, and if it was created
-by BN_new(), also the structure itself. BN_clear_free() additionally
-overwrites the data before the memory is returned to the system.
-If B<a> is NULL, nothing is done.
-
-=head1 RETURN VALUES
-
-BN_new() returns a pointer to the B<BIGNUM> initialised to the value 0.
-If the allocation fails,
-it returns B<NULL> and sets an error code that can be obtained
-by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-BN_init(), BN_clear(), BN_free() and BN_clear_free() have no return
-values.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-BN_new(), BN_clear(), BN_free() and BN_clear_free() are available in
-all versions on SSLeay and OpenSSL. BN_init() was added in SSLeay
-0.9.1b.
-
-=cut
diff --git a/doc/crypto/BN_num_bytes.pod b/doc/crypto/BN_num_bytes.pod
deleted file mode 100644
index a6a2e3f81988..000000000000
--- a/doc/crypto/BN_num_bytes.pod
+++ /dev/null
@@ -1,57 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_num_bits, BN_num_bytes, BN_num_bits_word - get BIGNUM size
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_num_bytes(const BIGNUM *a);
-
- int BN_num_bits(const BIGNUM *a);
-
- int BN_num_bits_word(BN_ULONG w);
-
-=head1 DESCRIPTION
-
-BN_num_bytes() returns the size of a B<BIGNUM> in bytes.
-
-BN_num_bits_word() returns the number of significant bits in a word.
-If we take 0x00000432 as an example, it returns 11, not 16, not 32.
-Basically, except for a zero, it returns I<floor(log2(w))+1>.
-
-BN_num_bits() returns the number of significant bits in a B<BIGNUM>,
-following the same principle as BN_num_bits_word().
-
-BN_num_bytes() is a macro.
-
-=head1 RETURN VALUES
-
-The size.
-
-=head1 NOTES
-
-Some have tried using BN_num_bits() on individual numbers in RSA keys,
-DH keys and DSA keys, and found that they don't always come up with
-the number of bits they expected (something like 512, 1024, 2048,
-...). This is because generating a number with some specific number
-of bits doesn't always set the highest bits, thereby making the number
-of I<significant> bits a little lower. If you want to know the "key
-size" of such a key, either use functions like RSA_size(), DH_size()
-and DSA_size(), or use BN_num_bytes() and multiply with 8 (although
-there's no real guarantee that will match the "key size", just a lot
-more probability).
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<DH_size(3)|DH_size(3)>, L<DSA_size(3)|DSA_size(3)>,
-L<RSA_size(3)|RSA_size(3)>
-
-=head1 HISTORY
-
-BN_num_bytes(), BN_num_bits() and BN_num_bits_word() are available in
-all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod
deleted file mode 100644
index a1513a952654..000000000000
--- a/doc/crypto/BN_rand.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_rand, BN_pseudo_rand, BN_rand_range, BN_pseudo_rand_range - generate pseudo-random number
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
-
- int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
-
- int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
-
- int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
-
-=head1 DESCRIPTION
-
-BN_rand() generates a cryptographically strong pseudo-random number of
-B<bits> in length and stores it in B<rnd>.
-If B<bits> is less than zero, or too small to
-accomodate the requirements specified by the B<top> and B<bottom>
-parameters, an error is returned.
-If B<top> is -1, the
-most significant bit of the random number can be zero. If B<top> is 0,
-it is set to 1, and if B<top> is 1, the two most significant bits of
-the number will be set to 1, so that the product of two such random
-numbers will always have 2*B<bits> length. If B<bottom> is true, the
-number will be odd. The value of B<bits> must be zero or greater. If B<bits> is
-1 then B<top> cannot also be 1.
-
-BN_pseudo_rand() does the same, but pseudo-random numbers generated by
-this function are not necessarily unpredictable. They can be used for
-non-cryptographic purposes and for certain purposes in cryptographic
-protocols, but usually not for key generation etc.
-
-BN_rand_range() generates a cryptographically strong pseudo-random
-number B<rnd> in the range 0 E<lt>= B<rnd> E<lt> B<range>.
-BN_pseudo_rand_range() does the same, but is based on BN_pseudo_rand(),
-and hence numbers generated by it are not necessarily unpredictable.
-
-The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().
-
-=head1 RETURN VALUES
-
-The functions return 1 on success, 0 on error.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
-
-=head1 HISTORY
-
-BN_rand() is available in all versions of SSLeay and OpenSSL.
-BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
-and the function BN_rand_range() were added in OpenSSL 0.9.6a.
-BN_pseudo_rand_range() was added in OpenSSL 0.9.6c.
-
-=cut
diff --git a/doc/crypto/BN_set_bit.pod b/doc/crypto/BN_set_bit.pod
deleted file mode 100644
index a32cca2cee6b..000000000000
--- a/doc/crypto/BN_set_bit.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_set_bit, BN_clear_bit, BN_is_bit_set, BN_mask_bits, BN_lshift,
-BN_lshift1, BN_rshift, BN_rshift1 - bit operations on BIGNUMs
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_set_bit(BIGNUM *a, int n);
- int BN_clear_bit(BIGNUM *a, int n);
-
- int BN_is_bit_set(const BIGNUM *a, int n);
-
- int BN_mask_bits(BIGNUM *a, int n);
-
- int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
- int BN_lshift1(BIGNUM *r, BIGNUM *a);
-
- int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
- int BN_rshift1(BIGNUM *r, BIGNUM *a);
-
-=head1 DESCRIPTION
-
-BN_set_bit() sets bit B<n> in B<a> to 1 (C<a|=(1E<lt>E<lt>n)>). The
-number is expanded if necessary.
-
-BN_clear_bit() sets bit B<n> in B<a> to 0 (C<a&=~(1E<lt>E<lt>n)>). An
-error occurs if B<a> is shorter than B<n> bits.
-
-BN_is_bit_set() tests if bit B<n> in B<a> is set.
-
-BN_mask_bits() truncates B<a> to an B<n> bit number
-(C<a&=~((~0)E<gt>E<gt>n)>). An error occurs if B<a> already is
-shorter than B<n> bits.
-
-BN_lshift() shifts B<a> left by B<n> bits and places the result in
-B<r> (C<r=a*2^n>). Note that B<n> must be non-negative. BN_lshift1() shifts
-B<a> left by one and places the result in B<r> (C<r=2*a>).
-
-BN_rshift() shifts B<a> right by B<n> bits and places the result in
-B<r> (C<r=a/2^n>). Note that B<n> must be non-negative. BN_rshift1() shifts
-B<a> right by one and places the result in B<r> (C<r=a/2>).
-
-For the shift functions, B<r> and B<a> may be the same variable.
-
-=head1 RETURN VALUES
-
-BN_is_bit_set() returns 1 if the bit is set, 0 otherwise.
-
-All other functions return 1 for success, 0 on error. The error codes
-can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>, L<BN_add(3)|BN_add(3)>
-
-=head1 HISTORY
-
-BN_set_bit(), BN_clear_bit(), BN_is_bit_set(), BN_mask_bits(),
-BN_lshift(), BN_lshift1(), BN_rshift(), and BN_rshift1() are available
-in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/BN_swap.pod b/doc/crypto/BN_swap.pod
deleted file mode 100644
index 79efaa144634..000000000000
--- a/doc/crypto/BN_swap.pod
+++ /dev/null
@@ -1,23 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_swap - exchange BIGNUMs
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- void BN_swap(BIGNUM *a, BIGNUM *b);
-
-=head1 DESCRIPTION
-
-BN_swap() exchanges the values of I<a> and I<b>.
-
-L<bn(3)|bn(3)>
-
-=head1 HISTORY
-
-BN_swap was added in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/BN_zero.pod b/doc/crypto/BN_zero.pod
deleted file mode 100644
index 8aa9c142b725..000000000000
--- a/doc/crypto/BN_zero.pod
+++ /dev/null
@@ -1,62 +0,0 @@
-=pod
-
-=head1 NAME
-
-BN_zero, BN_one, BN_value_one, BN_set_word, BN_get_word - BIGNUM assignment
-operations
-
-=head1 SYNOPSIS
-
- #include <openssl/bn.h>
-
- int BN_zero(BIGNUM *a);
- int BN_one(BIGNUM *a);
-
- const BIGNUM *BN_value_one(void);
-
- int BN_set_word(BIGNUM *a, BN_ULONG w);
- BN_ULONG BN_get_word(BIGNUM *a);
-
-=head1 DESCRIPTION
-
-B<BN_ULONG> is a macro that will be an unsigned integral type optimied
-for the most efficient implementation on the local platform.
-
-BN_zero(), BN_one() and BN_set_word() set B<a> to the values 0, 1 and
-B<w> respectively. BN_zero() and BN_one() are macros.
-
-BN_value_one() returns a B<BIGNUM> constant of value 1. This constant
-is useful for use in comparisons and assignment.
-
-BN_get_word() returns B<a>, if it can be represented as a B<BN_ULONG>.
-
-=head1 RETURN VALUES
-
-BN_get_word() returns the value B<a>, or all-bits-set if B<a> cannot
-be represented as a B<BN_ULONG>.
-
-BN_zero(), BN_one() and BN_set_word() return 1 on success, 0 otherwise.
-BN_value_one() returns the constant.
-
-=head1 BUGS
-
-If a B<BIGNUM> is equal to the value of all-bits-set, it will collide
-with the error condition returned by BN_get_word() which uses that
-as an error value.
-
-B<BN_ULONG> should probably be a typedef.
-
-=head1 SEE ALSO
-
-L<bn(3)|bn(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
-
-=head1 HISTORY
-
-BN_zero(), BN_one() and BN_set_word() are available in all versions of
-SSLeay and OpenSSL. BN_value_one() and BN_get_word() were added in
-SSLeay 0.8.
-
-BN_value_one() was changed to return a true const BIGNUM * in OpenSSL
-0.9.7.
-
-=cut
diff --git a/doc/crypto/CMS_add0_cert.pod b/doc/crypto/CMS_add0_cert.pod
deleted file mode 100644
index 8678ca18a586..000000000000
--- a/doc/crypto/CMS_add0_cert.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-
-=head1 NAME
-
-CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_get1_crls, - CMS certificate and CRL utility functions
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert);
- int CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert);
- STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms);
-
- int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl);
- int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl);
- STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms);
-
-
-=head1 DESCRIPTION
-
-CMS_add0_cert() and CMS_add1_cert() add certificate B<cert> to B<cms>.
-must be of type signed data or enveloped data.
-
-CMS_get1_certs() returns all certificates in B<cms>.
-
-CMS_add0_crl() and CMS_add1_crl() add CRL B<crl> to B<cms>. CMS_get1_crls()
-returns any CRLs in B<cms>.
-
-=head1 NOTES
-
-The CMS_ContentInfo structure B<cms> must be of type signed data or enveloped
-data or an error will be returned.
-
-For signed data certificates and CRLs are added to the B<certificates> and
-B<crls> fields of SignedData structure. For enveloped data they are added to
-B<OriginatorInfo>.
-
-As the B<0> implies CMS_add0_cert() adds B<cert> internally to B<cms> and it
-must not be freed up after the call as opposed to CMS_add1_cert() where B<cert>
-must be freed up.
-
-The same certificate or CRL must not be added to the same cms structure more
-than once.
-
-=head1 RETURN VALUES
-
-CMS_add0_cert(), CMS_add1_cert() and CMS_add0_crl() and CMS_add1_crl() return
-1 for success and 0 for failure.
-
-CMS_get1_certs() and CMS_get1_crls() return the STACK of certificates or CRLs
-or NULL if there are none or an error occurs. The only error which will occur
-in practice is if the B<cms> type is invalid.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_encrypt(3)|CMS_encrypt(3)>
-
-=head1 HISTORY
-
-CMS_add0_cert(), CMS_add1_cert(), CMS_get1_certs(), CMS_add0_crl()
-and CMS_get1_crls() were all first added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_add1_recipient_cert.pod b/doc/crypto/CMS_add1_recipient_cert.pod
deleted file mode 100644
index d7d8e2532c87..000000000000
--- a/doc/crypto/CMS_add1_recipient_cert.pod
+++ /dev/null
@@ -1,62 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_add1_recipient_cert, CMS_add0_recipient_key - add recipients to a CMS enveloped data structure
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip, unsigned int flags);
-
- CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, unsigned char *key, size_t keylen, unsigned char *id, size_t idlen, ASN1_GENERALIZEDTIME *date, ASN1_OBJECT *otherTypeId, ASN1_TYPE *otherType);
-
-=head1 DESCRIPTION
-
-CMS_add1_recipient_cert() adds recipient B<recip> to CMS_ContentInfo enveloped
-data structure B<cms> as a KeyTransRecipientInfo structure.
-
-CMS_add0_recipient_key() adds symmetric key B<key> of length B<keylen> using
-wrapping algorithm B<nid>, identifier B<id> of length B<idlen> and optional
-values B<date>, B<otherTypeId> and B<otherType> to CMS_ContentInfo enveloped
-data structure B<cms> as a KEKRecipientInfo structure.
-
-The CMS_ContentInfo structure should be obtained from an initial call to
-CMS_encrypt() with the flag B<CMS_PARTIAL> set.
-
-=head1 NOTES
-
-The main purpose of this function is to provide finer control over a CMS
-enveloped data structure where the simpler CMS_encrypt() function defaults are
-not appropriate. For example if one or more KEKRecipientInfo structures
-need to be added. New attributes can also be added using the returned
-CMS_RecipientInfo structure and the CMS attribute utility functions.
-
-OpenSSL will by default identify recipient certificates using issuer name
-and serial number. If B<CMS_USE_KEYID> is set it will use the subject key
-identifier value instead. An error occurs if all recipient certificates do not
-have a subject key identifier extension.
-
-Currently only AES based key wrapping algorithms are supported for B<nid>,
-specifically: NID_id_aes128_wrap, NID_id_aes192_wrap and NID_id_aes256_wrap.
-If B<nid> is set to B<NID_undef> then an AES wrap algorithm will be used
-consistent with B<keylen>.
-
-=head1 RETURN VALUES
-
-CMS_add1_recipient_cert() and CMS_add0_recipient_key() return an internal
-pointer to the CMS_RecipientInfo structure just added or NULL if an error
-occurs.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_decrypt(3)|CMS_decrypt(3)>,
-L<CMS_final(3)|CMS_final(3)>,
-
-=head1 HISTORY
-
-CMS_add1_recipient_cert() and CMS_add0_recipient_key() were added to OpenSSL
-0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_add1_signer.pod b/doc/crypto/CMS_add1_signer.pod
deleted file mode 100644
index a055b82695ae..000000000000
--- a/doc/crypto/CMS_add1_signer.pod
+++ /dev/null
@@ -1,101 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_add1_signer, CMS_SignerInfo_sign - add a signer to a CMS_ContentInfo signed data structure.
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, unsigned int flags);
-
- int CMS_SignerInfo_sign(CMS_SignerInfo *si);
-
-
-=head1 DESCRIPTION
-
-CMS_add1_signer() adds a signer with certificate B<signcert> and private
-key B<pkey> using message digest B<md> to CMS_ContentInfo SignedData
-structure B<cms>.
-
-The CMS_ContentInfo structure should be obtained from an initial call to
-CMS_sign() with the flag B<CMS_PARTIAL> set or in the case or re-signing a
-valid CMS_ContentInfo SignedData structure.
-
-If the B<md> parameter is B<NULL> then the default digest for the public
-key algorithm will be used.
-
-Unless the B<CMS_REUSE_DIGEST> flag is set the returned CMS_ContentInfo
-structure is not complete and must be finalized either by streaming (if
-applicable) or a call to CMS_final().
-
-The CMS_SignerInfo_sign() function will explicitly sign a CMS_SignerInfo
-structure, its main use is when B<CMS_REUSE_DIGEST> and B<CMS_PARTIAL> flags
-are both set.
-
-=head1 NOTES
-
-The main purpose of CMS_add1_signer() is to provide finer control
-over a CMS signed data structure where the simpler CMS_sign() function defaults
-are not appropriate. For example if multiple signers or non default digest
-algorithms are needed. New attributes can also be added using the returned
-CMS_SignerInfo structure and the CMS attribute utility functions or the
-CMS signed receipt request functions.
-
-Any of the following flags (ored together) can be passed in the B<flags>
-parameter.
-
-If B<CMS_REUSE_DIGEST> is set then an attempt is made to copy the content
-digest value from the CMS_ContentInfo structure: to add a signer to an existing
-structure. An error occurs if a matching digest value cannot be found to copy.
-The returned CMS_ContentInfo structure will be valid and finalized when this
-flag is set.
-
-If B<CMS_PARTIAL> is set in addition to B<CMS_REUSE_DIGEST> then the
-CMS_SignerInfo structure will not be finalized so additional attributes
-can be added. In this case an explicit call to CMS_SignerInfo_sign() is
-needed to finalize it.
-
-If B<CMS_NOCERTS> is set the signer's certificate will not be included in the
-CMS_ContentInfo structure, the signer's certificate must still be supplied in
-the B<signcert> parameter though. This can reduce the size of the signature if
-the signers certificate can be obtained by other means: for example a
-previously signed message.
-
-The SignedData structure includes several CMS signedAttributes including the
-signing time, the CMS content type and the supported list of ciphers in an
-SMIMECapabilities attribute. If B<CMS_NOATTR> is set then no signedAttributes
-will be used. If B<CMS_NOSMIMECAP> is set then just the SMIMECapabilities are
-omitted.
-
-OpenSSL will by default identify signing certificates using issuer name
-and serial number. If B<CMS_USE_KEYID> is set it will use the subject key
-identifier value instead. An error occurs if the signing certificate does not
-have a subject key identifier extension.
-
-If present the SMIMECapabilities attribute indicates support for the following
-algorithms in preference order: 256 bit AES, Gost R3411-94, Gost 28147-89, 192
-bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2.
-If any of these algorithms is not available then it will not be included: for example the GOST algorithms will not be included if the GOST ENGINE is
-not loaded.
-
-CMS_add1_signer() returns an internal pointer to the CMS_SignerInfo
-structure just added, this can be used to set additional attributes
-before it is finalized.
-
-=head1 RETURN VALUES
-
-CMS_add1_signer() returns an internal pointer to the CMS_SignerInfo
-structure just added or NULL if an error occurs.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_final(3)|CMS_final(3)>,
-
-=head1 HISTORY
-
-CMS_add1_signer() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_compress.pod b/doc/crypto/CMS_compress.pod
deleted file mode 100644
index 0a0715271d31..000000000000
--- a/doc/crypto/CMS_compress.pod
+++ /dev/null
@@ -1,73 +0,0 @@
-=pod
-
-=head1 NAME
-
-CMS_compress - create a CMS CompressedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- CMS_ContentInfo *CMS_compress(BIO *in, int comp_nid, unsigned int flags);
-
-=head1 DESCRIPTION
-
-CMS_compress() creates and returns a CMS CompressedData structure. B<comp_nid>
-is the compression algorithm to use or B<NID_undef> to use the default
-algorithm (zlib compression). B<in> is the content to be compressed.
-B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-The only currently supported compression algorithm is zlib using the NID
-NID_zlib_compression.
-
-If zlib support is not compiled into OpenSSL then CMS_compress() will return
-an error.
-
-If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are
-prepended to the data.
-
-Normally the supplied content is translated into MIME canonical format (as
-required by the S/MIME specifications) if B<CMS_BINARY> is set no translation
-occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it. If B<CMS_BINARY> is set then
-B<CMS_TEXT> is ignored.
-
-If the B<CMS_STREAM> flag is set a partial B<CMS_ContentInfo> structure is
-returned suitable for streaming I/O: no data is read from the BIO B<in>.
-
-The compressed data is included in the CMS_ContentInfo structure, unless
-B<CMS_DETACHED> is set in which case it is omitted. This is rarely used in
-practice and is not supported by SMIME_write_CMS().
-
-=head1 NOTES
-
-If the flag B<CMS_STREAM> is set the returned B<CMS_ContentInfo> structure is
-B<not> complete and outputting its contents via a function that does not
-properly finalize the B<CMS_ContentInfo> structure will give unpredictable
-results.
-
-Several functions including SMIME_write_CMS(), i2d_CMS_bio_stream(),
-PEM_write_bio_CMS_stream() finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming ASN1 B<BIO> directly using
-BIO_new_CMS().
-
-Additional compression parameters such as the zlib compression level cannot
-currently be set.
-
-=head1 RETURN VALUES
-
-CMS_compress() returns either a CMS_ContentInfo structure or NULL if an error
-occurred. The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_uncompress(3)|CMS_uncompress(3)>
-
-=head1 HISTORY
-
-CMS_compress() was added to OpenSSL 0.9.8
-The B<CMS_STREAM> flag was first supported in OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/CMS_decrypt.pod b/doc/crypto/CMS_decrypt.pod
deleted file mode 100644
index 3fa9212af32c..000000000000
--- a/doc/crypto/CMS_decrypt.pod
+++ /dev/null
@@ -1,79 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_decrypt - decrypt content from a CMS envelopedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, BIO *dcont, BIO *out, unsigned int flags);
-
-=head1 DESCRIPTION
-
-CMS_decrypt() extracts and decrypts the content from a CMS EnvelopedData
-structure. B<pkey> is the private key of the recipient, B<cert> is the
-recipient's certificate, B<out> is a BIO to write the content to and
-B<flags> is an optional set of flags.
-
-The B<dcont> parameter is used in the rare case where the encrypted content
-is detached. It will normally be set to NULL.
-
-=head1 NOTES
-
-OpenSSL_add_all_algorithms() (or equivalent) should be called before using this
-function or errors about unknown algorithms will occur.
-
-Although the recipients certificate is not needed to decrypt the data it is
-needed to locate the appropriate (of possible several) recipients in the CMS
-structure.
-
-If B<cert> is set to NULL all possible recipients are tried. This case however
-is problematic. To thwart the MMA attack (Bleichenbacher's attack on
-PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or
-not. If no recipient succeeds then a random symmetric key is used to decrypt
-the content: this will typically output garbage and may (but is not guaranteed
-to) ultimately return a padding error only. If CMS_decrypt() just returned an
-error when all recipient encrypted keys failed to decrypt an attacker could
-use this in a timing attack. If the special flag B<CMS_DEBUG_DECRYPT> is set
-then the above behaviour is modified and an error B<is> returned if no
-recipient encrypted key can be decrypted B<without> generating a random
-content encryption key. Applications should use this flag with
-B<extreme caution> especially in automated gateways as it can leave them
-open to attack.
-
-It is possible to determine the correct recipient key by other means (for
-example looking them up in a database) and setting them in the CMS structure
-in advance using the CMS utility functions such as CMS_set1_pkey(). In this
-case both B<cert> and B<pkey> should be set to NULL.
-
-To process KEKRecipientInfo types CMS_set1_key() or CMS_RecipientInfo_set0_key()
-and CMS_ReceipientInfo_decrypt() should be called before CMS_decrypt() and
-B<cert> and B<pkey> set to NULL.
-
-The following flags can be passed in the B<flags> parameter.
-
-If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are deleted
-from the content. If the content is not of type B<text/plain> then an error is
-returned.
-
-=head1 RETURN VALUES
-
-CMS_decrypt() returns either 1 for success or 0 for failure.
-The error can be obtained from ERR_get_error(3)
-
-=head1 BUGS
-
-The lack of single pass processing and the need to hold all data in memory as
-mentioned in CMS_verify() also applies to CMS_decrypt().
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-
-=head1 HISTORY
-
-CMS_decrypt() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_encrypt.pod b/doc/crypto/CMS_encrypt.pod
deleted file mode 100644
index 1ee5b275ec82..000000000000
--- a/doc/crypto/CMS_encrypt.pod
+++ /dev/null
@@ -1,96 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_encrypt - create a CMS envelopedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags);
-
-=head1 DESCRIPTION
-
-CMS_encrypt() creates and returns a CMS EnvelopedData structure. B<certs>
-is a list of recipient certificates. B<in> is the content to be encrypted.
-B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-Only certificates carrying RSA keys are supported so the recipient certificates
-supplied to this function must all contain RSA public keys, though they do not
-have to be signed using the RSA algorithm.
-
-EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use
-because most clients will support it.
-
-The algorithm passed in the B<cipher> parameter must support ASN1 encoding of
-its parameters.
-
-Many browsers implement a "sign and encrypt" option which is simply an S/MIME
-envelopedData containing an S/MIME signed message. This can be readily produced
-by storing the S/MIME signed message in a memory BIO and passing it to
-CMS_encrypt().
-
-The following flags can be passed in the B<flags> parameter.
-
-If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are
-prepended to the data.
-
-Normally the supplied content is translated into MIME canonical format (as
-required by the S/MIME specifications) if B<CMS_BINARY> is set no translation
-occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it. If B<CMS_BINARY> is set then
-B<CMS_TEXT> is ignored.
-
-OpenSSL will by default identify recipient certificates using issuer name
-and serial number. If B<CMS_USE_KEYID> is set it will use the subject key
-identifier value instead. An error occurs if all recipient certificates do not
-have a subject key identifier extension.
-
-If the B<CMS_STREAM> flag is set a partial B<CMS_ContentInfo> structure is
-returned suitable for streaming I/O: no data is read from the BIO B<in>.
-
-If the B<CMS_PARTIAL> flag is set a partial B<CMS_ContentInfo> structure is
-returned to which additional recipients and attributes can be added before
-finalization.
-
-The data being encrypted is included in the CMS_ContentInfo structure, unless
-B<CMS_DETACHED> is set in which case it is omitted. This is rarely used in
-practice and is not supported by SMIME_write_CMS().
-
-=head1 NOTES
-
-If the flag B<CMS_STREAM> is set the returned B<CMS_ContentInfo> structure is
-B<not> complete and outputting its contents via a function that does not
-properly finalize the B<CMS_ContentInfo> structure will give unpredictable
-results.
-
-Several functions including SMIME_write_CMS(), i2d_CMS_bio_stream(),
-PEM_write_bio_CMS_stream() finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming ASN1 B<BIO> directly using
-BIO_new_CMS().
-
-The recipients specified in B<certs> use a CMS KeyTransRecipientInfo info
-structure. KEKRecipientInfo is also supported using the flag B<CMS_PARTIAL>
-and CMS_add0_recipient_key().
-
-The parameter B<certs> may be NULL if B<CMS_PARTIAL> is set and recipients
-added later using CMS_add1_recipient_cert() or CMS_add0_recipient_key().
-
-=head1 RETURN VALUES
-
-CMS_encrypt() returns either a CMS_ContentInfo structure or NULL if an error
-occurred. The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_decrypt(3)|CMS_decrypt(3)>
-
-=head1 HISTORY
-
-CMS_decrypt() was added to OpenSSL 0.9.8
-The B<CMS_STREAM> flag was first supported in OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/CMS_final.pod b/doc/crypto/CMS_final.pod
deleted file mode 100644
index 36cf96b8a0b7..000000000000
--- a/doc/crypto/CMS_final.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_final - finalise a CMS_ContentInfo structure
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags);
-
-=head1 DESCRIPTION
-
-CMS_final() finalises the structure B<cms>. It's purpose is to perform any
-operations necessary on B<cms> (digest computation for example) and set the
-appropriate fields. The parameter B<data> contains the content to be
-processed. The B<dcont> parameter contains a BIO to write content to after
-processing: this is only used with detached data and will usually be set to
-NULL.
-
-=head1 NOTES
-
-This function will normally be called when the B<CMS_PARTIAL> flag is used. It
-should only be used when streaming is not performed because the streaming
-I/O functions perform finalisation operations internally.
-
-=head1 RETURN VALUES
-
-CMS_final() returns 1 for success or 0 for failure.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_encrypt(3)|CMS_encrypt(3)>
-
-=head1 HISTORY
-
-CMS_final() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_get0_RecipientInfos.pod b/doc/crypto/CMS_get0_RecipientInfos.pod
deleted file mode 100644
index fe49772a86a6..000000000000
--- a/doc/crypto/CMS_get0_RecipientInfos.pod
+++ /dev/null
@@ -1,120 +0,0 @@
-=pod
-
-=head1 NAME
-
-CMS_get0_RecipientInfos, CMS_RecipientInfo_type, CMS_RecipientInfo_ktri_get0_signer_id,CMS_RecipientInfo_ktri_cert_cmp, CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id, CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key, CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt - CMS envelopedData RecipientInfo routines
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms);
- int CMS_RecipientInfo_type(CMS_RecipientInfo *ri);
-
- int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno);
- int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
- int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);
-
- int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg, ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate, ASN1_OBJECT **potherid, ASN1_TYPE **pothertype);
- int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, const unsigned char *id, size_t idlen);
- int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key, size_t keylen);
-
- int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
- int CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
-
-=head1 DESCRIPTION
-
-The function CMS_get0_RecipientInfos() returns all the CMS_RecipientInfo
-structures associated with a CMS EnvelopedData structure.
-
-CMS_RecipientInfo_type() returns the type of CMS_RecipientInfo structure B<ri>.
-It will currently return CMS_RECIPINFO_TRANS, CMS_RECIPINFO_AGREE,
-CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, or CMS_RECIPINFO_OTHER.
-
-CMS_RecipientInfo_ktri_get0_signer_id() retrieves the certificate recipient
-identifier associated with a specific CMS_RecipientInfo structure B<ri>, which
-must be of type CMS_RECIPINFO_TRANS. Either the keyidentifier will be set in
-B<keyid> or B<both> issuer name and serial number in B<issuer> and B<sno>.
-
-CMS_RecipientInfo_ktri_cert_cmp() compares the certificate B<cert> against the
-CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_TRANS.
-It returns zero if the comparison is successful and non zero if not.
-
-CMS_RecipientInfo_set0_pkey() associates the private key B<pkey> with
-the CMS_RecipientInfo structure B<ri>, which must be of type
-CMS_RECIPINFO_TRANS.
-
-CMS_RecipientInfo_kekri_get0_id() retrieves the key information from the
-CMS_RecipientInfo structure B<ri> which must be of type CMS_RECIPINFO_KEK. Any
-of the remaining parameters can be NULL if the application is not interested in
-the value of a field. Where a field is optional and absent NULL will be written
-to the corresponding parameter. The keyEncryptionAlgorithm field is written to
-B<palg>, the B<keyIdentifier> field is written to B<pid>, the B<date> field if
-present is written to B<pdate>, if the B<other> field is present the components
-B<keyAttrId> and B<keyAttr> are written to parameters B<potherid> and
-B<pothertype>.
-
-CMS_RecipientInfo_kekri_id_cmp() compares the ID in the B<id> and B<idlen>
-parameters against the B<keyIdentifier> CMS_RecipientInfo structure B<ri>,
-which must be of type CMS_RECIPINFO_KEK. It returns zero if the comparison is
-successful and non zero if not.
-
-CMS_RecipientInfo_set0_key() associates the symmetric key B<key> of length
-B<keylen> with the CMS_RecipientInfo structure B<ri>, which must be of type
-CMS_RECIPINFO_KEK.
-
-CMS_RecipientInfo_decrypt() attempts to decrypt CMS_RecipientInfo structure
-B<ri> in structure B<cms>. A key must have been associated with the structure
-first.
-
-CMS_RecipientInfo_encrypt() attempts to encrypt CMS_RecipientInfo structure
-B<ri> in structure B<cms>. A key must have been associated with the structure
-first and the content encryption key must be available: for example by a
-previous call to CMS_RecipientInfo_decrypt().
-
-=head1 NOTES
-
-The main purpose of these functions is to enable an application to lookup
-recipient keys using any appropriate technique when the simpler method
-of CMS_decrypt() is not appropriate.
-
-In typical usage and application will retrieve all CMS_RecipientInfo structures
-using CMS_get0_RecipientInfos() and check the type of each using
-CMS_RecpientInfo_type(). Depending on the type the CMS_RecipientInfo structure
-can be ignored or its key identifier data retrieved using an appropriate
-function. Then if the corresponding secret or private key can be obtained by
-any appropriate means it can then associated with the structure and
-CMS_RecpientInfo_decrypt() called. If successful CMS_decrypt() can be called
-with a NULL key to decrypt the enveloped content.
-
-The CMS_RecipientInfo_encrypt() can be used to add a new recipient to an
-existing enveloped data structure. Typically an application will first decrypt
-an appropriate CMS_RecipientInfo structure to make the content encrypt key
-available, it will then add a new recipient using a function such as
-CMS_add1_recipient_cert() and finally encrypt the content encryption key
-using CMS_RecipientInfo_encrypt().
-
-=head1 RETURN VALUES
-
-CMS_get0_RecipientInfos() returns all CMS_RecipientInfo structures, or NULL if
-an error occurs.
-
-CMS_RecipientInfo_ktri_get0_signer_id(), CMS_RecipientInfo_set0_pkey(),
-CMS_RecipientInfo_kekri_get0_id(), CMS_RecipientInfo_set0_key() and
-CMS_RecipientInfo_decrypt() return 1 for success or 0 if an error occurs.
-CMS_RecipientInfo_encrypt() return 1 for success or 0 if an error occurs.
-
-CMS_RecipientInfo_ktri_cert_cmp() and CMS_RecipientInfo_kekri_cmp() return 0
-for a successful comparison and non zero otherwise.
-
-Any error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_decrypt(3)|CMS_decrypt(3)>
-
-=head1 HISTORY
-
-These functions were first was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_get0_SignerInfos.pod b/doc/crypto/CMS_get0_SignerInfos.pod
deleted file mode 100644
index b46c0e07ab3d..000000000000
--- a/doc/crypto/CMS_get0_SignerInfos.pod
+++ /dev/null
@@ -1,81 +0,0 @@
-=pod
-
-=head1 NAME
-
-CMS_get0_SignerInfos, CMS_SignerInfo_get0_signer_id, CMS_SignerInfo_get0_signature, CMS_SignerInfo_cert_cmp, CMS_set1_signer_cert - CMS signedData signer functions.
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms);
-
- int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno);
- ASN1_OCTET_STRING *CMS_SignerInfo_get0_signature(CMS_SignerInfo *si);
- int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert);
- void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer);
-
-=head1 DESCRIPTION
-
-The function CMS_get0_SignerInfos() returns all the CMS_SignerInfo structures
-associated with a CMS signedData structure.
-
-CMS_SignerInfo_get0_signer_id() retrieves the certificate signer identifier
-associated with a specific CMS_SignerInfo structure B<si>. Either the
-keyidentifier will be set in B<keyid> or B<both> issuer name and serial number
-in B<issuer> and B<sno>.
-
-CMS_SignerInfo_get0_signature() retrieves the signature associated with
-B<si> in a pointer to an ASN1_OCTET_STRING structure. This pointer returned
-corresponds to the internal signature value if B<si> so it may be read or
-modified.
-
-CMS_SignerInfo_cert_cmp() compares the certificate B<cert> against the signer
-identifier B<si>. It returns zero if the comparison is successful and non zero
-if not.
-
-CMS_SignerInfo_set1_signer_cert() sets the signers certificate of B<si> to
-B<signer>.
-
-=head1 NOTES
-
-The main purpose of these functions is to enable an application to lookup
-signers certificates using any appropriate technique when the simpler method
-of CMS_verify() is not appropriate.
-
-In typical usage and application will retrieve all CMS_SignerInfo structures
-using CMS_get0_SignerInfo() and retrieve the identifier information using
-CMS. It will then obtain the signer certificate by some unspecified means
-(or return and error if it cannot be found) and set it using
-CMS_SignerInfo_set1_signer_cert().
-
-Once all signer certificates have been set CMS_verify() can be used.
-
-Although CMS_get0_SignerInfos() can return NULL is an error occur B<or> if
-there are no signers this is not a problem in practice because the only
-error which can occur is if the B<cms> structure is not of type signedData
-due to application error.
-
-=head1 RETURN VALUES
-
-CMS_get0_SignerInfos() returns all CMS_SignerInfo structures, or NULL there
-are no signers or an error occurs.
-
-CMS_SignerInfo_get0_signer_id() returns 1 for success and 0 for failure.
-
-CMS_SignerInfo_cert_cmp() returns 0 for a successful comparison and non
-zero otherwise.
-
-CMS_SignerInfo_set1_signer_cert() does not return a value.
-
-Any error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_verify(3)|CMS_verify(3)>
-
-=head1 HISTORY
-
-These functions were first was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_get0_type.pod b/doc/crypto/CMS_get0_type.pod
deleted file mode 100644
index 3ed92bdbbe93..000000000000
--- a/doc/crypto/CMS_get0_type.pod
+++ /dev/null
@@ -1,77 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content - get and set CMS content types and content
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- const ASN1_OBJECT *CMS_get0_type(CMS_ContentInfo *cms);
- int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid);
- const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms);
- ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms);
-
-=head1 DESCRIPTION
-
-CMS_get0_type() returns the content type of a CMS_ContentInfo structure as
-and ASN1_OBJECT pointer. An application can then decide how to process the
-CMS_ContentInfo structure based on this value.
-
-CMS_set1_eContentType() sets the embedded content type of a CMS_ContentInfo
-structure. It should be called with CMS functions with the B<CMS_PARTIAL>
-flag and B<before> the structure is finalised, otherwise the results are
-undefined.
-
-ASN1_OBJECT *CMS_get0_eContentType() returns a pointer to the embedded
-content type.
-
-CMS_get0_content() returns a pointer to the B<ASN1_OCTET_STRING> pointer
-containing the embedded content.
-
-=head1 NOTES
-
-As the B<0> implies CMS_get0_type(), CMS_get0_eContentType() and
-CMS_get0_content() return internal pointers which should B<not> be freed up.
-CMS_set1_eContentType() copies the supplied OID and it B<should> be freed up
-after use.
-
-The B<ASN1_OBJECT> values returned can be converted to an integer B<NID> value
-using OBJ_obj2nid(). For the currently supported content types the following
-values are returned:
-
- NID_pkcs7_data
- NID_pkcs7_signed
- NID_pkcs7_digest
- NID_id_smime_ct_compressedData:
- NID_pkcs7_encrypted
- NID_pkcs7_enveloped
-
-The return value of CMS_get0_content() is a pointer to the B<ASN1_OCTET_STRING>
-content pointer. That means that for example:
-
- ASN1_OCTET_STRING **pconf = CMS_get0_content(cms);
-
-B<*pconf> could be NULL if there is no embedded content. Applications can
-access, modify or create the embedded content in a B<CMS_ContentInfo> structure
-using this function. Applications usually will not need to modify the
-embedded content as it is normally set by higher level functions.
-
-=head1 RETURN VALUES
-
-CMS_get0_type() and CMS_get0_eContentType() return and ASN1_OBJECT structure.
-
-CMS_set1_eContentType() returns 1 for success or 0 if an error occurred. The
-error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-CMS_get0_type(), CMS_set1_eContentType() and CMS_get0_eContentType() were all
-first added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_get1_ReceiptRequest.pod b/doc/crypto/CMS_get1_ReceiptRequest.pod
deleted file mode 100644
index f546376a1e68..000000000000
--- a/doc/crypto/CMS_get1_ReceiptRequest.pod
+++ /dev/null
@@ -1,69 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values - CMS signed receipt request functions.
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst, STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo);
- int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr);
- int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr);
- void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid, int *pallorfirst, STACK_OF(GENERAL_NAMES) **plist, STACK_OF(GENERAL_NAMES) **prto);
-
-=head1 DESCRIPTION
-
-CMS_ReceiptRequest_create0() creates a signed receipt request structure. The
-B<signedContentIdentifier> field is set using B<id> and B<idlen>, or it is set
-to 32 bytes of pseudo random data if B<id> is NULL. If B<receiptList> is NULL
-the allOrFirstTier option in B<receiptsFrom> is used and set to the value of
-the B<allorfirst> parameter. If B<receiptList> is not NULL the B<receiptList>
-option in B<receiptsFrom> is used. The B<receiptsTo> parameter specifies the
-B<receiptsTo> field value.
-
-The CMS_add1_ReceiptRequest() function adds a signed receipt request B<rr>
-to SignerInfo structure B<si>.
-
-int CMS_get1_ReceiptRequest() looks for a signed receipt request in B<si>, if
-any is found it is decoded and written to B<prr>.
-
-CMS_ReceiptRequest_get0_values() retrieves the values of a receipt request.
-The signedContentIdentifier is copied to B<pcid>. If the B<allOrFirstTier>
-option of B<receiptsFrom> is used its value is copied to B<pallorfirst>
-otherwise the B<receiptList> field is copied to B<plist>. The B<receiptsTo>
-parameter is copied to B<prto>.
-
-=head1 NOTES
-
-For more details of the meaning of the fields see RFC2634.
-
-The contents of a signed receipt should only be considered meaningful if the
-corresponding CMS_ContentInfo structure can be successfully verified using
-CMS_verify().
-
-=head1 RETURN VALUES
-
-CMS_ReceiptRequest_create0() returns a signed receipt request structure or
-NULL if an error occurred.
-
-CMS_add1_ReceiptRequest() returns 1 for success or 0 is an error occurred.
-
-CMS_get1_ReceiptRequest() returns 1 is a signed receipt request is found and
-decoded. It returns 0 if a signed receipt request is not present and -1 if
-it is present but malformed.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_sign_receipt(3)|CMS_sign_receipt(3)>, L<CMS_verify(3)|CMS_verify(3)>
-L<CMS_verify_receipt(3)|CMS_verify_receipt(3)>
-
-=head1 HISTORY
-
-CMS_ReceiptRequest_create0(), CMS_add1_ReceiptRequest(),
-CMS_get1_ReceiptRequest() and CMS_ReceiptRequest_get0_values() were added to
-OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_sign.pod b/doc/crypto/CMS_sign.pod
deleted file mode 100644
index 2cc72de32720..000000000000
--- a/doc/crypto/CMS_sign.pod
+++ /dev/null
@@ -1,121 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_sign - create a CMS SignedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, unsigned int flags);
-
-=head1 DESCRIPTION
-
-CMS_sign() creates and returns a CMS SignedData structure. B<signcert> is
-the certificate to sign with, B<pkey> is the corresponding private key.
-B<certs> is an optional additional set of certificates to include in the CMS
-structure (for example any intermediate CAs in the chain). Any or all of
-these parameters can be B<NULL>, see B<NOTES> below.
-
-The data to be signed is read from BIO B<data>.
-
-B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-Any of the following flags (ored together) can be passed in the B<flags>
-parameter.
-
-Many S/MIME clients expect the signed content to include valid MIME headers. If
-the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are prepended
-to the data.
-
-If B<CMS_NOCERTS> is set the signer's certificate will not be included in the
-CMS_ContentInfo structure, the signer's certificate must still be supplied in
-the B<signcert> parameter though. This can reduce the size of the signature if
-the signers certificate can be obtained by other means: for example a
-previously signed message.
-
-The data being signed is included in the CMS_ContentInfo structure, unless
-B<CMS_DETACHED> is set in which case it is omitted. This is used for
-CMS_ContentInfo detached signatures which are used in S/MIME plaintext signed
-messages for example.
-
-Normally the supplied content is translated into MIME canonical format (as
-required by the S/MIME specifications) if B<CMS_BINARY> is set no translation
-occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it.
-
-The SignedData structure includes several CMS signedAttributes including the
-signing time, the CMS content type and the supported list of ciphers in an
-SMIMECapabilities attribute. If B<CMS_NOATTR> is set then no signedAttributes
-will be used. If B<CMS_NOSMIMECAP> is set then just the SMIMECapabilities are
-omitted.
-
-If present the SMIMECapabilities attribute indicates support for the following
-algorithms in preference order: 256 bit AES, Gost R3411-94, Gost 28147-89, 192
-bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2.
-If any of these algorithms is not available then it will not be included: for example the GOST algorithms will not be included if the GOST ENGINE is
-not loaded.
-
-OpenSSL will by default identify signing certificates using issuer name
-and serial number. If B<CMS_USE_KEYID> is set it will use the subject key
-identifier value instead. An error occurs if the signing certificate does not
-have a subject key identifier extension.
-
-If the flags B<CMS_STREAM> is set then the returned B<CMS_ContentInfo>
-structure is just initialized ready to perform the signing operation. The
-signing is however B<not> performed and the data to be signed is not read from
-the B<data> parameter. Signing is deferred until after the data has been
-written. In this way data can be signed in a single pass.
-
-If the B<CMS_PARTIAL> flag is set a partial B<CMS_ContentInfo> structure is
-output to which additional signers and capabilities can be added before
-finalization.
-
-If the flag B<CMS_STREAM> is set the returned B<CMS_ContentInfo> structure is
-B<not> complete and outputting its contents via a function that does not
-properly finalize the B<CMS_ContentInfo> structure will give unpredictable
-results.
-
-Several functions including SMIME_write_CMS(), i2d_CMS_bio_stream(),
-PEM_write_bio_CMS_stream() finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming ASN1 B<BIO> directly using
-BIO_new_CMS().
-
-If a signer is specified it will use the default digest for the signing
-algorithm. This is B<SHA1> for both RSA and DSA keys.
-
-If B<signcert> and B<pkey> are NULL then a certificates only CMS structure is
-output.
-
-The function CMS_sign() is a basic CMS signing function whose output will be
-suitable for many purposes. For finer control of the output format the
-B<certs>, B<signcert> and B<pkey> parameters can all be B<NULL> and the
-B<CMS_PARTIAL> flag set. Then one or more signers can be added using the
-function CMS_sign_add1_signer(), non default digests can be used and custom
-attributes added. B<CMS_final()> must then be called to finalize the
-structure if streaming is not enabled.
-
-=head1 BUGS
-
-Some attributes such as counter signatures are not supported.
-
-=head1 RETURN VALUES
-
-CMS_sign() returns either a valid CMS_ContentInfo structure or NULL if an error
-occurred. The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_verify(3)|CMS_verify(3)>
-
-=head1 HISTORY
-
-CMS_sign() was added to OpenSSL 0.9.8
-
-The B<CMS_STREAM> flag is only supported for detached data in OpenSSL 0.9.8,
-it is supported for embedded data in OpenSSL 1.0.0 and later.
-
-=cut
diff --git a/doc/crypto/CMS_sign_receipt.pod b/doc/crypto/CMS_sign_receipt.pod
deleted file mode 100644
index cae1f8338400..000000000000
--- a/doc/crypto/CMS_sign_receipt.pod
+++ /dev/null
@@ -1,45 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_sign_receipt - create a CMS signed receipt
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, unsigned int flags);
-
-=head1 DESCRIPTION
-
-CMS_sign_receipt() creates and returns a CMS signed receipt structure. B<si> is
-the B<CMS_SignerInfo> structure containing the signed receipt request.
-B<signcert> is the certificate to sign with, B<pkey> is the corresponding
-private key. B<certs> is an optional additional set of certificates to include
-in the CMS structure (for example any intermediate CAs in the chain).
-
-B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-This functions behaves in a similar way to CMS_sign() except the flag values
-B<CMS_DETACHED>, B<CMS_BINARY>, B<CMS_NOATTR>, B<CMS_TEXT> and B<CMS_STREAM>
-are not supported since they do not make sense in the context of signed
-receipts.
-
-=head1 RETURN VALUES
-
-CMS_sign_receipt() returns either a valid CMS_ContentInfo structure or NULL if
-an error occurred. The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<CMS_verify_receipt(3)|CMS_verify_receipt(3)>,
-L<CMS_sign(3)|CMS_sign(3)>
-
-=head1 HISTORY
-
-CMS_sign_receipt() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_uncompress.pod b/doc/crypto/CMS_uncompress.pod
deleted file mode 100644
index c6056b027da5..000000000000
--- a/doc/crypto/CMS_uncompress.pod
+++ /dev/null
@@ -1,54 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_uncompress - uncompress a CMS CompressedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- int CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags);
-
-=head1 DESCRIPTION
-
-CMS_uncompress() extracts and uncompresses the content from a CMS
-CompressedData structure B<cms>. B<data> is a BIO to write the content to and
-B<flags> is an optional set of flags.
-
-The B<dcont> parameter is used in the rare case where the compressed content
-is detached. It will normally be set to NULL.
-
-=head1 NOTES
-
-The only currently supported compression algorithm is zlib: if the structure
-indicates the use of any other algorithm an error is returned.
-
-If zlib support is not compiled into OpenSSL then CMS_uncompress() will always
-return an error.
-
-The following flags can be passed in the B<flags> parameter.
-
-If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are deleted
-from the content. If the content is not of type B<text/plain> then an error is
-returned.
-
-=head1 RETURN VALUES
-
-CMS_uncompress() returns either 1 for success or 0 for failure. The error can
-be obtained from ERR_get_error(3)
-
-=head1 BUGS
-
-The lack of single pass processing and the need to hold all data in memory as
-mentioned in CMS_verify() also applies to CMS_decompress().
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_compress(3)|CMS_compress(3)>
-
-=head1 HISTORY
-
-CMS_uncompress() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_verify.pod b/doc/crypto/CMS_verify.pod
deleted file mode 100644
index 7a2c1ee25154..000000000000
--- a/doc/crypto/CMS_verify.pod
+++ /dev/null
@@ -1,126 +0,0 @@
-=pod
-
-=head1 NAME
-
-CMS_verify, CMS_get0_signers - verify a CMS SignedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, unsigned int flags);
-
- STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms);
-
-=head1 DESCRIPTION
-
-CMS_verify() verifies a CMS SignedData structure. B<cms> is the CMS_ContentInfo
-structure to verify. B<certs> is a set of certificates in which to search for
-the signing certificate(s). B<store> is a trusted certificate store used for
-chain verification. B<indata> is the detached content if the content is not
-present in B<cms>. The content is written to B<out> if it is not NULL.
-
-B<flags> is an optional set of flags, which can be used to modify the verify
-operation.
-
-CMS_get0_signers() retrieves the signing certificate(s) from B<cms>, it must
-be called after a successful CMS_verify() operation.
-
-=head1 VERIFY PROCESS
-
-Normally the verify process proceeds as follows.
-
-Initially some sanity checks are performed on B<cms>. The type of B<cms> must
-be SignedData. There must be at least one signature on the data and if
-the content is detached B<indata> cannot be B<NULL>.
-
-An attempt is made to locate all the signing certificate(s), first looking in
-the B<certs> parameter (if it is not NULL) and then looking in any
-certificates contained in the B<cms> structure itself. If any signing
-certificate cannot be located the operation fails.
-
-Each signing certificate is chain verified using the B<smimesign> purpose and
-the supplied trusted certificate store. Any internal certificates in the message
-are used as untrusted CAs. If CRL checking is enabled in B<store> any internal
-CRLs are used in addition to attempting to look them up in B<store>. If any
-chain verify fails an error code is returned.
-
-Finally the signed content is read (and written to B<out> is it is not NULL)
-and the signature's checked.
-
-If all signature's verify correctly then the function is successful.
-
-Any of the following flags (ored together) can be passed in the B<flags>
-parameter to change the default verify behaviour.
-
-If B<CMS_NOINTERN> is set the certificates in the message itself are not
-searched when locating the signing certificate(s). This means that all the
-signing certificates must be in the B<certs> parameter.
-
-If B<CMS_NOCRL> is set and CRL checking is enabled in B<store> then any
-CRLs in the message itself are ignored.
-
-If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are deleted
-from the content. If the content is not of type B<text/plain> then an error is
-returned.
-
-If B<CMS_NO_SIGNER_CERT_VERIFY> is set the signing certificates are not
-verified.
-
-If B<CMS_NO_ATTR_VERIFY> is set the signed attributes signature is not
-verified.
-
-If B<CMS_NO_CONTENT_VERIFY> is set then the content digest is not checked.
-
-=head1 NOTES
-
-One application of B<CMS_NOINTERN> is to only accept messages signed by
-a small number of certificates. The acceptable certificates would be passed
-in the B<certs> parameter. In this case if the signer is not one of the
-certificates supplied in B<certs> then the verify will fail because the
-signer cannot be found.
-
-In some cases the standard techniques for looking up and validating
-certificates are not appropriate: for example an application may wish to
-lookup certificates in a database or perform customised verification. This
-can be achieved by setting and verifying the signers certificates manually
-using the signed data utility functions.
-
-Care should be taken when modifying the default verify behaviour, for example
-setting B<CMS_NO_CONTENT_VERIFY> will totally disable all content verification
-and any modified content will be considered valid. This combination is however
-useful if one merely wishes to write the content to B<out> and its validity
-is not considered important.
-
-Chain verification should arguably be performed using the signing time rather
-than the current time. However since the signing time is supplied by the
-signer it cannot be trusted without additional evidence (such as a trusted
-timestamp).
-
-=head1 RETURN VALUES
-
-CMS_verify() returns 1 for a successful verification and zero if an error
-occurred.
-
-CMS_get0_signers() returns all signers or NULL if an error occurred.
-
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 BUGS
-
-The trusted certificate store is not searched for the signing certificate,
-this is primarily due to the inadequacies of the current B<X509_STORE>
-functionality.
-
-The lack of single pass processing means that the signed content must all
-be held in memory if it is not detached.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>
-
-=head1 HISTORY
-
-CMS_verify() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CMS_verify_receipt.pod b/doc/crypto/CMS_verify_receipt.pod
deleted file mode 100644
index 9283e0e04b89..000000000000
--- a/doc/crypto/CMS_verify_receipt.pod
+++ /dev/null
@@ -1,47 +0,0 @@
-=pod
-
-=head1 NAME
-
- CMS_verify_receipt - verify a CMS signed receipt
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags);
-
-=head1 DESCRIPTION
-
-CMS_verify_receipt() verifies a CMS signed receipt. B<rcms> is the signed
-receipt to verify. B<ocms> is the original SignedData structure containing the
-receipt request. B<certs> is a set of certificates in which to search for the
-signing certificate. B<store> is a trusted certificate store (used for chain
-verification).
-
-B<flags> is an optional set of flags, which can be used to modify the verify
-operation.
-
-=head1 NOTES
-
-This functions behaves in a similar way to CMS_verify() except the flag values
-B<CMS_DETACHED>, B<CMS_BINARY>, B<CMS_TEXT> and B<CMS_STREAM> are not
-supported since they do not make sense in the context of signed receipts.
-
-=head1 RETURN VALUES
-
-CMS_verify_receipt() returns 1 for a successful verification and zero if an
-error occurred.
-
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<CMS_sign_receipt(3)|CMS_sign_receipt(3)>,
-L<CMS_verify(3)|CMS_verify(3)>,
-
-=head1 HISTORY
-
-CMS_verify_receipt() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/CONF_modules_free.pod b/doc/crypto/CONF_modules_free.pod
deleted file mode 100644
index 347020c5fe70..000000000000
--- a/doc/crypto/CONF_modules_free.pod
+++ /dev/null
@@ -1,47 +0,0 @@
-=pod
-
-=head1 NAME
-
- CONF_modules_free, CONF_modules_finish, CONF_modules_unload -
- OpenSSL configuration cleanup functions
-
-=head1 SYNOPSIS
-
- #include <openssl/conf.h>
-
- void CONF_modules_free(void);
- void CONF_modules_finish(void);
- void CONF_modules_unload(int all);
-
-=head1 DESCRIPTION
-
-CONF_modules_free() closes down and frees up all memory allocated by all
-configuration modules.
-
-CONF_modules_finish() calls each configuration modules B<finish> handler
-to free up any configuration that module may have performed.
-
-CONF_modules_unload() finishes and unloads configuration modules. If
-B<all> is set to B<0> only modules loaded from DSOs will be unloads. If
-B<all> is B<1> all modules, including builtin modules will be unloaded.
-
-=head1 NOTES
-
-Normally applications will only call CONF_modules_free() at application to
-tidy up any configuration performed.
-
-=head1 RETURN VALUE
-
-None of the functions return a value.
-
-=head1 SEE ALSO
-
-L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_modules_load_file(3)|CONF_modules_load_file(3)>
-
-=head1 HISTORY
-
-CONF_modules_free(), CONF_modules_unload(), and CONF_modules_finish()
-first appeared in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/CONF_modules_load_file.pod b/doc/crypto/CONF_modules_load_file.pod
deleted file mode 100644
index cc0b537b8ea5..000000000000
--- a/doc/crypto/CONF_modules_load_file.pod
+++ /dev/null
@@ -1,137 +0,0 @@
-=pod
-
-=head1 NAME
-
- CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions
-
-=head1 SYNOPSIS
-
- #include <openssl/conf.h>
-
- int CONF_modules_load_file(const char *filename, const char *appname,
- unsigned long flags);
- int CONF_modules_load(const CONF *cnf, const char *appname,
- unsigned long flags);
-
-=head1 DESCRIPTION
-
-The function CONF_modules_load_file() configures OpenSSL using file
-B<filename> and application name B<appname>. If B<filename> is NULL
-the standard OpenSSL configuration file is used. If B<appname> is
-NULL the standard OpenSSL application name B<openssl_conf> is used.
-The behaviour can be cutomized using B<flags>.
-
-CONF_modules_load() is idential to CONF_modules_load_file() except it
-reads configuration information from B<cnf>.
-
-=head1 NOTES
-
-The following B<flags> are currently recognized:
-
-B<CONF_MFLAGS_IGNORE_ERRORS> if set errors returned by individual
-configuration modules are ignored. If not set the first module error is
-considered fatal and no further modules are loaded.
-
-Normally any modules errors will add error information to the error queue. If
-B<CONF_MFLAGS_SILENT> is set no error information is added.
-
-If B<CONF_MFLAGS_NO_DSO> is set configuration module loading from DSOs is
-disabled.
-
-B<CONF_MFLAGS_IGNORE_MISSING_FILE> if set will make CONF_load_modules_file()
-ignore missing configuration files. Normally a missing configuration file
-return an error.
-
-B<CONF_MFLAGS_DEFAULT_SECTION> if set and B<appname> is not NULL will use the
-default section pointed to by B<openssl_conf> if B<appname> does not exist.
-
-Applications should call these functions after loading builtin modules using
-OPENSSL_load_builtin_modules(), any ENGINEs for example using
-ENGINE_load_builtin_engines(), any algorithms for example
-OPENSSL_add_all_algorithms() and (if the application uses libssl)
-SSL_library_init().
-
-By using CONF_modules_load_file() with appropriate flags an application can
-customise application configuration to best suit its needs. In some cases the
-use of a configuration file is optional and its absence is not an error: in
-this case B<CONF_MFLAGS_IGNORE_MISSING_FILE> would be set.
-
-Errors during configuration may also be handled differently by different
-applications. For example in some cases an error may simply print out a warning
-message and the application continue. In other cases an application might
-consider a configuration file error as fatal and exit immediately.
-
-Applications can use the CONF_modules_load() function if they wish to load a
-configuration file themselves and have finer control over how errors are
-treated.
-
-=head1 EXAMPLES
-
-Load a configuration file and print out any errors and exit (missing file
-considered fatal):
-
- if (CONF_modules_load_file(NULL, NULL, 0) <= 0) {
- fprintf(stderr, "FATAL: error loading configuration file\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
-Load default configuration file using the section indicated by "myapp",
-tolerate missing files, but exit on other errors:
-
- if (CONF_modules_load_file(NULL, "myapp",
- CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
- fprintf(stderr, "FATAL: error loading configuration file\n");
- ERR_print_errors_fp(stderr);
- exit(1);
- }
-
-Load custom configuration file and section, only print warnings on error,
-missing configuration file ignored:
-
- if (CONF_modules_load_file("/something/app.cnf", "myapp",
- CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
- fprintf(stderr, "WARNING: error loading configuration file\n");
- ERR_print_errors_fp(stderr);
- }
-
-Load and parse configuration file manually, custom error handling:
-
- FILE *fp;
- CONF *cnf = NULL;
- long eline;
- fp = fopen("/somepath/app.cnf", "r");
- if (fp == NULL) {
- fprintf(stderr, "Error opening configuration file\n");
- /* Other missing configuration file behaviour */
- } else {
- cnf = NCONF_new(NULL);
- if (NCONF_load_fp(cnf, fp, &eline) == 0) {
- fprintf(stderr, "Error on line %ld of configuration file\n", eline);
- ERR_print_errors_fp(stderr);
- /* Other malformed configuration file behaviour */
- } else if (CONF_modules_load(cnf, "appname", 0) <= 0) {
- fprintf(stderr, "Error configuring application\n");
- ERR_print_errors_fp(stderr);
- /* Other configuration error behaviour */
- }
- fclose(fp);
- NCONF_free(cnf);
- }
-
-=head1 RETURN VALUES
-
-These functions return 1 for success and a zero or negative value for
-failure. If module errors are not ignored the return code will reflect the
-return value of the failing module (this will always be zero or negative).
-
-=head1 SEE ALSO
-
-L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_free(3)|CONF_free(3)>, L<err(3)|err(3)>
-
-=head1 HISTORY
-
-CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/CRYPTO_set_ex_data.pod b/doc/crypto/CRYPTO_set_ex_data.pod
deleted file mode 100644
index 7409c02aac20..000000000000
--- a/doc/crypto/CRYPTO_set_ex_data.pod
+++ /dev/null
@@ -1,53 +0,0 @@
-=pod
-
-=head1 NAME
-
-CRYPTO_set_ex_data, CRYPTO_get_ex_data - internal application specific data functions
-
-=head1 SYNOPSIS
-
- #include <openssl/crypto.h>
-
- int CRYPTO_set_ex_data(CRYPTO_EX_DATA *r, int idx, void *arg);
-
- void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *r, int idx);
-
-=head1 DESCRIPTION
-
-Several OpenSSL structures can have application specific data attached to them.
-These functions are used internally by OpenSSL to manipulate application
-specific data attached to a specific structure.
-
-These functions should only be used by applications to manipulate
-B<CRYPTO_EX_DATA> structures passed to the B<new_func()>, B<free_func()> and
-B<dup_func()> callbacks: as passed to B<RSA_get_ex_new_index()> for example.
-
-B<CRYPTO_set_ex_data()> is used to set application specific data, the data is
-supplied in the B<arg> parameter and its precise meaning is up to the
-application.
-
-B<CRYPTO_get_ex_data()> is used to retrieve application specific data. The data
-is returned to the application, this will be the same value as supplied to
-a previous B<CRYPTO_set_ex_data()> call.
-
-=head1 RETURN VALUES
-
-B<CRYPTO_set_ex_data()> returns 1 on success or 0 on failure.
-
-B<CRYPTO_get_ex_data()> returns the application data or 0 on failure. 0 may also
-be valid application data but currently it can only fail if given an invalid B<idx>
-parameter.
-
-On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
-L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>
-
-=head1 HISTORY
-
-CRYPTO_set_ex_data() and CRYPTO_get_ex_data() have been available since SSLeay 0.9.0.
-
-=cut
diff --git a/doc/crypto/DH_generate_key.pod b/doc/crypto/DH_generate_key.pod
deleted file mode 100644
index 81f09fdf45ea..000000000000
--- a/doc/crypto/DH_generate_key.pod
+++ /dev/null
@@ -1,50 +0,0 @@
-=pod
-
-=head1 NAME
-
-DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange
-
-=head1 SYNOPSIS
-
- #include <openssl/dh.h>
-
- int DH_generate_key(DH *dh);
-
- int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
-
-=head1 DESCRIPTION
-
-DH_generate_key() performs the first step of a Diffie-Hellman key
-exchange by generating private and public DH values. By calling
-DH_compute_key(), these are combined with the other party's public
-value to compute the shared key.
-
-DH_generate_key() expects B<dh> to contain the shared parameters
-B<dh-E<gt>p> and B<dh-E<gt>g>. It generates a random private DH value
-unless B<dh-E<gt>priv_key> is already set, and computes the
-corresponding public value B<dh-E<gt>pub_key>, which can then be
-published.
-
-DH_compute_key() computes the shared secret from the private DH value
-in B<dh> and the other party's public value in B<pub_key> and stores
-it in B<key>. B<key> must point to B<DH_size(dh)> bytes of memory.
-
-=head1 RETURN VALUES
-
-DH_generate_key() returns 1 on success, 0 otherwise.
-
-DH_compute_key() returns the size of the shared secret on success, -1
-on error.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
-
-=head1 HISTORY
-
-DH_generate_key() and DH_compute_key() are available in all versions
-of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/DH_generate_parameters.pod b/doc/crypto/DH_generate_parameters.pod
deleted file mode 100644
index 7f81a04d915e..000000000000
--- a/doc/crypto/DH_generate_parameters.pod
+++ /dev/null
@@ -1,82 +0,0 @@
-=pod
-
-=head1 NAME
-
-
-DH_generate_parameters_ex, DH_generate_parameters,
-DH_check - generate and check Diffie-Hellman parameters
-
-=head1 SYNOPSIS
-
- #include <openssl/dh.h>
-
- int DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb);
-
- int DH_check(DH *dh, int *codes);
-
-Deprecated:
-
- DH *DH_generate_parameters(int prime_len, int generator,
- void (*callback)(int, int, void *), void *cb_arg);
-
-=head1 DESCRIPTION
-
-DH_generate_parameters_ex() generates Diffie-Hellman parameters that can
-be shared among a group of users, and stores them in the provided B<DH>
-structure. The pseudo-random number generator must be
-seeded prior to calling DH_generate_parameters().
-
-B<prime_len> is the length in bits of the safe prime to be generated.
-B<generator> is a small number E<gt> 1, typically 2 or 5.
-
-A callback function may be used to provide feedback about the progress
-of the key generation. If B<cb> is not B<NULL>, it will be
-called as described in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime
-number is generated, and when a prime has been found, B<BN_GENCB_call(cb, 3, 0)>
-is called. See L<BN_generate_prime(3)|BN_generate_prime(3)> for information on
-the BN_GENCB_call() function.
-
-DH_check() validates Diffie-Hellman parameters. It checks that B<p> is
-a safe prime, and that B<g> is a suitable generator. In the case of an
-error, the bit flags DH_CHECK_P_NOT_SAFE_PRIME or
-DH_NOT_SUITABLE_GENERATOR are set in B<*codes>.
-DH_UNABLE_TO_CHECK_GENERATOR is set if the generator cannot be
-checked, i.e. it does not equal 2 or 5.
-
-=head1 RETURN VALUES
-
-DH_generate_parameters_ex() and DH_check() return 1 if the check could be
-performed, 0 otherwise.
-
-DH_generate_parameters() (deprecated) returns a pointer to the DH structure, or
-NULL if the parameter generation fails.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 NOTES
-
-DH_generate_parameters_ex() and DH_generate_parameters() may run for several
-hours before finding a suitable prime.
-
-The parameters generated by DH_generate_parameters_ex() and DH_generate_parameters()
-are not to be used in signature schemes.
-
-=head1 BUGS
-
-If B<generator> is not 2 or 5, B<dh-E<gt>g>=B<generator> is not
-a usable generator.
-
-=head1 SEE ALSO
-
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DH_free(3)|DH_free(3)>
-
-=head1 HISTORY
-
-DH_check() is available in all versions of SSLeay and OpenSSL.
-The B<cb_arg> argument to DH_generate_parameters() was added in SSLeay 0.9.0.
-
-In versions before OpenSSL 0.9.5, DH_CHECK_P_NOT_STRONG_PRIME is used
-instead of DH_CHECK_P_NOT_SAFE_PRIME.
-
-=cut
diff --git a/doc/crypto/DH_get_ex_new_index.pod b/doc/crypto/DH_get_ex_new_index.pod
deleted file mode 100644
index fa5eab26502a..000000000000
--- a/doc/crypto/DH_get_ex_new_index.pod
+++ /dev/null
@@ -1,36 +0,0 @@
-=pod
-
-=head1 NAME
-
-DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific data to DH structures
-
-=head1 SYNOPSIS
-
- #include <openssl/dh.h>
-
- int DH_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
-
- int DH_set_ex_data(DH *d, int idx, void *arg);
-
- char *DH_get_ex_data(DH *d, int idx);
-
-=head1 DESCRIPTION
-
-These functions handle application specific data in DH
-structures. Their usage is identical to that of
-RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
-as described in L<RSA_get_ex_new_index(3)>.
-
-=head1 SEE ALSO
-
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dh(3)|dh(3)>
-
-=head1 HISTORY
-
-DH_get_ex_new_index(), DH_set_ex_data() and DH_get_ex_data() are
-available since OpenSSL 0.9.5.
-
-=cut
diff --git a/doc/crypto/DH_new.pod b/doc/crypto/DH_new.pod
deleted file mode 100644
index 60c930093e02..000000000000
--- a/doc/crypto/DH_new.pod
+++ /dev/null
@@ -1,40 +0,0 @@
-=pod
-
-=head1 NAME
-
-DH_new, DH_free - allocate and free DH objects
-
-=head1 SYNOPSIS
-
- #include <openssl/dh.h>
-
- DH* DH_new(void);
-
- void DH_free(DH *dh);
-
-=head1 DESCRIPTION
-
-DH_new() allocates and initializes a B<DH> structure.
-
-DH_free() frees the B<DH> structure and its components. The values are
-erased before the memory is returned to the system.
-
-=head1 RETURN VALUES
-
-If the allocation fails, DH_new() returns B<NULL> and sets an error
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
-a pointer to the newly allocated structure.
-
-DH_free() returns no value.
-
-=head1 SEE ALSO
-
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
-L<DH_generate_key(3)|DH_generate_key(3)>
-
-=head1 HISTORY
-
-DH_new() and DH_free() are available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/DH_set_method.pod b/doc/crypto/DH_set_method.pod
deleted file mode 100644
index d5cdc3be0ce6..000000000000
--- a/doc/crypto/DH_set_method.pod
+++ /dev/null
@@ -1,129 +0,0 @@
-=pod
-
-=head1 NAME
-
-DH_set_default_method, DH_get_default_method,
-DH_set_method, DH_new_method, DH_OpenSSL - select DH method
-
-=head1 SYNOPSIS
-
- #include <openssl/dh.h>
- #include <openssl/engine.h>
-
- void DH_set_default_method(const DH_METHOD *meth);
-
- const DH_METHOD *DH_get_default_method(void);
-
- int DH_set_method(DH *dh, const DH_METHOD *meth);
-
- DH *DH_new_method(ENGINE *engine);
-
- const DH_METHOD *DH_OpenSSL(void);
-
-=head1 DESCRIPTION
-
-A B<DH_METHOD> specifies the functions that OpenSSL uses for Diffie-Hellman
-operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
-important information about how these DH API functions are affected by the use
-of B<ENGINE> API calls.
-
-Initially, the default DH_METHOD is the OpenSSL internal implementation, as
-returned by DH_OpenSSL().
-
-DH_set_default_method() makes B<meth> the default method for all DH
-structures created later. B<NB>: This is true only whilst no ENGINE has been set
-as a default for DH, so this function is no longer recommended.
-
-DH_get_default_method() returns a pointer to the current default DH_METHOD.
-However, the meaningfulness of this result is dependent on whether the ENGINE
-API is being used, so this function is no longer recommended.
-
-DH_set_method() selects B<meth> to perform all operations using the key B<dh>.
-This will replace the DH_METHOD used by the DH key and if the previous method
-was supplied by an ENGINE, the handle to that ENGINE will be released during the
-change. It is possible to have DH keys that only work with certain DH_METHOD
-implementations (eg. from an ENGINE module that supports embedded
-hardware-protected keys), and in such cases attempting to change the DH_METHOD
-for the key can have unexpected results.
-
-DH_new_method() allocates and initializes a DH structure so that B<engine> will
-be used for the DH operations. If B<engine> is NULL, the default ENGINE for DH
-operations is used, and if no default ENGINE is set, the DH_METHOD controlled by
-DH_set_default_method() is used.
-
-=head1 THE DH_METHOD STRUCTURE
-
- typedef struct dh_meth_st
- {
- /* name of the implementation */
- const char *name;
-
- /* generate private and public DH values for key agreement */
- int (*generate_key)(DH *dh);
-
- /* compute shared secret */
- int (*compute_key)(unsigned char *key, BIGNUM *pub_key, DH *dh);
-
- /* compute r = a ^ p mod m (May be NULL for some implementations) */
- int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *m_ctx);
-
- /* called at DH_new */
- int (*init)(DH *dh);
-
- /* called at DH_free */
- int (*finish)(DH *dh);
-
- int flags;
-
- char *app_data; /* ?? */
-
- } DH_METHOD;
-
-=head1 RETURN VALUES
-
-DH_OpenSSL() and DH_get_default_method() return pointers to the respective
-B<DH_METHOD>s.
-
-DH_set_default_method() returns no value.
-
-DH_set_method() returns non-zero if the provided B<meth> was successfully set as
-the method for B<dh> (including unloading the ENGINE handle if the previous
-method was supplied by an ENGINE).
-
-DH_new_method() returns NULL and sets an error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
-returns a pointer to the newly allocated structure.
-
-=head1 NOTES
-
-As of version 0.9.7, DH_METHOD implementations are grouped together with other
-algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
-default ENGINE is specified for DH functionality using an ENGINE API function,
-that will override any DH defaults set using the DH API (ie.
-DH_set_default_method()). For this reason, the ENGINE API is the recommended way
-to control default implementations for use in DH and other cryptographic
-algorithms.
-
-=head1 SEE ALSO
-
-L<dh(3)|dh(3)>, L<DH_new(3)|DH_new(3)>
-
-=head1 HISTORY
-
-DH_set_default_method(), DH_get_default_method(), DH_set_method(),
-DH_new_method() and DH_OpenSSL() were added in OpenSSL 0.9.4.
-
-DH_set_default_openssl_method() and DH_get_default_openssl_method() replaced
-DH_set_default_method() and DH_get_default_method() respectively, and
-DH_set_method() and DH_new_method() were altered to use B<ENGINE>s rather than
-B<DH_METHOD>s during development of the engine version of OpenSSL 0.9.6. For
-0.9.7, the handling of defaults in the ENGINE API was restructured so that this
-change was reversed, and behaviour of the other functions resembled more closely
-the previous behaviour. The behaviour of defaults in the ENGINE API now
-transparently overrides the behaviour of defaults in the DH API without
-requiring changing these function prototypes.
-
-=cut
diff --git a/doc/crypto/DH_size.pod b/doc/crypto/DH_size.pod
deleted file mode 100644
index 97f26fda7855..000000000000
--- a/doc/crypto/DH_size.pod
+++ /dev/null
@@ -1,33 +0,0 @@
-=pod
-
-=head1 NAME
-
-DH_size - get Diffie-Hellman prime size
-
-=head1 SYNOPSIS
-
- #include <openssl/dh.h>
-
- int DH_size(DH *dh);
-
-=head1 DESCRIPTION
-
-This function returns the Diffie-Hellman size in bytes. It can be used
-to determine how much memory must be allocated for the shared secret
-computed by DH_compute_key().
-
-B<dh-E<gt>p> must not be B<NULL>.
-
-=head1 RETURN VALUE
-
-The size in bytes.
-
-=head1 SEE ALSO
-
-L<dh(3)|dh(3)>, L<DH_generate_key(3)|DH_generate_key(3)>
-
-=head1 HISTORY
-
-DH_size() is available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/DSA_SIG_new.pod b/doc/crypto/DSA_SIG_new.pod
deleted file mode 100644
index 3ac614003816..000000000000
--- a/doc/crypto/DSA_SIG_new.pod
+++ /dev/null
@@ -1,40 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_SIG_new, DSA_SIG_free - allocate and free DSA signature objects
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- DSA_SIG *DSA_SIG_new(void);
-
- void DSA_SIG_free(DSA_SIG *a);
-
-=head1 DESCRIPTION
-
-DSA_SIG_new() allocates and initializes a B<DSA_SIG> structure.
-
-DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The
-values are erased before the memory is returned to the system.
-
-=head1 RETURN VALUES
-
-If the allocation fails, DSA_SIG_new() returns B<NULL> and sets an
-error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
-to the newly allocated structure.
-
-DSA_SIG_free() returns no value.
-
-=head1 SEE ALSO
-
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DSA_do_sign(3)|DSA_do_sign(3)>
-
-=head1 HISTORY
-
-DSA_SIG_new() and DSA_SIG_free() were added in OpenSSL 0.9.3.
-
-=cut
diff --git a/doc/crypto/DSA_do_sign.pod b/doc/crypto/DSA_do_sign.pod
deleted file mode 100644
index 5dfc733b20e2..000000000000
--- a/doc/crypto/DSA_do_sign.pod
+++ /dev/null
@@ -1,47 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_do_sign, DSA_do_verify - raw DSA signature operations
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
-
- int DSA_do_verify(const unsigned char *dgst, int dgst_len,
- DSA_SIG *sig, DSA *dsa);
-
-=head1 DESCRIPTION
-
-DSA_do_sign() computes a digital signature on the B<len> byte message
-digest B<dgst> using the private key B<dsa> and returns it in a
-newly allocated B<DSA_SIG> structure.
-
-L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part
-of the signing operation in case signature generation is
-time-critical.
-
-DSA_do_verify() verifies that the signature B<sig> matches a given
-message digest B<dgst> of size B<len>. B<dsa> is the signer's public
-key.
-
-=head1 RETURN VALUES
-
-DSA_do_sign() returns the signature, NULL on error. DSA_do_verify()
-returns 1 for a valid signature, 0 for an incorrect signature and -1
-on error. The error codes can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_SIG_new(3)|DSA_SIG_new(3)>,
-L<DSA_sign(3)|DSA_sign(3)>
-
-=head1 HISTORY
-
-DSA_do_sign() and DSA_do_verify() were added in OpenSSL 0.9.3.
-
-=cut
diff --git a/doc/crypto/DSA_dup_DH.pod b/doc/crypto/DSA_dup_DH.pod
deleted file mode 100644
index 7f6f0d1115ad..000000000000
--- a/doc/crypto/DSA_dup_DH.pod
+++ /dev/null
@@ -1,36 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_dup_DH - create a DH structure out of DSA structure
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- DH * DSA_dup_DH(const DSA *r);
-
-=head1 DESCRIPTION
-
-DSA_dup_DH() duplicates DSA parameters/keys as DH parameters/keys. q
-is lost during that conversion, but the resulting DH parameters
-contain its length.
-
-=head1 RETURN VALUE
-
-DSA_dup_DH() returns the new B<DH> structure, and NULL on error. The
-error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 NOTE
-
-Be careful to avoid small subgroup attacks when using this.
-
-=head1 SEE ALSO
-
-L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-DSA_dup_DH() was added in OpenSSL 0.9.4.
-
-=cut
diff --git a/doc/crypto/DSA_generate_key.pod b/doc/crypto/DSA_generate_key.pod
deleted file mode 100644
index af83ccfaa16b..000000000000
--- a/doc/crypto/DSA_generate_key.pod
+++ /dev/null
@@ -1,34 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_generate_key - generate DSA key pair
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- int DSA_generate_key(DSA *a);
-
-=head1 DESCRIPTION
-
-DSA_generate_key() expects B<a> to contain DSA parameters. It generates
-a new key pair and stores it in B<a-E<gt>pub_key> and B<a-E<gt>priv_key>.
-
-The PRNG must be seeded prior to calling DSA_generate_key().
-
-=head1 RETURN VALUE
-
-DSA_generate_key() returns 1 on success, 0 otherwise.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
-
-=head1 HISTORY
-
-DSA_generate_key() is available since SSLeay 0.8.
-
-=cut
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
deleted file mode 100644
index b1a4d201b75c..000000000000
--- a/doc/crypto/DSA_generate_parameters.pod
+++ /dev/null
@@ -1,121 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_generate_parameters_ex, DSA_generate_parameters - generate DSA parameters
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- int DSA_generate_parameters_ex(DSA *dsa, int bits,
- const unsigned char *seed,int seed_len,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
-
-Deprecated:
-
- DSA *DSA_generate_parameters(int bits, unsigned char *seed,
- int seed_len, int *counter_ret, unsigned long *h_ret,
- void (*callback)(int, int, void *), void *cb_arg);
-
-=head1 DESCRIPTION
-
-DSA_generate_parameters_ex() generates primes p and q and a generator g
-for use in the DSA and stores the result in B<dsa>.
-
-B<bits> is the length of the prime to be generated; the DSS allows a
-maximum of 1024 bits.
-
-If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
-generated at random. Otherwise, the seed is used to generate
-them. If the given seed does not yield a prime q, a new random
-seed is chosen.
-
-DSA_generate_parameters_ex() places the iteration count in
-*B<counter_ret> and a counter used for finding a generator in
-*B<h_ret>, unless these are B<NULL>.
-
-A callback function may be used to provide feedback about the progress
-of the key generation. If B<cb> is not B<NULL>, it will be
-called as shown below. For information on the BN_GENCB structure and the
-BN_GENCB_call function discussed below, refer to
-L<BN_generate_prime(3)|BN_generate_prime(3)>.
-
-=over 4
-
-=item *
-
-When a candidate for q is generated, B<BN_GENCB_call(cb, 0, m++)> is called
-(m is 0 for the first candidate).
-
-=item *
-
-When a candidate for q has passed a test by trial division,
-B<BN_GENCB_call(cb, 1, -1)> is called.
-While a candidate for q is tested by Miller-Rabin primality tests,
-B<BN_GENCB_call(cb, 1, i)> is called in the outer loop
-(once for each witness that confirms that the candidate may be prime);
-i is the loop counter (starting at 0).
-
-=item *
-
-When a prime q has been found, B<BN_GENCB_call(cb, 2, 0)> and
-B<BN_GENCB_call(cb, 3, 0)> are called.
-
-=item *
-
-Before a candidate for p (other than the first) is generated and tested,
-B<BN_GENCB_call(cb, 0, counter)> is called.
-
-=item *
-
-When a candidate for p has passed the test by trial division,
-B<BN_GENCB_call(cb, 1, -1)> is called.
-While it is tested by the Miller-Rabin primality test,
-B<BN_GENCB_call(cb, 1, i)> is called in the outer loop
-(once for each witness that confirms that the candidate may be prime).
-i is the loop counter (starting at 0).
-
-=item *
-
-When p has been found, B<BN_GENCB_call(cb, 2, 1)> is called.
-
-=item *
-
-When the generator has been found, B<BN_GENCB_call(cb, 3, 1)> is called.
-
-=back
-
-DSA_generate_parameters() (deprecated) works in much the same way as for DSA_generate_parameters_ex, except that no B<dsa> parameter is passed and
-instead a newly allocated B<DSA> structure is returned. Additionally "old
-style" callbacks are used instead of the newer BN_GENCB based approach.
-Refer to L<BN_generate_prime(3)|BN_generate_prime(3)> for further information.
-
-=head1 RETURN VALUE
-
-DSA_generate_parameters_ex() returns a 1 on success, or 0 otherwise.
-
-DSA_generate_parameters() returns a pointer to the DSA structure, or
-B<NULL> if the parameter generation fails.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 BUGS
-
-Seed lengths E<gt> 20 are not supported.
-
-=head1 SEE ALSO
-
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_free(3)|DSA_free(3)>, L<BN_generate_prime(3)|BN_generate_prime(3)>
-
-=head1 HISTORY
-
-DSA_generate_parameters() appeared in SSLeay 0.8. The B<cb_arg>
-argument was added in SSLeay 0.9.0.
-In versions up to OpenSSL 0.9.4, B<callback(1, ...)> was called
-in the inner loop of the Miller-Rabin test whenever it reached the
-squaring step (the parameters to B<callback> did not reveal how many
-witnesses had been tested); since OpenSSL 0.9.5, B<callback(1, ...)>
-is called as in BN_is_prime(3), i.e. once for each witness.
-=cut
diff --git a/doc/crypto/DSA_get_ex_new_index.pod b/doc/crypto/DSA_get_ex_new_index.pod
deleted file mode 100644
index fb6efc118269..000000000000
--- a/doc/crypto/DSA_get_ex_new_index.pod
+++ /dev/null
@@ -1,36 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application specific data to DSA structures
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- int DSA_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
-
- int DSA_set_ex_data(DSA *d, int idx, void *arg);
-
- char *DSA_get_ex_data(DSA *d, int idx);
-
-=head1 DESCRIPTION
-
-These functions handle application specific data in DSA
-structures. Their usage is identical to that of
-RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data()
-as described in L<RSA_get_ex_new_index(3)>.
-
-=head1 SEE ALSO
-
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dsa(3)|dsa(3)>
-
-=head1 HISTORY
-
-DSA_get_ex_new_index(), DSA_set_ex_data() and DSA_get_ex_data() are
-available since OpenSSL 0.9.5.
-
-=cut
diff --git a/doc/crypto/DSA_new.pod b/doc/crypto/DSA_new.pod
deleted file mode 100644
index 48e9b82a09c8..000000000000
--- a/doc/crypto/DSA_new.pod
+++ /dev/null
@@ -1,42 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_new, DSA_free - allocate and free DSA objects
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- DSA* DSA_new(void);
-
- void DSA_free(DSA *dsa);
-
-=head1 DESCRIPTION
-
-DSA_new() allocates and initializes a B<DSA> structure. It is equivalent to
-calling DSA_new_method(NULL).
-
-DSA_free() frees the B<DSA> structure and its components. The values are
-erased before the memory is returned to the system.
-
-=head1 RETURN VALUES
-
-If the allocation fails, DSA_new() returns B<NULL> and sets an error
-code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
-to the newly allocated structure.
-
-DSA_free() returns no value.
-
-=head1 SEE ALSO
-
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
-L<DSA_generate_key(3)|DSA_generate_key(3)>
-
-=head1 HISTORY
-
-DSA_new() and DSA_free() are available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/DSA_set_method.pod b/doc/crypto/DSA_set_method.pod
deleted file mode 100644
index 9c1434bd8d42..000000000000
--- a/doc/crypto/DSA_set_method.pod
+++ /dev/null
@@ -1,143 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_set_default_method, DSA_get_default_method,
-DSA_set_method, DSA_new_method, DSA_OpenSSL - select DSA method
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
- #include <openssl/engine.h>
-
- void DSA_set_default_method(const DSA_METHOD *meth);
-
- const DSA_METHOD *DSA_get_default_method(void);
-
- int DSA_set_method(DSA *dsa, const DSA_METHOD *meth);
-
- DSA *DSA_new_method(ENGINE *engine);
-
- DSA_METHOD *DSA_OpenSSL(void);
-
-=head1 DESCRIPTION
-
-A B<DSA_METHOD> specifies the functions that OpenSSL uses for DSA
-operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
-important information about how these DSA API functions are affected by the use
-of B<ENGINE> API calls.
-
-Initially, the default DSA_METHOD is the OpenSSL internal implementation,
-as returned by DSA_OpenSSL().
-
-DSA_set_default_method() makes B<meth> the default method for all DSA
-structures created later. B<NB>: This is true only whilst no ENGINE has
-been set as a default for DSA, so this function is no longer recommended.
-
-DSA_get_default_method() returns a pointer to the current default
-DSA_METHOD. However, the meaningfulness of this result is dependent on
-whether the ENGINE API is being used, so this function is no longer
-recommended.
-
-DSA_set_method() selects B<meth> to perform all operations using the key
-B<rsa>. This will replace the DSA_METHOD used by the DSA key and if the
-previous method was supplied by an ENGINE, the handle to that ENGINE will
-be released during the change. It is possible to have DSA keys that only
-work with certain DSA_METHOD implementations (eg. from an ENGINE module
-that supports embedded hardware-protected keys), and in such cases
-attempting to change the DSA_METHOD for the key can have unexpected
-results.
-
-DSA_new_method() allocates and initializes a DSA structure so that B<engine>
-will be used for the DSA operations. If B<engine> is NULL, the default engine
-for DSA operations is used, and if no default ENGINE is set, the DSA_METHOD
-controlled by DSA_set_default_method() is used.
-
-=head1 THE DSA_METHOD STRUCTURE
-
-struct
- {
- /* name of the implementation */
- const char *name;
-
- /* sign */
- DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen,
- DSA *dsa);
-
- /* pre-compute k^-1 and r */
- int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- BIGNUM **rp);
-
- /* verify */
- int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
- DSA_SIG *sig, DSA *dsa);
-
- /* compute rr = a1^p1 * a2^p2 mod m (May be NULL for some
- implementations) */
- int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1,
- BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
- BN_CTX *ctx, BN_MONT_CTX *in_mont);
-
- /* compute r = a ^ p mod m (May be NULL for some implementations) */
- int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a,
- const BIGNUM *p, const BIGNUM *m,
- BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-
- /* called at DSA_new */
- int (*init)(DSA *DSA);
-
- /* called at DSA_free */
- int (*finish)(DSA *DSA);
-
- int flags;
-
- char *app_data; /* ?? */
-
- } DSA_METHOD;
-
-=head1 RETURN VALUES
-
-DSA_OpenSSL() and DSA_get_default_method() return pointers to the respective
-B<DSA_METHOD>s.
-
-DSA_set_default_method() returns no value.
-
-DSA_set_method() returns non-zero if the provided B<meth> was successfully set as
-the method for B<dsa> (including unloading the ENGINE handle if the previous
-method was supplied by an ENGINE).
-
-DSA_new_method() returns NULL and sets an error code that can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation
-fails. Otherwise it returns a pointer to the newly allocated structure.
-
-=head1 NOTES
-
-As of version 0.9.7, DSA_METHOD implementations are grouped together with other
-algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
-default ENGINE is specified for DSA functionality using an ENGINE API function,
-that will override any DSA defaults set using the DSA API (ie.
-DSA_set_default_method()). For this reason, the ENGINE API is the recommended way
-to control default implementations for use in DSA and other cryptographic
-algorithms.
-
-=head1 SEE ALSO
-
-L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
-
-=head1 HISTORY
-
-DSA_set_default_method(), DSA_get_default_method(), DSA_set_method(),
-DSA_new_method() and DSA_OpenSSL() were added in OpenSSL 0.9.4.
-
-DSA_set_default_openssl_method() and DSA_get_default_openssl_method() replaced
-DSA_set_default_method() and DSA_get_default_method() respectively, and
-DSA_set_method() and DSA_new_method() were altered to use B<ENGINE>s rather than
-B<DSA_METHOD>s during development of the engine version of OpenSSL 0.9.6. For
-0.9.7, the handling of defaults in the ENGINE API was restructured so that this
-change was reversed, and behaviour of the other functions resembled more closely
-the previous behaviour. The behaviour of defaults in the ENGINE API now
-transparently overrides the behaviour of defaults in the DSA API without
-requiring changing these function prototypes.
-
-=cut
diff --git a/doc/crypto/DSA_sign.pod b/doc/crypto/DSA_sign.pod
deleted file mode 100644
index 97389e8ec885..000000000000
--- a/doc/crypto/DSA_sign.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_sign, DSA_sign_setup, DSA_verify - DSA signatures
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- int DSA_sign(int type, const unsigned char *dgst, int len,
- unsigned char *sigret, unsigned int *siglen, DSA *dsa);
-
- int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp,
- BIGNUM **rp);
-
- int DSA_verify(int type, const unsigned char *dgst, int len,
- unsigned char *sigbuf, int siglen, DSA *dsa);
-
-=head1 DESCRIPTION
-
-DSA_sign() computes a digital signature on the B<len> byte message
-digest B<dgst> using the private key B<dsa> and places its ASN.1 DER
-encoding at B<sigret>. The length of the signature is places in
-*B<siglen>. B<sigret> must point to DSA_size(B<dsa>) bytes of memory.
-
-DSA_sign_setup() may be used to precompute part of the signing
-operation in case signature generation is time-critical. It expects
-B<dsa> to contain DSA parameters. It places the precomputed values
-in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing
-the old ones unless *B<kinvp> and *B<rp> are NULL. These values may
-be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>.
-B<ctx> is a pre-allocated B<BN_CTX> or NULL.
-
-DSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
-matches a given message digest B<dgst> of size B<len>.
-B<dsa> is the signer's public key.
-
-The B<type> parameter is ignored.
-
-The PRNG must be seeded before DSA_sign() (or DSA_sign_setup())
-is called.
-
-=head1 RETURN VALUES
-
-DSA_sign() and DSA_sign_setup() return 1 on success, 0 on error.
-DSA_verify() returns 1 for a valid signature, 0 for an incorrect
-signature and -1 on error. The error codes can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 CONFORMING TO
-
-US Federal Information Processing Standard FIPS 186 (Digital Signature
-Standard, DSS), ANSI X9.30
-
-=head1 SEE ALSO
-
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_do_sign(3)|DSA_do_sign(3)>
-
-=head1 HISTORY
-
-DSA_sign() and DSA_verify() are available in all versions of SSLeay.
-DSA_sign_setup() was added in SSLeay 0.8.
-
-=cut
diff --git a/doc/crypto/DSA_size.pod b/doc/crypto/DSA_size.pod
deleted file mode 100644
index ba4f650361c3..000000000000
--- a/doc/crypto/DSA_size.pod
+++ /dev/null
@@ -1,33 +0,0 @@
-=pod
-
-=head1 NAME
-
-DSA_size - get DSA signature size
-
-=head1 SYNOPSIS
-
- #include <openssl/dsa.h>
-
- int DSA_size(const DSA *dsa);
-
-=head1 DESCRIPTION
-
-This function returns the size of an ASN.1 encoded DSA signature in
-bytes. It can be used to determine how much memory must be allocated
-for a DSA signature.
-
-B<dsa-E<gt>q> must not be B<NULL>.
-
-=head1 RETURN VALUE
-
-The size in bytes.
-
-=head1 SEE ALSO
-
-L<dsa(3)|dsa(3)>, L<DSA_sign(3)|DSA_sign(3)>
-
-=head1 HISTORY
-
-DSA_size() is available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/EC_GFp_simple_method.pod b/doc/crypto/EC_GFp_simple_method.pod
deleted file mode 100644
index aff20ac175b7..000000000000
--- a/doc/crypto/EC_GFp_simple_method.pod
+++ /dev/null
@@ -1,60 +0,0 @@
-=pod
-
-=head1 NAME
-
-EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method, EC_GFp_nistp224_method, EC_GFp_nistp256_method, EC_GFp_nistp521_method, EC_GF2m_simple_method, EC_METHOD_get_field_type - Functions for obtaining B<EC_METHOD> objects.
-
-=head1 SYNOPSIS
-
- #include <openssl/ec.h>
-
- const EC_METHOD *EC_GFp_simple_method(void);
- const EC_METHOD *EC_GFp_mont_method(void);
- const EC_METHOD *EC_GFp_nist_method(void);
- const EC_METHOD *EC_GFp_nistp224_method(void);
- const EC_METHOD *EC_GFp_nistp256_method(void);
- const EC_METHOD *EC_GFp_nistp521_method(void);
-
- const EC_METHOD *EC_GF2m_simple_method(void);
-
- int EC_METHOD_get_field_type(const EC_METHOD *meth);
-
-=head1 DESCRIPTION
-
-The Elliptic Curve library provides a number of different implementations through a single common interface.
-When constructing a curve using EC_GROUP_new (see L<EC_GROUP_new(3)|EC_GROUP_new(3)>) an
-implementation method must be provided. The functions described here all return a const pointer to an
-B<EC_METHOD> structure that can be passed to EC_GROUP_NEW. It is important that the correct implementation
-type for the form of curve selected is used.
-
-For F2^m curves there is only one implementation choice, i.e. EC_GF2_simple_method.
-
-For Fp curves the lowest common denominator implementation is the EC_GFp_simple_method implementation. All
-other implementations are based on this one. EC_GFp_mont_method builds on EC_GFp_simple_method but adds the
-use of montgomery multiplication (see L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>). EC_GFp_nist_method
-offers an implementation optimised for use with NIST recommended curves (NIST curves are available through
-EC_GROUP_new_by_curve_name as described in L<EC_GROUP_new(3)|EC_GROUP_new(3)>).
-
-The functions EC_GFp_nistp224_method, EC_GFp_nistp256_method and EC_GFp_nistp521_method offer 64 bit
-optimised implementations for the NIST P224, P256 and P521 curves respectively. Note, however, that these
-implementations are not available on all platforms.
-
-EC_METHOD_get_field_type identifies what type of field the EC_METHOD structure supports, which will be either
-F2^m or Fp. If the field type is Fp then the value B<NID_X9_62_prime_field> is returned. If the field type is
-F2^m then the value B<NID_X9_62_characteristic_two_field> is returned. These values are defined in the
-obj_mac.h header file.
-
-=head1 RETURN VALUES
-
-All EC_GFp* functions and EC_GF2m_simple_method always return a const pointer to an EC_METHOD structure.
-
-EC_METHOD_get_field_type returns an integer that identifies the type of field the EC_METHOD structure supports.
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>,
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>
-
-=cut
diff --git a/doc/crypto/EC_GROUP_copy.pod b/doc/crypto/EC_GROUP_copy.pod
deleted file mode 100644
index 49dc01ced147..000000000000
--- a/doc/crypto/EC_GROUP_copy.pod
+++ /dev/null
@@ -1,174 +0,0 @@
-=pod
-
-=head1 NAME
-
-EC_GROUP_copy, EC_GROUP_dup, EC_GROUP_method_of, EC_GROUP_set_generator, EC_GROUP_get0_generator, EC_GROUP_get_order, EC_GROUP_get_cofactor, EC_GROUP_set_curve_name, EC_GROUP_get_curve_name, EC_GROUP_set_asn1_flag, EC_GROUP_get_asn1_flag, EC_GROUP_set_point_conversion_form, EC_GROUP_get_point_conversion_form, EC_GROUP_get0_seed, EC_GROUP_get_seed_len, EC_GROUP_set_seed, EC_GROUP_get_degree, EC_GROUP_check, EC_GROUP_check_discriminant, EC_GROUP_cmp, EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis, EC_GROUP_get_pentanomial_basis - Functions for manipulating B<EC_GROUP> objects.
-
-=head1 SYNOPSIS
-
- #include <openssl/ec.h>
- #include <openssl/bn.h>
-
- int EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src);
- EC_GROUP *EC_GROUP_dup(const EC_GROUP *src);
-
- const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);
-
- int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
- const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group);
-
- int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx);
- int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx);
-
- void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
- int EC_GROUP_get_curve_name(const EC_GROUP *group);
-
- void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
- int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
-
- void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
- point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
-
- unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
- size_t EC_GROUP_get_seed_len(const EC_GROUP *);
- size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
-
- int EC_GROUP_get_degree(const EC_GROUP *group);
-
- int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx);
-
- int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx);
-
- int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx);
-
- int EC_GROUP_get_basis_type(const EC_GROUP *);
- int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
- int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1,
- unsigned int *k2, unsigned int *k3);
-
-=head1 DESCRIPTION
-
-EC_GROUP_copy copies the curve B<src> into B<dst>. Both B<src> and B<dst> must use the same EC_METHOD.
-
-EC_GROUP_dup creates a new EC_GROUP object and copies the content from B<src> to the newly created
-EC_GROUP object.
-
-EC_GROUP_method_of obtains the EC_METHOD of B<group>.
-
-EC_GROUP_set_generator sets curve paramaters that must be agreed by all participants using the curve. These
-paramaters include the B<generator>, the B<order> and the B<cofactor>. The B<generator> is a well defined point on the
-curve chosen for cryptographic operations. Integers used for point multiplications will be between 0 and
-n-1 where n is the B<order>. The B<order> multipied by the B<cofactor> gives the number of points on the curve.
-
-EC_GROUP_get0_generator returns the generator for the identified B<group>.
-
-The functions EC_GROUP_get_order and EC_GROUP_get_cofactor populate the provided B<order> and B<cofactor> parameters
-with the respective order and cofactors for the B<group>.
-
-The functions EC_GROUP_set_curve_name and EC_GROUP_get_curve_name, set and get the NID for the curve respectively
-(see L<EC_GROUP_new(3)|EC_GROUP_new(3)>). If a curve does not have a NID associated with it, then EC_GROUP_get_curve_name
-will return 0.
-
-The asn1_flag value on a curve is used to determine whether there is a specific ASN1 OID to describe the curve or not.
-If the asn1_flag is 1 then this is a named curve with an associated ASN1 OID. If not then asn1_flag is 0. The functions
-EC_GROUP_get_asn1_flag and EC_GROUP_set_asn1_flag get and set the status of the asn1_flag for the curve. If set then
-the curve_name must also be set.
-
-The point_coversion_form for a curve controls how EC_POINT data is encoded as ASN1 as defined in X9.62 (ECDSA).
-point_conversion_form_t is an enum defined as follows:
-
- typedef enum {
- /** the point is encoded as z||x, where the octet z specifies
- * which solution of the quadratic equation y is */
- POINT_CONVERSION_COMPRESSED = 2,
- /** the point is encoded as z||x||y, where z is the octet 0x02 */
- POINT_CONVERSION_UNCOMPRESSED = 4,
- /** the point is encoded as z||x||y, where the octet z specifies
- * which solution of the quadratic equation y is */
- POINT_CONVERSION_HYBRID = 6
- } point_conversion_form_t;
-
-
-For POINT_CONVERSION_UNCOMPRESSED the point is encoded as an octet signifying the UNCOMPRESSED form has been used followed by
-the octets for x, followed by the octets for y.
-
-For any given x co-ordinate for a point on a curve it is possible to derive two possible y values. For
-POINT_CONVERSION_COMPRESSED the point is encoded as an octet signifying that the COMPRESSED form has been used AND which of
-the two possible solutions for y has been used, followed by the octets for x.
-
-For POINT_CONVERSION_HYBRID the point is encoded as an octet signifying the HYBRID form has been used AND which of the two
-possible solutions for y has been used, followed by the octets for x, followed by the octets for y.
-
-The functions EC_GROUP_set_point_conversion_form and EC_GROUP_get_point_conversion_form set and get the point_conversion_form
-for the curve respectively.
-
-ANSI X9.62 (ECDSA standard) defines a method of generating the curve parameter b from a random number. This provides advantages
-in that a parameter obtained in this way is highly unlikely to be susceptible to special purpose attacks, or have any trapdoors in it.
-If the seed is present for a curve then the b parameter was generated in a verifiable fashion using that seed. The OpenSSL EC library
-does not use this seed value but does enable you to inspect it using EC_GROUP_get0_seed. This returns a pointer to a memory block
-containing the seed that was used. The length of the memory block can be obtained using EC_GROUP_get_seed_len. A number of the
-builtin curves within the library provide seed values that can be obtained. It is also possible to set a custom seed using
-EC_GROUP_set_seed and passing a pointer to a memory block, along with the length of the seed. Again, the EC library will not use
-this seed value, although it will be preserved in any ASN1 based communications.
-
-EC_GROUP_get_degree gets the degree of the field. For Fp fields this will be the number of bits in p. For F2^m fields this will be
-the value m.
-
-The function EC_GROUP_check_discriminant calculates the discriminant for the curve and verifies that it is valid.
-For a curve defined over Fp the discriminant is given by the formula 4*a^3 + 27*b^2 whilst for F2^m curves the discriminant is
-simply b. In either case for the curve to be valid the discriminant must be non zero.
-
-The function EC_GROUP_check performs a number of checks on a curve to verify that it is valid. Checks performed include
-verifying that the discriminant is non zero; that a generator has been defined; that the generator is on the curve and has
-the correct order.
-
-EC_GROUP_cmp compares B<a> and B<b> to determine whether they represent the same curve or not.
-
-The functions EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis and EC_GROUP_get_pentanomial_basis should only be called for curves
-defined over an F2^m field. Addition and multiplication operations within an F2^m field are performed using an irreducible polynomial
-function f(x). This function is either a trinomial of the form:
-
-f(x) = x^m + x^k + 1 with m > k >= 1
-
-or a pentanomial of the form:
-
-f(x) = x^m + x^k3 + x^k2 + x^k1 + 1 with m > k3 > k2 > k1 >= 1
-
-The function EC_GROUP_get_basis_type returns a NID identifying whether a trinomial or pentanomial is in use for the field. The
-function EC_GROUP_get_trinomial_basis must only be called where f(x) is of the trinomial form, and returns the value of B<k>. Similary
-the function EC_GROUP_get_pentanomial_basis must only be called where f(x) is of the pentanomial form, and returns the values of B<k1>,
-B<k2> and B<k3> respectively.
-
-=head1 RETURN VALUES
-
-The following functions return 1 on success or 0 on error: EC_GROUP_copy, EC_GROUP_set_generator, EC_GROUP_check,
-EC_GROUP_check_discriminant, EC_GROUP_get_trinomial_basis and EC_GROUP_get_pentanomial_basis.
-
-EC_GROUP_dup returns a pointer to the duplicated curve, or NULL on error.
-
-EC_GROUP_method_of returns the EC_METHOD implementation in use for the given curve or NULL on error.
-
-EC_GROUP_get0_generator returns the generator for the given curve or NULL on error.
-
-EC_GROUP_get_order, EC_GROUP_get_cofactor, EC_GROUP_get_curve_name, EC_GROUP_get_asn1_flag, EC_GROUP_get_point_conversion_form
-and EC_GROUP_get_degree return the order, cofactor, curve name (NID), ASN1 flag, point_conversion_form and degree for the
-specified curve respectively. If there is no curve name associated with a curve then EC_GROUP_get_curve_name will return 0.
-
-EC_GROUP_get0_seed returns a pointer to the seed that was used to generate the parameter b, or NULL if the seed is not
-specified. EC_GROUP_get_seed_len returns the length of the seed or 0 if the seed is not specified.
-
-EC_GROUP_set_seed returns the length of the seed that has been set. If the supplied seed is NULL, or the supplied seed length is
-0, the return value will be 1. On error 0 is returned.
-
-EC_GROUP_cmp returns 0 if the curves are equal, 1 if they are not equal, or -1 on error.
-
-EC_GROUP_get_basis_type returns the values NID_X9_62_tpBasis or NID_X9_62_ppBasis (as defined in <openssl/obj_mac.h>) for a
-trinomial or pentanomial respectively. Alternatively in the event of an error a 0 is returned.
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-
-=cut
diff --git a/doc/crypto/EC_GROUP_new.pod b/doc/crypto/EC_GROUP_new.pod
deleted file mode 100644
index ff55bf33a3c9..000000000000
--- a/doc/crypto/EC_GROUP_new.pod
+++ /dev/null
@@ -1,95 +0,0 @@
-=pod
-
-=head1 NAME
-
-EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_new_curve_GFp, EC_GROUP_new_curve_GF2m, EC_GROUP_new_by_curve_name, EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m, EC_get_builtin_curves - Functions for creating and destroying B<EC_GROUP> objects.
-
-=head1 SYNOPSIS
-
- #include <openssl/ec.h>
- #include <openssl/bn.h>
-
- EC_GROUP *EC_GROUP_new(const EC_METHOD *meth);
- void EC_GROUP_free(EC_GROUP *group);
- void EC_GROUP_clear_free(EC_GROUP *group);
-
- EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
-
- int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
-
- size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems);
-
-=head1 DESCRIPTION
-
-Within the library there are two forms of elliptic curve that are of interest. The first form is those defined over the
-prime field Fp. The elements of Fp are the integers 0 to p-1, where p is a prime number. This gives us a revised
-elliptic curve equation as follows:
-
-y^2 mod p = x^3 +ax + b mod p
-
-The second form is those defined over a binary field F2^m where the elements of the field are integers of length at
-most m bits. For this form the elliptic curve equation is modified to:
-
-y^2 + xy = x^3 + ax^2 + b (where b != 0)
-
-Operations in a binary field are performed relative to an B<irreducible polynomial>. All such curves with OpenSSL
-use a trinomial or a pentanomial for this parameter.
-
-A new curve can be constructed by calling EC_GROUP_new, using the implementation provided by B<meth> (see
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>). It is then necessary to call either EC_GROUP_set_curve_GFp or
-EC_GROUP_set_curve_GF2m as appropriate to create a curve defined over Fp or over F2^m respectively.
-
-EC_GROUP_set_curve_GFp sets the curve parameters B<p>, B<a> and B<b> for a curve over Fp stored in B<group>.
-EC_group_get_curve_GFp obtains the previously set curve parameters.
-
-EC_GROUP_set_curve_GF2m sets the equivalent curve parameters for a curve over F2^m. In this case B<p> represents
-the irreducible polybnomial - each bit represents a term in the polynomial. Therefore there will either be three
-or five bits set dependant on whether the polynomial is a trinomial or a pentanomial.
-EC_group_get_curve_GF2m obtains the previously set curve parameters.
-
-The functions EC_GROUP_new_curve_GFp and EC_GROUP_new_curve_GF2m are shortcuts for calling EC_GROUP_new and the
-appropriate EC_group_set_curve function. An appropriate default implementation method will be used.
-
-Whilst the library can be used to create any curve using the functions described above, there are also a number of
-predefined curves that are available. In order to obtain a list of all of the predefined curves, call the function
-EC_get_builtin_curves. The parameter B<r> should be an array of EC_builtin_curve structures of size B<nitems>. The function
-will populate the B<r> array with information about the builtin curves. If B<nitems> is less than the total number of
-curves available, then the first B<nitems> curves will be returned. Otherwise the total number of curves will be
-provided. The return value is the total number of curves available (whether that number has been populated in B<r> or
-not). Passing a NULL B<r>, or setting B<nitems> to 0 will do nothing other than return the total number of curves available.
-The EC_builtin_curve structure is defined as follows:
-
- typedef struct {
- int nid;
- const char *comment;
- } EC_builtin_curve;
-
-Each EC_builtin_curve item has a unique integer id (B<nid>), and a human readable comment string describing the curve.
-
-In order to construct a builtin curve use the function EC_GROUP_new_by_curve_name and provide the B<nid> of the curve to
-be constructed.
-
-EC_GROUP_free frees the memory associated with the EC_GROUP.
-
-EC_GROUP_clear_free destroys any sensitive data held within the EC_GROUP and then frees its memory.
-
-=head1 RETURN VALUES
-
-All EC_GROUP_new* functions return a pointer to the newly constructed group, or NULL on error.
-
-EC_get_builtin_curves returns the number of builtin curves that are available.
-
-EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m return 1 on success or 0 on error.
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-
-=cut
diff --git a/doc/crypto/EC_KEY_new.pod b/doc/crypto/EC_KEY_new.pod
deleted file mode 100644
index 0fa2de1721b7..000000000000
--- a/doc/crypto/EC_KEY_new.pod
+++ /dev/null
@@ -1,108 +0,0 @@
-=pod
-
-=head1 NAME
-
-EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags, EC_KEY_new_by_curve_name, EC_KEY_free, EC_KEY_copy, EC_KEY_dup, EC_KEY_up_ref, EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key, EC_KEY_get_enc_flags, EC_KEY_set_enc_flags, EC_KEY_get_conv_form, EC_KEY_set_conv_form, EC_KEY_get_key_method_data, EC_KEY_insert_key_method_data, EC_KEY_set_asn1_flag, EC_KEY_precompute_mult, EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_set_public_key_affine_coordinates - Functions for creating, destroying and manipulating B<EC_KEY> objects.
-
-=head1 SYNOPSIS
-
- #include <openssl/ec.h>
- #include <openssl/bn.h>
-
- EC_KEY *EC_KEY_new(void);
- int EC_KEY_get_flags(const EC_KEY *key);
- void EC_KEY_set_flags(EC_KEY *key, int flags);
- void EC_KEY_clear_flags(EC_KEY *key, int flags);
- EC_KEY *EC_KEY_new_by_curve_name(int nid);
- void EC_KEY_free(EC_KEY *key);
- EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
- EC_KEY *EC_KEY_dup(const EC_KEY *src);
- int EC_KEY_up_ref(EC_KEY *key);
- const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
- int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
- const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
- int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv);
- const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
- int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
- point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
- void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
- void *EC_KEY_get_key_method_data(EC_KEY *key,
- void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
- void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
- void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
- void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
- int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
- int EC_KEY_generate_key(EC_KEY *key);
- int EC_KEY_check_key(const EC_KEY *key);
- int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
-
-=head1 DESCRIPTION
-
-An EC_KEY represents a public key and (optionaly) an associated private key. A new EC_KEY (with no associated curve) can be constructed by calling EC_KEY_new.
-The reference count for the newly created EC_KEY is initially set to 1. A curve can be associated with the EC_KEY by calling
-EC_KEY_set_group.
-
-Alternatively a new EC_KEY can be constructed by calling EC_KEY_new_by_curve_name and supplying the nid of the associated curve. Refer to L<EC_GROUP_new(3)|EC_GROUP_new(3)> for a description of curve names. This function simply wraps calls to EC_KEY_new and
-EC_GROUP_new_by_curve_name.
-
-Calling EC_KEY_free decrements the reference count for the EC_KEY object, and if it has dropped to zero then frees the memory associated
-with it.
-
-EC_KEY_copy copies the contents of the EC_KEY in B<src> into B<dest>.
-
-EC_KEY_dup creates a new EC_KEY object and copies B<ec_key> into it.
-
-EC_KEY_up_ref increments the reference count associated with the EC_KEY object.
-
-EC_KEY_generate_key generates a new public and private key for the supplied B<eckey> object. B<eckey> must have an EC_GROUP object
-associated with it before calling this function. The private key is a random integer (0 < priv_key < order, where order is the order
-of the EC_GROUP object). The public key is an EC_POINT on the curve calculated by multiplying the generator for the curve by the
-private key.
-
-EC_KEY_check_key performs various sanity checks on the EC_KEY object to confirm that it is valid.
-
-EC_KEY_set_public_key_affine_coordinates sets the public key for B<key> based on its affine co-ordinates, i.e. it constructs an EC_POINT
-object based on the supplied B<x> and B<y> values and sets the public key to be this EC_POINT. It will also performs certain sanity checks
-on the key to confirm that it is valid.
-
-The functions EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, and EC_KEY_set_public_key get and set the EC_GROUP object, the private key and the EC_POINT public key for the B<key> respectively.
-
-The functions EC_KEY_get_conv_form and EC_KEY_set_conv_form get and set the point_conversion_form for the B<key>. For a description
-of point_conversion_forms please refer to L<EC_POINT_new(3)|EC_POINT_new(3)>.
-
-EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the caller to associate arbitrary additional data specific to the
-elliptic curve scheme being used with the EC_KEY object. This data is treated as a "black box" by the ec library. The data to be stored by EC_KEY_insert_key_method_data is provided in the B<data> parameter, which must have associated functions for duplicating, freeing and "clear_freeing" the data item. If a subsequent EC_KEY_get_key_method_data call is issued, the functions for duplicating, freeing and "clear_freeing" the data item must be provided again, and they must be the same as they were when the data item was inserted.
-
-EC_KEY_set_flags sets the flags in the B<flags> parameter on the EC_KEY object. Any flags that are already set are left set. The currently defined standard flags are EC_FLAG_NON_FIPS_ALLOW and EC_FLAG_FIPS_CHECKED. In addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are set for this EC_KEY. EC_KEY_clear_flags clears the flags indicated by the B<flags> parameter. All other flags are left in their existing state.
-
-EC_KEY_set_asn1_flag sets the asn1_flag on the underlying EC_GROUP object (if set). Refer to L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for further information on the asn1_flag.
-
-EC_KEY_precompute_mult stores multiples of the underlying EC_GROUP generator for faster point multiplication. See also L<EC_POINT_add(3)|EC_POINT_add(3)>.
-
-
-=head1 RETURN VALUES
-
-EC_KEY_new, EC_KEY_new_by_curve_name and EC_KEY_dup return a pointer to the newly created EC_KEY object, or NULL on error.
-
-EC_KEY_get_flags returns the flags associated with the EC_KEY object as an integer.
-
-EC_KEY_copy returns a pointer to the destination key, or NULL on error.
-
-EC_KEY_up_ref, EC_KEY_set_group, EC_KEY_set_private_key, EC_KEY_set_public_key, EC_KEY_precompute_mult, EC_KEY_generate_key, EC_KEY_check_key and EC_KEY_set_public_key_affine_coordinates return 1 on success or 0 on error.
-
-EC_KEY_get0_group returns the EC_GROUP associated with the EC_KEY.
-
-EC_KEY_get0_private_key returns the private key associated with the EC_KEY.
-
-EC_KEY_get_conv_form return the point_conversion_form for the EC_KEY.
-
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>,
-L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>, L<EC_POINT_new(3)|EC_POINT_new(3)>,
-L<EC_POINT_add(3)|EC_POINT_add(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>,
-L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-
-=cut
diff --git a/doc/crypto/EC_POINT_add.pod b/doc/crypto/EC_POINT_add.pod
deleted file mode 100644
index ae9264084321..000000000000
--- a/doc/crypto/EC_POINT_add.pod
+++ /dev/null
@@ -1,72 +0,0 @@
-=pod
-
-=head1 NAME
-
-EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp, EC_POINT_make_affine, EC_POINTs_make_affine, EC_POINTs_mul, EC_POINT_mul, EC_GROUP_precompute_mult, EC_GROUP_have_precompute_mult - Functions for performing mathematical operations and tests on B<EC_POINT> objects.
-
-=head1 SYNOPSIS
-
- #include <openssl/ec.h>
- #include <openssl/bn.h>
-
- int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
- int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx);
- int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx);
- int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *p);
- int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx);
- int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
- int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
- int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
- int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, size_t num, const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx);
- int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx);
- int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
- int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
-
-
-=head1 DESCRIPTION
-
-EC_POINT_add adds the two points B<a> and B<b> and places the result in B<r>. Similarly EC_POINT_dbl doubles the point B<a> and places the
-result in B<r>. In both cases it is valid for B<r> to be one of B<a> or B<b>.
-
-EC_POINT_invert calculates the inverse of the supplied point B<a>. The result is placed back in B<a>.
-
-The function EC_POINT_is_at_infinity tests whether the supplied point is at infinity or not.
-
-EC_POINT_is_on_curve tests whether the supplied point is on the curve or not.
-
-EC_POINT_cmp compares the two supplied points and tests whether or not they are equal.
-
-The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal representation of the EC_POINT(s) into the affine
-co-ordinate system. In the case of EC_POINTs_make_affine the value B<num> provides the number of points in the array B<points> to be
-forced.
-
-EC_POINT_mul calculates the value generator * B<n> + B<q> * B<m> and stores the result in B<r>. The value B<n> may be NULL in which case the result is just B<q> * B<m>.
-
-EC_POINTs_mul calculates the value generator * B<n> + B<q[0]> * B<m[0]> + ... + B<q[num-1]> * B<m[num-1]>. As for EC_POINT_mul the value
-B<n> may be NULL.
-
-The function EC_GROUP_precompute_mult stores multiples of the generator for faster point multiplication, whilst
-EC_GROUP_have_precompute_mult tests whether precomputation has already been done. See L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for information
-about the generator.
-
-
-=head1 RETURN VALUES
-
-The following functions return 1 on success or 0 on error: EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_make_affine,
-EC_POINTs_make_affine, EC_POINTs_make_affine, EC_POINT_mul, EC_POINTs_mul and EC_GROUP_precompute_mult.
-
-EC_POINT_is_at_infinity returns 1 if the point is at infinity, or 0 otherwise.
-
-EC_POINT_is_on_curve returns 1 if the point is on the curve, 0 if not, or -1 on error.
-
-EC_POINT_cmp returns 1 if the points are not equal, 0 if they are, or -1 on error.
-
-EC_GROUP_have_precompute_mult return 1 if a precomputation has been done, or 0 if not.
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-
-=cut
diff --git a/doc/crypto/EC_POINT_new.pod b/doc/crypto/EC_POINT_new.pod
deleted file mode 100644
index 858baf424460..000000000000
--- a/doc/crypto/EC_POINT_new.pod
+++ /dev/null
@@ -1,128 +0,0 @@
-=pod
-
-=head1 NAME
-
-EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy, EC_POINT_dup, EC_POINT_method_of, EC_POINT_set_to_infinity, EC_POINT_set_Jprojective_coordinates, EC_POINT_get_Jprojective_coordinates_GFp, EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp, EC_POINT_set_compressed_coordinates_GFp, EC_POINT_set_affine_coordinates_GF2m, EC_POINT_get_affine_coordinates_GF2m, EC_POINT_set_compressed_coordinates_GF2m, EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex, EC_POINT_hex2point - Functions for creating, destroying and manipulating B<EC_POINT> objects.
-
-=head1 SYNOPSIS
-
- #include <openssl/ec.h>
- #include <openssl/bn.h>
-
- EC_POINT *EC_POINT_new(const EC_GROUP *group);
- void EC_POINT_free(EC_POINT *point);
- void EC_POINT_clear_free(EC_POINT *point);
- int EC_POINT_copy(EC_POINT *dst, const EC_POINT *src);
- EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group);
- const EC_METHOD *EC_POINT_method_of(const EC_POINT *point);
- int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point);
- int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
- const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx);
- int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
- const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx);
- int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
- const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
- const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
- const BIGNUM *x, int y_bit, BN_CTX *ctx);
- int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
- const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
- const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
- int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
- const BIGNUM *x, int y_bit, BN_CTX *ctx);
- size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p,
- point_conversion_form_t form,
- unsigned char *buf, size_t len, BN_CTX *ctx);
- int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *p,
- const unsigned char *buf, size_t len, BN_CTX *ctx);
- BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form, BIGNUM *, BN_CTX *);
- EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *,
- EC_POINT *, BN_CTX *);
- char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *,
- point_conversion_form_t form, BN_CTX *);
- EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *,
- EC_POINT *, BN_CTX *);
-
-
-=head1 DESCRIPTION
-
-An EC_POINT represents a point on a curve. A new point is constructed by calling the function EC_POINT_new and providing the B<group>
-object that the point relates to.
-
-EC_POINT_free frees the memory associated with the EC_POINT.
-
-EC_POINT_clear_free destroys any sensitive data held within the EC_POINT and then frees its memory.
-
-EC_POINT_copy copies the point B<src> into B<dst>. Both B<src> and B<dst> must use the same EC_METHOD.
-
-EC_POINT_dup creates a new EC_POINT object and copies the content from B<src> to the newly created
-EC_POINT object.
-
-EC_POINT_method_of obtains the EC_METHOD associated with B<point>.
-
-A valid point on a curve is the special point at infinity. A point is set to be at infinity by calling EC_POINT_set_to_infinity.
-
-The affine co-ordinates for a point describe a point in terms of its x and y position. The functions
-EC_POINT_set_affine_coordinates_GFp and EC_POINT_set_affine_coordinates_GF2m set the B<x> and B<y> co-ordinates for the point
-B<p> defined over the curve given in B<group>.
-
-As well as the affine co-ordinates, a point can alternatively be described in terms of its Jacobian
-projective co-ordinates (for Fp curves only). Jacobian projective co-ordinates are expressed as three values x, y and z. Working in
-this co-ordinate system provides more efficient point multiplication operations.
-A mapping exists between Jacobian projective co-ordinates and affine co-ordinates. A Jacobian projective co-ordinate (x, y, z) can be written as an affine co-ordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian projective to affine co-ordinates is simple. The co-ordinate (x, y) is
-mapped to (x, y, 1). To set or get the projective co-ordinates use EC_POINT_set_Jprojective_coordinates_GFp and
-EC_POINT_get_Jprojective_coordinates_GFp respectively.
-
-Points can also be described in terms of their compressed co-ordinates. For a point (x, y), for any given value for x such that the point is
-on the curve there will only ever be two possible values for y. Therefore a point can be set using the EC_POINT_set_compressed_coordinates_GFp
-and EC_POINT_set_compressed_coordinates_GF2m functions where B<x> is the x co-ordinate and B<y_bit> is a value 0 or 1 to identify which of
-the two possible values for y should be used.
-
-In addition EC_POINTs can be converted to and from various external
-representations. Supported representations are octet strings, BIGNUMs and
-hexadecimal. Octet strings are stored in a buffer along with an associated
-buffer length. A point held in a BIGNUM is calculated by converting the point to
-an octet string and then converting that octet string into a BIGNUM integer.
-Points in hexadecimal format are stored in a NULL terminated character string
-where each character is one of the printable values 0-9 or A-F (or a-f).
-
-The functions EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex and EC_POINT_hex2point convert
-from and to EC_POINTs for the formats: octet string, BIGNUM and hexadecimal respectively.
-
-The function EC_POINT_point2oct must be supplied with a buffer long enough to store the octet string. The return value provides the number of
-octets stored. Calling the function with a NULL buffer will not perform the conversion but will still return the required buffer length.
-
-The function EC_POINT_point2hex will allocate sufficient memory to store the hexadecimal string. It is the caller's responsibility to free
-this memory with a subsequent call to OPENSSL_free().
-
-=head1 RETURN VALUES
-
-EC_POINT_new and EC_POINT_dup return the newly allocated EC_POINT or NULL on error.
-
-The following functions return 1 on success or 0 on error: EC_POINT_copy, EC_POINT_set_to_infinity, EC_POINT_set_Jprojective_coordinates_GFp,
-EC_POINT_get_Jprojective_coordinates_GFp, EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp,
-EC_POINT_set_compressed_coordinates_GFp, EC_POINT_set_affine_coordinates_GF2m, EC_POINT_get_affine_coordinates_GF2m,
-EC_POINT_set_compressed_coordinates_GF2m and EC_POINT_oct2point.
-
-EC_POINT_method_of returns the EC_METHOD associated with the supplied EC_POINT.
-
-EC_POINT_point2oct returns the length of the required buffer, or 0 on error.
-
-EC_POINT_point2bn returns the pointer to the BIGNUM supplied, or NULL on error.
-
-EC_POINT_bn2point returns the pointer to the EC_POINT supplied, or NULL on error.
-
-EC_POINT_point2hex returns a pointer to the hex string, or NULL on error.
-
-EC_POINT_hex2point returns the pointer to the EC_POINT supplied, or NULL on error.
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
-
-=cut
diff --git a/doc/crypto/ERR_GET_LIB.pod b/doc/crypto/ERR_GET_LIB.pod
deleted file mode 100644
index 2a129da036cc..000000000000
--- a/doc/crypto/ERR_GET_LIB.pod
+++ /dev/null
@@ -1,51 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON - get library, function and
-reason code
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- int ERR_GET_LIB(unsigned long e);
-
- int ERR_GET_FUNC(unsigned long e);
-
- int ERR_GET_REASON(unsigned long e);
-
-=head1 DESCRIPTION
-
-The error code returned by ERR_get_error() consists of a library
-number, function code and reason code. ERR_GET_LIB(), ERR_GET_FUNC()
-and ERR_GET_REASON() can be used to extract these.
-
-The library number and function code describe where the error
-occurred, the reason code is the information about what went wrong.
-
-Each sub-library of OpenSSL has a unique library number; function and
-reason codes are unique within each sub-library. Note that different
-libraries may use the same value to signal different functions and
-reasons.
-
-B<ERR_R_...> reason codes such as B<ERR_R_MALLOC_FAILURE> are globally
-unique. However, when checking for sub-library specific reason codes,
-be sure to also compare the library number.
-
-ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are macros.
-
-=head1 RETURN VALUES
-
-The library number, function code and reason code respectively.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are available in
-all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/ERR_clear_error.pod b/doc/crypto/ERR_clear_error.pod
deleted file mode 100644
index 566e1f4e317f..000000000000
--- a/doc/crypto/ERR_clear_error.pod
+++ /dev/null
@@ -1,29 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_clear_error - clear the error queue
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- void ERR_clear_error(void);
-
-=head1 DESCRIPTION
-
-ERR_clear_error() empties the current thread's error queue.
-
-=head1 RETURN VALUES
-
-ERR_clear_error() has no return value.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-ERR_clear_error() is available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/ERR_error_string.pod b/doc/crypto/ERR_error_string.pod
deleted file mode 100644
index cdfa7fe1fe72..000000000000
--- a/doc/crypto/ERR_error_string.pod
+++ /dev/null
@@ -1,73 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_error_string, ERR_error_string_n, ERR_lib_error_string,
-ERR_func_error_string, ERR_reason_error_string - obtain human-readable
-error message
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- char *ERR_error_string(unsigned long e, char *buf);
- void ERR_error_string_n(unsigned long e, char *buf, size_t len);
-
- const char *ERR_lib_error_string(unsigned long e);
- const char *ERR_func_error_string(unsigned long e);
- const char *ERR_reason_error_string(unsigned long e);
-
-=head1 DESCRIPTION
-
-ERR_error_string() generates a human-readable string representing the
-error code I<e>, and places it at I<buf>. I<buf> must be at least 120
-bytes long. If I<buf> is B<NULL>, the error string is placed in a
-static buffer.
-ERR_error_string_n() is a variant of ERR_error_string() that writes
-at most I<len> characters (including the terminating 0)
-and truncates the string if necessary.
-For ERR_error_string_n(), I<buf> may not be B<NULL>.
-
-The string will have the following format:
-
- error:[error code]:[library name]:[function name]:[reason string]
-
-I<error code> is an 8 digit hexadecimal number, I<library name>,
-I<function name> and I<reason string> are ASCII text.
-
-ERR_lib_error_string(), ERR_func_error_string() and
-ERR_reason_error_string() return the library name, function
-name and reason string respectively.
-
-The OpenSSL error strings should be loaded by calling
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)> or, for SSL
-applications, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
-first.
-If there is no text string registered for the given error code,
-the error string will contain the numeric code.
-
-L<ERR_print_errors(3)|ERR_print_errors(3)> can be used to print
-all error codes currently in the queue.
-
-=head1 RETURN VALUES
-
-ERR_error_string() returns a pointer to a static buffer containing the
-string if I<buf> B<== NULL>, I<buf> otherwise.
-
-ERR_lib_error_string(), ERR_func_error_string() and
-ERR_reason_error_string() return the strings, and B<NULL> if
-none is registered for the error code.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
-L<ERR_print_errors(3)|ERR_print_errors(3)>
-
-=head1 HISTORY
-
-ERR_error_string() is available in all versions of SSLeay and OpenSSL.
-ERR_error_string_n() was added in OpenSSL 0.9.6.
-
-=cut
diff --git a/doc/crypto/ERR_get_error.pod b/doc/crypto/ERR_get_error.pod
deleted file mode 100644
index 01e196c95fda..000000000000
--- a/doc/crypto/ERR_get_error.pod
+++ /dev/null
@@ -1,79 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_get_error, ERR_peek_error, ERR_peek_last_error,
-ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line,
-ERR_get_error_line_data, ERR_peek_error_line_data,
-ERR_peek_last_error_line_data - obtain error code and data
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- unsigned long ERR_get_error(void);
- unsigned long ERR_peek_error(void);
- unsigned long ERR_peek_last_error(void);
-
- unsigned long ERR_get_error_line(const char **file, int *line);
- unsigned long ERR_peek_error_line(const char **file, int *line);
- unsigned long ERR_peek_last_error_line(const char **file, int *line);
-
- unsigned long ERR_get_error_line_data(const char **file, int *line,
- const char **data, int *flags);
- unsigned long ERR_peek_error_line_data(const char **file, int *line,
- const char **data, int *flags);
- unsigned long ERR_peek_last_error_line_data(const char **file, int *line,
- const char **data, int *flags);
-
-=head1 DESCRIPTION
-
-ERR_get_error() returns the earliest error code from the thread's error
-queue and removes the entry. This function can be called repeatedly
-until there are no more error codes to return.
-
-ERR_peek_error() returns the earliest error code from the thread's
-error queue without modifying it.
-
-ERR_peek_last_error() returns the latest error code from the thread's
-error queue without modifying it.
-
-See L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> for obtaining information about
-location and reason of the error, and
-L<ERR_error_string(3)|ERR_error_string(3)> for human-readable error
-messages.
-
-ERR_get_error_line(), ERR_peek_error_line() and
-ERR_peek_last_error_line() are the same as the above, but they
-additionally store the file name and line number where
-the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
-
-ERR_get_error_line_data(), ERR_peek_error_line_data() and
-ERR_peek_last_error_line_data() store additional data and flags
-associated with the error code in *B<data>
-and *B<flags>, unless these are B<NULL>. *B<data> contains a string
-if *B<flags>&B<ERR_TXT_STRING> is true.
-
-An application B<MUST NOT> free the *B<data> pointer (or any other pointers
-returned by these functions) with OPENSSL_free() as freeing is handled
-automatically by the error library.
-
-=head1 RETURN VALUES
-
-The error code, or 0 if there is no error in the queue.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
-L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>
-
-=head1 HISTORY
-
-ERR_get_error(), ERR_peek_error(), ERR_get_error_line() and
-ERR_peek_error_line() are available in all versions of SSLeay and
-OpenSSL. ERR_get_error_line_data() and ERR_peek_error_line_data()
-were added in SSLeay 0.9.0.
-ERR_peek_last_error(), ERR_peek_last_error_line() and
-ERR_peek_last_error_line_data() were added in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/ERR_load_crypto_strings.pod b/doc/crypto/ERR_load_crypto_strings.pod
deleted file mode 100644
index 9bdec75a4638..000000000000
--- a/doc/crypto/ERR_load_crypto_strings.pod
+++ /dev/null
@@ -1,46 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings -
-load and free error strings
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- void ERR_load_crypto_strings(void);
- void ERR_free_strings(void);
-
- #include <openssl/ssl.h>
-
- void SSL_load_error_strings(void);
-
-=head1 DESCRIPTION
-
-ERR_load_crypto_strings() registers the error strings for all
-B<libcrypto> functions. SSL_load_error_strings() does the same,
-but also registers the B<libssl> error strings.
-
-One of these functions should be called before generating
-textual error messages. However, this is not required when memory
-usage is an issue.
-
-ERR_free_strings() frees all previously loaded error strings.
-
-=head1 RETURN VALUES
-
-ERR_load_crypto_strings(), SSL_load_error_strings() and
-ERR_free_strings() return no values.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>
-
-=head1 HISTORY
-
-ERR_load_error_strings(), SSL_load_error_strings() and
-ERR_free_strings() are available in all versions of SSLeay and
-OpenSSL.
-
-=cut
diff --git a/doc/crypto/ERR_load_strings.pod b/doc/crypto/ERR_load_strings.pod
deleted file mode 100644
index 5acdd0edbc5e..000000000000
--- a/doc/crypto/ERR_load_strings.pod
+++ /dev/null
@@ -1,54 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_load_strings, ERR_PACK, ERR_get_next_error_library - load
-arbitrary error strings
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
-
- int ERR_get_next_error_library(void);
-
- unsigned long ERR_PACK(int lib, int func, int reason);
-
-=head1 DESCRIPTION
-
-ERR_load_strings() registers error strings for library number B<lib>.
-
-B<str> is an array of error string data:
-
- typedef struct ERR_string_data_st
- {
- unsigned long error;
- char *string;
- } ERR_STRING_DATA;
-
-The error code is generated from the library number and a function and
-reason code: B<error> = ERR_PACK(B<lib>, B<func>, B<reason>).
-ERR_PACK() is a macro.
-
-The last entry in the array is {0,0}.
-
-ERR_get_next_error_library() can be used to assign library numbers
-to user libraries at runtime.
-
-=head1 RETURN VALUE
-
-ERR_load_strings() returns no value. ERR_PACK() return the error code.
-ERR_get_next_error_library() returns a new library number.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
-
-=head1 HISTORY
-
-ERR_load_error_strings() and ERR_PACK() are available in all versions
-of SSLeay and OpenSSL. ERR_get_next_error_library() was added in
-SSLeay 0.9.0.
-
-=cut
diff --git a/doc/crypto/ERR_print_errors.pod b/doc/crypto/ERR_print_errors.pod
deleted file mode 100644
index b100a5fa2b30..000000000000
--- a/doc/crypto/ERR_print_errors.pod
+++ /dev/null
@@ -1,51 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_print_errors, ERR_print_errors_fp - print error messages
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- void ERR_print_errors(BIO *bp);
- void ERR_print_errors_fp(FILE *fp);
-
-=head1 DESCRIPTION
-
-ERR_print_errors() is a convenience function that prints the error
-strings for all errors that OpenSSL has recorded to B<bp>, thus
-emptying the error queue.
-
-ERR_print_errors_fp() is the same, except that the output goes to a
-B<FILE>.
-
-
-The error strings will have the following format:
-
- [pid]:error:[error code]:[library name]:[function name]:[reason string]:[file name]:[line]:[optional text message]
-
-I<error code> is an 8 digit hexadecimal number. I<library name>,
-I<function name> and I<reason string> are ASCII text, as is I<optional
-text message> if one was set for the respective error code.
-
-If there is no text string registered for the given error code,
-the error string will contain the numeric code.
-
-=head1 RETURN VALUES
-
-ERR_print_errors() and ERR_print_errors_fp() return no values.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
-
-=head1 HISTORY
-
-ERR_print_errors() and ERR_print_errors_fp()
-are available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/ERR_put_error.pod b/doc/crypto/ERR_put_error.pod
deleted file mode 100644
index acd241fbe476..000000000000
--- a/doc/crypto/ERR_put_error.pod
+++ /dev/null
@@ -1,44 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_put_error, ERR_add_error_data - record an error
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- void ERR_put_error(int lib, int func, int reason, const char *file,
- int line);
-
- void ERR_add_error_data(int num, ...);
-
-=head1 DESCRIPTION
-
-ERR_put_error() adds an error code to the thread's error queue. It
-signals that the error of reason code B<reason> occurred in function
-B<func> of library B<lib>, in line number B<line> of B<file>.
-This function is usually called by a macro.
-
-ERR_add_error_data() associates the concatenation of its B<num> string
-arguments with the error code added last.
-
-L<ERR_load_strings(3)|ERR_load_strings(3)> can be used to register
-error strings so that the application can a generate human-readable
-error messages for the error code.
-
-=head1 RETURN VALUES
-
-ERR_put_error() and ERR_add_error_data() return
-no values.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
-
-=head1 HISTORY
-
-ERR_put_error() is available in all versions of SSLeay and OpenSSL.
-ERR_add_error_data() was added in SSLeay 0.9.0.
-
-=cut
diff --git a/doc/crypto/ERR_remove_state.pod b/doc/crypto/ERR_remove_state.pod
deleted file mode 100644
index a4d38c17fd6b..000000000000
--- a/doc/crypto/ERR_remove_state.pod
+++ /dev/null
@@ -1,45 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_remove_thread_state, ERR_remove_state - free a thread's error queue
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- void ERR_remove_thread_state(const CRYPTO_THREADID *tid);
-
-Deprecated:
-
- void ERR_remove_state(unsigned long pid);
-
-=head1 DESCRIPTION
-
-ERR_remove_thread_state() frees the error queue associated with thread B<tid>.
-If B<tid> == B<NULL>, the current thread will have its error queue removed.
-
-Since error queue data structures are allocated automatically for new
-threads, they must be freed when threads are terminated in order to
-avoid memory leaks.
-
-ERR_remove_state is deprecated and has been replaced by
-ERR_remove_thread_state. Since threads in OpenSSL are no longer identified
-by unsigned long values any argument to this function is ignored. Calling
-ERR_remove_state is equivalent to B<ERR_remove_thread_state(NULL)>.
-
-=head1 RETURN VALUE
-
-ERR_remove_thread_state and ERR_remove_state() return no value.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>
-
-=head1 HISTORY
-
-ERR_remove_state() is available in all versions of SSLeay and OpenSSL. It
-was deprecated in OpenSSL 1.0.0 when ERR_remove_thread_state was introduced
-and thread IDs were introduced to identify threads instead of 'unsigned long'.
-
-=cut
diff --git a/doc/crypto/ERR_set_mark.pod b/doc/crypto/ERR_set_mark.pod
deleted file mode 100644
index d3ca4f2e770b..000000000000
--- a/doc/crypto/ERR_set_mark.pod
+++ /dev/null
@@ -1,38 +0,0 @@
-=pod
-
-=head1 NAME
-
-ERR_set_mark, ERR_pop_to_mark - set marks and pop errors until mark
-
-=head1 SYNOPSIS
-
- #include <openssl/err.h>
-
- int ERR_set_mark(void);
-
- int ERR_pop_to_mark(void);
-
-=head1 DESCRIPTION
-
-ERR_set_mark() sets a mark on the current topmost error record if there
-is one.
-
-ERR_pop_to_mark() will pop the top of the error stack until a mark is found.
-The mark is then removed. If there is no mark, the whole stack is removed.
-
-=head1 RETURN VALUES
-
-ERR_set_mark() returns 0 if the error stack is empty, otherwise 1.
-
-ERR_pop_to_mark() returns 0 if there was no mark in the error stack, which
-implies that the stack became empty, otherwise 1.
-
-=head1 SEE ALSO
-
-L<err(3)|err(3)>
-
-=head1 HISTORY
-
-ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.
-
-=cut
diff --git a/doc/crypto/EVP_BytesToKey.pod b/doc/crypto/EVP_BytesToKey.pod
deleted file mode 100644
index a9b6bb0c731f..000000000000
--- a/doc/crypto/EVP_BytesToKey.pod
+++ /dev/null
@@ -1,70 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_BytesToKey - password based encryption routine
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
- const unsigned char *salt,
- const unsigned char *data, int datal, int count,
- unsigned char *key,unsigned char *iv);
-
-=head1 DESCRIPTION
-
-EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
-the cipher to derive the key and IV for. B<md> is the message digest to use.
-The B<salt> parameter is used as a salt in the derivation: it should point to
-an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
-B<datal> bytes which is used to derive the keying data. B<count> is the
-iteration count to use. The derived key and IV will be written to B<key>
-and B<iv> respectively.
-
-=head1 NOTES
-
-A typical application of this function is to derive keying material for an
-encryption algorithm from a password in the B<data> parameter.
-
-Increasing the B<count> parameter slows down the algorithm which makes it
-harder for an attacker to peform a brute force attack using a large number
-of candidate passwords.
-
-If the total key and IV length is less than the digest length and
-B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5
-otherwise a non standard extension is used to derive the extra data.
-
-Newer applications should use a more modern algorithm such as PBKDF2 as
-defined in PKCS#5v2.1 and provided by PKCS5_PBKDF2_HMAC.
-
-=head1 KEY DERIVATION ALGORITHM
-
-The key and IV is derived by concatenating D_1, D_2, etc until
-enough data is available for the key and IV. D_i is defined as:
-
- D_i = HASH^count(D_(i-1) || data || salt)
-
-where || denotes concatentaion, D_0 is empty, HASH is the digest
-algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
-is HASH(HASH(data)) and so on.
-
-The initial bytes are used for the key and the subsequent bytes for
-the IV.
-
-=head1 RETURN VALUES
-
-If B<data> is NULL, then EVP_BytesToKey() returns the number of bytes
-needed to store the derived key.
-Otherwise, EVP_BytesToKey() returns the size of the derived key in bytes,
-or 0 on error.
-
-=head1 SEE ALSO
-
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
-
-=head1 HISTORY
-
-=cut
diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod
deleted file mode 100644
index 0895e8c392fa..000000000000
--- a/doc/crypto/EVP_DigestInit.pod
+++ /dev/null
@@ -1,282 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
-EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
-EVP_MD_CTX_copy_ex, EVP_DigestInit, EVP_DigestFinal, EVP_MD_CTX_copy, EVP_MD_type,
-EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size,
-EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1,
-EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
-EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
-EVP digest routines
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
- EVP_MD_CTX *EVP_MD_CTX_create(void);
-
- int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
- int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md,
- unsigned int *s);
-
- int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
- void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
-
- int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);
-
- int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
- int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
- unsigned int *s);
-
- int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);
-
- #define EVP_MAX_MD_SIZE 64 /* SHA512 */
-
- int EVP_MD_type(const EVP_MD *md);
- int EVP_MD_pkey_type(const EVP_MD *md);
- int EVP_MD_size(const EVP_MD *md);
- int EVP_MD_block_size(const EVP_MD *md);
-
- const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
- #define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e))
- #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest)
- #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest)
-
- const EVP_MD *EVP_md_null(void);
- const EVP_MD *EVP_md2(void);
- const EVP_MD *EVP_md5(void);
- const EVP_MD *EVP_sha(void);
- const EVP_MD *EVP_sha1(void);
- const EVP_MD *EVP_dss(void);
- const EVP_MD *EVP_dss1(void);
- const EVP_MD *EVP_mdc2(void);
- const EVP_MD *EVP_ripemd160(void);
-
- const EVP_MD *EVP_sha224(void);
- const EVP_MD *EVP_sha256(void);
- const EVP_MD *EVP_sha384(void);
- const EVP_MD *EVP_sha512(void);
-
- const EVP_MD *EVP_get_digestbyname(const char *name);
- #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
- #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
-
-=head1 DESCRIPTION
-
-The EVP digest routines are a high level interface to message digests.
-
-EVP_MD_CTX_init() initializes digest context B<ctx>.
-
-EVP_MD_CTX_create() allocates, initializes and returns a digest context.
-
-EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
-B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
-function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
-If B<impl> is NULL then the default implementation of digest B<type> is used.
-
-EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
-digest context B<ctx>. This function can be called several times on the
-same B<ctx> to hash additional data.
-
-EVP_DigestFinal_ex() retrieves the digest value from B<ctx> and places
-it in B<md>. If the B<s> parameter is not NULL then the number of
-bytes of data written (i.e. the length of the digest) will be written
-to the integer at B<s>, at most B<EVP_MAX_MD_SIZE> bytes will be written.
-After calling EVP_DigestFinal_ex() no additional calls to EVP_DigestUpdate()
-can be made, but EVP_DigestInit_ex() can be called to initialize a new
-digest operation.
-
-EVP_MD_CTX_cleanup() cleans up digest context B<ctx>, it should be called
-after a digest context is no longer needed.
-
-EVP_MD_CTX_destroy() cleans up digest context B<ctx> and frees up the
-space allocated to it, it should be called only on a context created
-using EVP_MD_CTX_create().
-
-EVP_MD_CTX_copy_ex() can be used to copy the message digest state from
-B<in> to B<out>. This is useful if large amounts of data are to be
-hashed which only differ in the last few bytes. B<out> must be initialized
-before calling this function.
-
-EVP_DigestInit() behaves in the same way as EVP_DigestInit_ex() except
-the passed context B<ctx> does not have to be initialized, and it always
-uses the default digest implementation.
-
-EVP_DigestFinal() is similar to EVP_DigestFinal_ex() except the digest
-context B<ctx> is automatically cleaned up.
-
-EVP_MD_CTX_copy() is similar to EVP_MD_CTX_copy_ex() except the destination
-B<out> does not have to be initialized.
-
-EVP_MD_size() and EVP_MD_CTX_size() return the size of the message digest
-when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure, i.e. the size of the
-hash.
-
-EVP_MD_block_size() and EVP_MD_CTX_block_size() return the block size of the
-message digest when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure.
-
-EVP_MD_type() and EVP_MD_CTX_type() return the NID of the OBJECT IDENTIFIER
-representing the given message digest when passed an B<EVP_MD> structure.
-For example EVP_MD_type(EVP_sha1()) returns B<NID_sha1>. This function is
-normally used when setting ASN1 OIDs.
-
-EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed
-B<EVP_MD_CTX>.
-
-EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated
-with this digest. For example EVP_sha1() is associated with RSA so this will
-return B<NID_sha1WithRSAEncryption>. Since digests and signature algorithms
-are no longer linked this function is only retained for compatibility
-reasons.
-
-EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
-EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD>
-structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2
-and RIPEMD160 digest algorithms respectively.
-
-EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
-algorithms but using DSS (DSA) for the signature algorithm. Note: there is
-no need to use these pseudo-digests in OpenSSL 1.0.0 and later, they are
-however retained for compatibility.
-
-EVP_md_null() is a "null" message digest that does nothing: i.e. the hash it
-returns is of zero length.
-
-EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
-return an B<EVP_MD> structure when passed a digest name, a digest NID or
-an ASN1_OBJECT structure respectively. The digest table must be initialized
-using, for example, OpenSSL_add_all_digests() for these functions to work.
-
-=head1 RETURN VALUES
-
-EVP_DigestInit_ex(), EVP_DigestUpdate() and EVP_DigestFinal_ex() return 1 for
-success and 0 for failure.
-
-EVP_MD_CTX_copy_ex() returns 1 if successful or 0 for failure.
-
-EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
-corresponding OBJECT IDENTIFIER or NID_undef if none exists.
-
-EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
-EVP_MD_CTX_block_size() return the digest or block size in bytes.
-
-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
-EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
-corresponding EVP_MD structures.
-
-EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj()
-return either an B<EVP_MD> structure or NULL if an error occurs.
-
-=head1 NOTES
-
-The B<EVP> interface to message digests should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the digest used and much more flexible.
-
-New applications should use the SHA2 digest algorithms such as SHA256.
-The other digest algorithms are still in common use.
-
-For most applications the B<impl> parameter to EVP_DigestInit_ex() will be
-set to NULL to use the default digest implementation.
-
-The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are
-obsolete but are retained to maintain compatibility with existing code. New
-applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and
-EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context
-instead of initializing and cleaning it up on each call and allow non default
-implementations of digests to be specified.
-
-In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use
-memory leaks will occur.
-
-Stack allocation of EVP_MD_CTX structures is common, for example:
-
- EVP_MD_CTX mctx;
- EVP_MD_CTX_init(&mctx);
-
-This will cause binary compatibility issues if the size of EVP_MD_CTX
-structure changes (this will only happen with a major release of OpenSSL).
-Applications wishing to avoid this should use EVP_MD_CTX_create() instead:
-
- EVP_MD_CTX *mctx;
- mctx = EVP_MD_CTX_create();
-
-
-=head1 EXAMPLE
-
-This example digests the data "Test Message\n" and "Hello World\n", using the
-digest name passed on the command line.
-
- #include <stdio.h>
- #include <openssl/evp.h>
-
- main(int argc, char *argv[])
- {
- EVP_MD_CTX *mdctx;
- const EVP_MD *md;
- char mess1[] = "Test Message\n";
- char mess2[] = "Hello World\n";
- unsigned char md_value[EVP_MAX_MD_SIZE];
- int md_len, i;
-
- OpenSSL_add_all_digests();
-
- if(!argv[1]) {
- printf("Usage: mdtest digestname\n");
- exit(1);
- }
-
- md = EVP_get_digestbyname(argv[1]);
-
- if(!md) {
- printf("Unknown message digest %s\n", argv[1]);
- exit(1);
- }
-
- mdctx = EVP_MD_CTX_create();
- EVP_DigestInit_ex(mdctx, md, NULL);
- EVP_DigestUpdate(mdctx, mess1, strlen(mess1));
- EVP_DigestUpdate(mdctx, mess2, strlen(mess2));
- EVP_DigestFinal_ex(mdctx, md_value, &md_len);
- EVP_MD_CTX_destroy(mdctx);
-
- printf("Digest is: ");
- for(i = 0; i < md_len; i++)
- printf("%02x", md_value[i]);
- printf("\n");
-
- /* Call this once before exit. */
- EVP_cleanup();
- exit(0);
- }
-
-=head1 SEE ALSO
-
-L<dgst(1)|dgst(1)>,
-L<evp(3)|evp(3)>
-
-=head1 HISTORY
-
-EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are
-available in all versions of SSLeay and OpenSSL.
-
-EVP_MD_CTX_init(), EVP_MD_CTX_create(), EVP_MD_CTX_copy_ex(),
-EVP_MD_CTX_cleanup(), EVP_MD_CTX_destroy(), EVP_DigestInit_ex()
-and EVP_DigestFinal_ex() were added in OpenSSL 0.9.7.
-
-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(),
-EVP_dss(), EVP_dss1(), EVP_mdc2() and EVP_ripemd160() were
-changed to return truly const EVP_MD * in OpenSSL 0.9.7.
-
-The link between digests and signing algorithms was fixed in OpenSSL 1.0 and
-later, so now EVP_sha1() can be used with RSA and DSA; there is no need to
-use EVP_dss1() any more.
-
-OpenSSL 1.0 and later does not include the MD2 digest algorithm in the
-default configuration due to its security weaknesses.
-
-=cut
diff --git a/doc/crypto/EVP_DigestSignInit.pod b/doc/crypto/EVP_DigestSignInit.pod
deleted file mode 100644
index 83e65894d9d9..000000000000
--- a/doc/crypto/EVP_DigestSignInit.pod
+++ /dev/null
@@ -1,87 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal - EVP signing functions
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
- const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
- int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
- int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);
-
-=head1 DESCRIPTION
-
-The EVP signature routines are a high level interface to digital signatures.
-
-EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from
-ENGINE B<impl> and private key B<pkey>. B<ctx> must be initialized with
-EVP_MD_CTX_init() before calling this function. If B<pctx> is not NULL the
-EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can
-be used to set alternative signing options.
-
-EVP_DigestSignUpdate() hashes B<cnt> bytes of data at B<d> into the
-signature context B<ctx>. This function can be called several times on the
-same B<ctx> to include additional data. This function is currently implemented
-usig a macro.
-
-EVP_DigestSignFinal() signs the data in B<ctx> places the signature in B<sig>.
-If B<sig> is B<NULL> then the maximum size of the output buffer is written to
-the B<siglen> parameter. If B<sig> is not B<NULL> then before the call the
-B<siglen> parameter should contain the length of the B<sig> buffer, if the
-call is successful the signature is written to B<sig> and the amount of data
-written to B<siglen>.
-
-=head1 RETURN VALUES
-
-EVP_DigestSignInit() EVP_DigestSignUpdate() and EVP_DigestSignaFinal() return
-1 for success and 0 or a negative value for failure. In particular a return
-value of -2 indicates the operation is not supported by the public key
-algorithm.
-
-The error codes can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 NOTES
-
-The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the algorithm used and much more flexible.
-
-In previous versions of OpenSSL there was a link between message digest types
-and public key algorithms. This meant that "clone" digests such as EVP_dss1()
-needed to be used to sign using SHA1 and DSA. This is no longer necessary and
-the use of clone digest is now discouraged.
-
-For some key types and parameters the random number generator must be seeded
-or the operation will fail.
-
-The call to EVP_DigestSignFinal() internally finalizes a copy of the digest
-context. This means that calls to EVP_DigestSignUpdate() and
-EVP_DigestSignFinal() can be called later to digest and sign additional data.
-
-Since only a copy of the digest context is ever finalized the context must
-be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
-will occur.
-
-The use of EVP_PKEY_size() with these functions is discouraged because some
-signature operations may have a signature length which depends on the
-parameters set. As a result EVP_PKEY_size() would have to return a value
-which indicates the maximum possible signature for any set of parameters.
-
-=head1 SEE ALSO
-
-L<EVP_DigestVerifyInit(3)|EVP_DigestVerifyInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-
-=head1 HISTORY
-
-EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal()
-were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_DigestVerifyInit.pod b/doc/crypto/EVP_DigestVerifyInit.pod
deleted file mode 100644
index 347c51166306..000000000000
--- a/doc/crypto/EVP_DigestVerifyInit.pod
+++ /dev/null
@@ -1,83 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal - EVP signature verification functions
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
- const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
- int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
- int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen);
-
-=head1 DESCRIPTION
-
-The EVP signature routines are a high level interface to digital signatures.
-
-EVP_DigestVerifyInit() sets up verification context B<ctx> to use digest
-B<type> from ENGINE B<impl> and public key B<pkey>. B<ctx> must be initialized
-with EVP_MD_CTX_init() before calling this function. If B<pctx> is not NULL the
-EVP_PKEY_CTX of the verification operation will be written to B<*pctx>: this
-can be used to set alternative verification options.
-
-EVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
-verification context B<ctx>. This function can be called several times on the
-same B<ctx> to include additional data. This function is currently implemented
-using a macro.
-
-EVP_DigestVerifyFinal() verifies the data in B<ctx> against the signature in
-B<sig> of length B<siglen>.
-
-=head1 RETURN VALUES
-
-EVP_DigestVerifyInit() and EVP_DigestVerifyUpdate() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2 indicates
-the operation is not supported by the public key algorithm.
-
-EVP_DigestVerifyFinal() returns 1 for success; any other value indicates
-failure. A return value of zero indicates that the signature did not verify
-successfully (that is, tbs did not match the original data or the signature had
-an invalid form), while other values indicate a more serious error (and
-sometimes also indicate an invalid signature form).
-
-The error codes can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 NOTES
-
-The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the algorithm used and much more flexible.
-
-In previous versions of OpenSSL there was a link between message digest types
-and public key algorithms. This meant that "clone" digests such as EVP_dss1()
-needed to be used to sign using SHA1 and DSA. This is no longer necessary and
-the use of clone digest is now discouraged.
-
-For some key types and parameters the random number generator must be seeded
-or the operation will fail.
-
-The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest
-context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can
-be called later to digest and verify additional data.
-
-Since only a copy of the digest context is ever finalized the context must
-be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
-will occur.
-
-=head1 SEE ALSO
-
-L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-
-=head1 HISTORY
-
-EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal()
-were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_EncodeInit.pod b/doc/crypto/EVP_EncodeInit.pod
deleted file mode 100644
index c6f12674f632..000000000000
--- a/doc/crypto/EVP_EncodeInit.pod
+++ /dev/null
@@ -1,127 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_EncodeInit, EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock,
-EVP_DecodeInit, EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock - EVP base 64
-encode/decode routines
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
- void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
- const unsigned char *in, int inl);
- void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl);
- int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n);
-
- void EVP_DecodeInit(EVP_ENCODE_CTX *ctx);
- int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
- const unsigned char *in, int inl);
- int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
- char *out, int *outl);
- int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
-
-=head1 DESCRIPTION
-
-The EVP encode routines provide a high level interface to base 64 encoding and
-decoding. Base 64 encoding converts binary data into a printable form that uses
-the characters A-Z, a-z, 0-9, "+" and "/" to represent the data. For every 3
-bytes of binary data provided 4 bytes of base 64 encoded data will be produced
-plus some occasional newlines (see below). If the input data length is not a
-multiple of 3 then the output data will be padded at the end using the "="
-character.
-
-Encoding of binary data is performed in blocks of 48 input bytes (or less for
-the final block). For each 48 byte input block encoded 64 bytes of base 64 data
-is output plus an additional newline character (i.e. 65 bytes in total). The
-final block (which may be less than 48 bytes) will output 4 bytes for every 3
-bytes of input. If the data length is not divisible by 3 then a full 4 bytes is
-still output for the final 1 or 2 bytes of input. Similarly a newline character
-will also be output.
-
-EVP_EncodeInit() initialises B<ctx> for the start of a new encoding operation.
-
-EVP_EncodeUpdate() encode B<inl> bytes of data found in the buffer pointed to by
-B<in>. The output is stored in the buffer B<out> and the number of bytes output
-is stored in B<*outl>. It is the caller's responsibility to ensure that the
-buffer at B<out> is sufficiently large to accommodate the output data. Only full
-blocks of data (48 bytes) will be immediately processed and output by this
-function. Any remainder is held in the B<ctx> object and will be processed by a
-subsequent call to EVP_EncodeUpdate() or EVP_EncodeFinal(). To calculate the
-required size of the output buffer add together the value of B<inl> with the
-amount of unprocessed data held in B<ctx> and divide the result by 48 (ignore
-any remainder). This gives the number of blocks of data that will be processed.
-Ensure the output buffer contains 65 bytes of storage for each block, plus an
-additional byte for a NUL terminator. EVP_EncodeUpdate() may be called
-repeatedly to process large amounts of input data. In the event of an error
-EVP_EncodeUpdate() will set B<*outl> to 0.
-
-EVP_EncodeFinal() must be called at the end of an encoding operation. It will
-process any partial block of data remaining in the B<ctx> object. The output
-data will be stored in B<out> and the length of the data written will be stored
-in B<*outl>. It is the caller's responsibility to ensure that B<out> is
-sufficiently large to accommodate the output data which will never be more than
-65 bytes plus an additional NUL terminator (i.e. 66 bytes in total).
-
-EVP_EncodeBlock() encodes a full block of input data in B<f> and of length
-B<dlen> and stores it in B<t>. For every 3 bytes of input provided 4 bytes of
-output data will be produced. If B<dlen> is not divisible by 3 then the block is
-encoded as a final block of data and the output is padded such that it is always
-divisible by 4. Additionally a NUL terminator character will be added. For
-example if 16 bytes of input data is provided then 24 bytes of encoded data is
-created plus 1 byte for a NUL terminator (i.e. 25 bytes in total). The length of
-the data generated I<without> the NUL terminator is returned from the function.
-
-EVP_DecodeInit() initialises B<ctx> for the start of a new decoding operation.
-
-EVP_DecodeUpdate() decodes B<inl> characters of data found in the buffer pointed
-to by B<in>. The output is stored in the buffer B<out> and the number of bytes
-output is stored in B<*outl>. It is the caller's responsibility to ensure that
-the buffer at B<out> is sufficiently large to accommodate the output data. This
-function will attempt to decode as much data as possible in 4 byte chunks. Any
-whitespace, newline or carriage return characters are ignored. Any partial chunk
-of unprocessed data (1, 2 or 3 bytes) that remains at the end will be held in
-the B<ctx> object and processed by a subsequent call to EVP_DecodeUpdate(). If
-any illegal base 64 characters are encountered or if the base 64 padding
-character "=" is encountered in the middle of the data then the function returns
--1 to indicate an error. A return value of 0 or 1 indicates successful
-processing of the data. A return value of 0 additionally indicates that the last
-input data characters processed included the base 64 padding character "=" and
-therefore no more non-padding character data is expected to be processed. For
-every 4 valid base 64 bytes processed (ignoring whitespace, carriage returns and
-line feeds), 3 bytes of binary output data will be produced (or less at the end
-of the data where the padding character "=" has been used).
-
-EVP_DecodeFinal() must be called at the end of a decoding operation. If there
-is any unprocessed data still in B<ctx> then the input data must not have been
-a multiple of 4 and therefore an error has occurred. The function will return -1
-in this case. Otherwise the function returns 1 on success.
-
-EVP_DecodeBlock() will decode the block of B<n> characters of base 64 data
-contained in B<f> and store the result in B<t>. Any leading whitespace will be
-trimmed as will any trailing whitespace, newlines, carriage returns or EOF
-characters. After such trimming the length of the data in B<f> must be divisbile
-by 4. For every 4 input bytes exactly 3 output bytes will be produced. The
-output will be padded with 0 bits if necessary to ensure that the output is
-always 3 bytes for every 4 input bytes. This function will return the length of
-the data decoded or -1 on error.
-
-=head1 RETURN VALUES
-
-EVP_EncodeBlock() returns the number of bytes encoded excluding the NUL
-terminator.
-
-EVP_DecodeUpdate() returns -1 on error and 0 or 1 on success. If 0 is returned
-then no more non-padding base 64 characters are expected.
-
-EVP_DecodeFinal() returns -1 on error or 1 on success.
-
-EVP_DecodeBlock() returns the length of the data decoded or -1 on error.
-
-=head1 SEE ALSO
-
-L<evp(3)>
-
-=cut
diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod
deleted file mode 100644
index 4973f0a23ba3..000000000000
--- a/doc/crypto/EVP_EncryptInit.pod
+++ /dev/null
@@ -1,594 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_CIPHER_CTX_init, EVP_EncryptInit_ex, EVP_EncryptUpdate,
-EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate,
-EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate,
-EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length,
-EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX_cleanup, EVP_EncryptInit,
-EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal,
-EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname,
-EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid,
-EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length,
-EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher,
-EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length,
-EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data,
-EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags,
-EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param,
-EVP_CIPHER_CTX_set_padding, EVP_enc_null, EVP_des_cbc, EVP_des_ecb,
-EVP_des_cfb, EVP_des_ofb, EVP_des_ede_cbc, EVP_des_ede, EVP_des_ede_ofb,
-EVP_des_ede_cfb, EVP_des_ede3_cbc, EVP_des_ede3, EVP_des_ede3_ofb,
-EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_rc4_hmac_md5,
-EVP_idea_cbc, EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_rc2_cbc,
-EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc,
-EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc,
-EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, EVP_rc5_32_12_16_cbc,
-EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ofb,
-EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ccm,
-EVP_aes_192_ccm, EVP_aes_256_ccm,
-EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1,
-EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256
-- EVP cipher routines
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
-
- int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
- ENGINE *impl, const unsigned char *key, const unsigned char *iv);
- int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl, const unsigned char *in, int inl);
- int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl);
-
- int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
- ENGINE *impl, const unsigned char *key, const unsigned char *iv);
- int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl, const unsigned char *in, int inl);
- int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
- int *outl);
-
- int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
- ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
- int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl, const unsigned char *in, int inl);
- int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
- int *outl);
-
- int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
- const unsigned char *key, const unsigned char *iv);
- int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl);
-
- int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
- const unsigned char *key, const unsigned char *iv);
- int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
- int *outl);
-
- int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
- const unsigned char *key, const unsigned char *iv, int enc);
- int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
- int *outl);
-
- int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
- int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
- int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
- int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
-
- const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
- #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
- #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
-
- #define EVP_CIPHER_nid(e) ((e)->nid)
- #define EVP_CIPHER_block_size(e) ((e)->block_size)
- #define EVP_CIPHER_key_length(e) ((e)->key_len)
- #define EVP_CIPHER_iv_length(e) ((e)->iv_len)
- #define EVP_CIPHER_flags(e) ((e)->flags)
- #define EVP_CIPHER_mode(e) ((e)->flags) & EVP_CIPH_MODE)
- int EVP_CIPHER_type(const EVP_CIPHER *ctx);
-
- #define EVP_CIPHER_CTX_cipher(e) ((e)->cipher)
- #define EVP_CIPHER_CTX_nid(e) ((e)->cipher->nid)
- #define EVP_CIPHER_CTX_block_size(e) ((e)->cipher->block_size)
- #define EVP_CIPHER_CTX_key_length(e) ((e)->key_len)
- #define EVP_CIPHER_CTX_iv_length(e) ((e)->cipher->iv_len)
- #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
- #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
- #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
- #define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags)
- #define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE)
-
- int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
- int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
-
-=head1 DESCRIPTION
-
-The EVP cipher routines are a high level interface to certain
-symmetric ciphers.
-
-EVP_CIPHER_CTX_init() initializes cipher contex B<ctx>.
-
-EVP_EncryptInit_ex() sets up cipher context B<ctx> for encryption
-with cipher B<type> from ENGINE B<impl>. B<ctx> must be initialized
-before calling this function. B<type> is normally supplied
-by a function such as EVP_aes_256_cbc(). If B<impl> is NULL then the
-default implementation is used. B<key> is the symmetric key to use
-and B<iv> is the IV to use (if necessary), the actual number of bytes
-used for the key and IV depends on the cipher. It is possible to set
-all parameters to NULL except B<type> in an initial call and supply
-the remaining parameters in subsequent calls, all of which have B<type>
-set to NULL. This is done when the default cipher parameters are not
-appropriate.
-
-EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
-writes the encrypted version to B<out>. This function can be called
-multiple times to encrypt successive blocks of data. The amount
-of data written depends on the block alignment of the encrypted data:
-as a result the amount of data written may be anything from zero bytes
-to (inl + cipher_block_size - 1) so B<out> should contain sufficient
-room. The actual number of bytes written is placed in B<outl>.
-
-If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
-the "final" data, that is any data that remains in a partial block.
-It uses L<standard block padding|/NOTES> (aka PKCS padding). The encrypted
-final data is written to B<out> which should have sufficient space for
-one cipher block. The number of bytes written is placed in B<outl>. After
-this function is called the encryption operation is finished and no further
-calls to EVP_EncryptUpdate() should be made.
-
-If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
-data and it will return an error if any data remains in a partial block:
-that is if the total data length is not a multiple of the block size.
-
-EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the
-corresponding decryption operations. EVP_DecryptFinal() will return an
-error code if padding is enabled and the final block is not correctly
-formatted. The parameters and restrictions are identical to the encryption
-operations except that if padding is enabled the decrypted data buffer B<out>
-passed to EVP_DecryptUpdate() should have sufficient room for
-(B<inl> + cipher_block_size) bytes unless the cipher block size is 1 in
-which case B<inl> bytes is sufficient.
-
-EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex() are
-functions that can be used for decryption or encryption. The operation
-performed depends on the value of the B<enc> parameter. It should be set
-to 1 for encryption, 0 for decryption and -1 to leave the value unchanged
-(the actual value of 'enc' being supplied in a previous call).
-
-EVP_CIPHER_CTX_cleanup() clears all information from a cipher context
-and free up any allocated memory associate with it. It should be called
-after all operations using a cipher are complete so sensitive information
-does not remain in memory.
-
-EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
-similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
-EVP_CipherInit_ex() except the B<ctx> parameter does not need to be
-initialized and they always use the default cipher implementation.
-
-EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() are
-identical to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
-EVP_CipherFinal_ex(). In previous releases they also cleaned up
-the B<ctx>, but this is no longer done and EVP_CIPHER_CTX_clean()
-must be called to free any context resources.
-
-EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
-return an EVP_CIPHER structure when passed a cipher name, a NID or an
-ASN1_OBJECT structure.
-
-EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when
-passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure. The actual NID
-value is an internal value which may not have a corresponding OBJECT
-IDENTIFIER.
-
-EVP_CIPHER_CTX_set_padding() enables or disables padding. By default
-encryption operations are padded using standard block padding and the
-padding is checked and removed when decrypting. If the B<pad> parameter
-is zero then no padding is performed, the total amount of data encrypted
-or decrypted must then be a multiple of the block size or an error will
-occur.
-
-EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
-length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
-structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length
-for all ciphers. Note: although EVP_CIPHER_key_length() is fixed for a
-given cipher, the value of EVP_CIPHER_CTX_key_length() may be different
-for variable key length ciphers.
-
-EVP_CIPHER_CTX_set_key_length() sets the key length of the cipher ctx.
-If the cipher is a fixed length cipher then attempting to set the key
-length to any value other than the fixed value is an error.
-
-EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
-length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>.
-It will return zero if the cipher does not use an IV. The constant
-B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
-
-EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
-size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
-structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block
-length for all ciphers.
-
-EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed
-cipher or context. This "type" is the actual NID of the cipher OBJECT
-IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and
-128 bit RC2 have the same NID. If the cipher does not have an object
-identifier or does not have ASN1 support this function will return
-B<NID_undef>.
-
-EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed
-an B<EVP_CIPHER_CTX> structure.
-
-EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode:
-EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE or
-EVP_CIPH_OFB_MODE. If the cipher is a stream cipher then
-EVP_CIPH_STREAM_CIPHER is returned.
-
-EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based
-on the passed cipher. This will typically include any parameters and an
-IV. The cipher IV (if any) must be set when this call is made. This call
-should be made before the cipher is actually "used" (before any
-EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function
-may fail if the cipher does not have any ASN1 support.
-
-EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1
-AlgorithmIdentifier "parameter". The precise effect depends on the cipher
-In the case of RC2, for example, it will set the IV and effective key length.
-This function should be called after the base cipher type is set but before
-the key is set. For example EVP_CipherInit() will be called with the IV and
-key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
-EVP_CipherInit() again with all parameters except the key set to NULL. It is
-possible for this function to fail if the cipher does not have any ASN1 support
-or the parameters cannot be set (for example the RC2 effective key length
-is not supported.
-
-EVP_CIPHER_CTX_ctrl() allows various cipher specific parameters to be determined
-and set.
-
-=head1 RETURN VALUES
-
-EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
-return 1 for success and 0 for failure.
-
-EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
-EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
-
-EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure.
-EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
-
-EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure.
-
-EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
-return an B<EVP_CIPHER> structure or NULL on error.
-
-EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
-
-EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
-size.
-
-EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
-length.
-
-EVP_CIPHER_CTX_set_padding() always returns 1.
-
-EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
-length or zero if the cipher does not use an IV.
-
-EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
-OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
-
-EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
-
-EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for
-success or zero for failure.
-
-=head1 CIPHER LISTING
-
-All algorithms have a fixed key length unless otherwise stated.
-
-=over 4
-
-=item EVP_enc_null()
-
-Null cipher: does nothing.
-
-=item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void)
-
-DES in CBC, ECB, CFB and OFB modes respectively.
-
-=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void), EVP_des_ede_cfb(void)
-
-Two key triple DES in CBC, ECB, CFB and OFB modes respectively.
-
-=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void), EVP_des_ede3_cfb(void)
-
-Three key triple DES in CBC, ECB, CFB and OFB modes respectively.
-
-=item EVP_desx_cbc(void)
-
-DESX algorithm in CBC mode.
-
-=item EVP_rc4(void)
-
-RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
-
-=item EVP_rc4_40(void)
-
-RC4 stream cipher with 40 bit key length. This is obsolete and new code should use EVP_rc4()
-and the EVP_CIPHER_CTX_set_key_length() function.
-
-=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void)
-
-IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
-
-=item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)
-
-RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
-length cipher with an additional parameter called "effective key bits" or "effective key length".
-By default both are set to 128 bits.
-
-=item EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)
-
-RC2 algorithm in CBC mode with a default key length and effective key length of 40 and 64 bits.
-These are obsolete and new code should use EVP_rc2_cbc(), EVP_CIPHER_CTX_set_key_length() and
-EVP_CIPHER_CTX_ctrl() to set the key length and effective key length.
-
-=item EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);
-
-Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
-length cipher.
-
-=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)
-
-CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
-length cipher.
-
-=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)
-
-RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key length
-cipher with an additional "number of rounds" parameter. By default the key length is set to 128
-bits and 12 rounds.
-
-=item EVP_aes_128_gcm(void), EVP_aes_192_gcm(void), EVP_aes_256_gcm(void)
-
-AES Galois Counter Mode (GCM) for 128, 192 and 256 bit keys respectively.
-These ciphers require additional control operations to function correctly: see
-L<GCM mode> section below for details.
-
-=item EVP_aes_128_ccm(void), EVP_aes_192_ccm(void), EVP_aes_256_ccm(void)
-
-AES Counter with CBC-MAC Mode (CCM) for 128, 192 and 256 bit keys respectively.
-These ciphers require additional control operations to function correctly: see
-CCM mode section below for details.
-
-=back
-
-=head1 GCM Mode
-
-For GCM mode ciphers the behaviour of the EVP interface is subtly altered and
-several GCM specific ctrl operations are supported.
-
-To specify any additional authenticated data (AAD) a call to EVP_CipherUpdate(),
-EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
-parameter B<out> set to B<NULL>.
-
-When decrypting the return value of EVP_DecryptFinal() or EVP_CipherFinal()
-indicates if the operation was successful. If it does not indicate success
-the authentication operation has failed and any output data B<MUST NOT>
-be used as it is corrupted.
-
-The following ctrls are supported in GCM mode:
-
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, NULL);
-
-Sets the GCM IV length: this call can only be made before specifying an IV. If
-not called a default IV length is used (96 bits for AES).
-
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, taglen, tag);
-
-Writes B<taglen> bytes of the tag value to the buffer indicated by B<tag>.
-This call can only be made when encrypting data and B<after> all data has been
-processed (e.g. after an EVP_EncryptFinal() call).
-
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, taglen, tag);
-
-Sets the expected tag to B<taglen> bytes from B<tag>. This call is only legal
-when decrypting data.
-
-=head1 CCM Mode
-
-The behaviour of CCM mode ciphers is similar to CCM mode but with a few
-additional requirements and different ctrl values.
-
-Like GCM mode any additional authenticated data (AAD) is passed by calling
-EVP_CipherUpdate(), EVP_EncryptUpdate() or EVP_DecryptUpdate() with the output
-parameter B<out> set to B<NULL>. Additionally the total plaintext or ciphertext
-length B<MUST> be passed to EVP_CipherUpdate(), EVP_EncryptUpdate() or
-EVP_DecryptUpdate() with the output and input parameters (B<in> and B<out>)
-set to B<NULL> and the length passed in the B<inl> parameter.
-
-The following ctrls are supported in CCM mode:
-
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, taglen, tag);
-
-This call is made to set the expected B<CCM> tag value when decrypting or
-the length of the tag (with the B<tag> parameter set to NULL) when encrypting.
-The tag length is often referred to as B<M>. If not set a default value is
-used (12 for AES).
-
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL);
-
-Sets the CCM B<L> value. If not set a default is used (8 for AES).
-
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, ivlen, NULL);
-
-Sets the CCM nonce (IV) length: this call can only be made before specifying
-an nonce value. The nonce length is given by B<15 - L> so it is 7 by default
-for AES.
-
-
-
-=head1 NOTES
-
-Where possible the B<EVP> interface to symmetric ciphers should be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the cipher used and much more flexible. Additionally, the
-B<EVP> interface will ensure the use of platform specific cryptographic
-acceleration such as AES-NI (the low level interfaces do not provide the
-guarantee).
-
-PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
-length of the encrypted data a multiple of the block size. Padding is always
-added so if the data is already a multiple of the block size B<n> will equal
-the block size. For example if the block size is 8 and 11 bytes are to be
-encrypted then 5 padding bytes of value 5 will be added.
-
-When decrypting the final block is checked to see if it has the correct form.
-
-Although the decryption operation can produce an error if padding is enabled,
-it is not a strong test that the input data or key is correct. A random block
-has better than 1 in 256 chance of being of the correct format and problems with
-the input data earlier on will not produce a final decrypt error.
-
-If padding is disabled then the decryption operation will always succeed if
-the total amount of data decrypted is a multiple of the block size.
-
-The functions EVP_EncryptInit(), EVP_EncryptFinal(), EVP_DecryptInit(),
-EVP_CipherInit() and EVP_CipherFinal() are obsolete but are retained for
-compatibility with existing code. New code should use EVP_EncryptInit_ex(),
-EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(),
-EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an
-existing context without allocating and freeing it up on each call.
-
-=head1 BUGS
-
-For RC5 the number of rounds can currently only be set to 8, 12 or 16. This is
-a limitation of the current RC5 code rather than the EVP interface.
-
-EVP_MAX_KEY_LENGTH and EVP_MAX_IV_LENGTH only refer to the internal ciphers with
-default key lengths. If custom ciphers exceed these values the results are
-unpredictable. This is because it has become standard practice to define a
-generic key as a fixed unsigned char array containing EVP_MAX_KEY_LENGTH bytes.
-
-The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
-for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
-
-=head1 EXAMPLES
-
-Encrypt a string using IDEA:
-
- int do_crypt(char *outfile)
- {
- unsigned char outbuf[1024];
- int outlen, tmplen;
- /* Bogus key and IV: we'd normally set these from
- * another source.
- */
- unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
- unsigned char iv[] = {1,2,3,4,5,6,7,8};
- char intext[] = "Some Crypto Text";
- EVP_CIPHER_CTX ctx;
- FILE *out;
-
- EVP_CIPHER_CTX_init(&ctx);
- EVP_EncryptInit_ex(&ctx, EVP_idea_cbc(), NULL, key, iv);
-
- if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
- {
- /* Error */
- return 0;
- }
- /* Buffer passed to EVP_EncryptFinal() must be after data just
- * encrypted to avoid overwriting it.
- */
- if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen))
- {
- /* Error */
- return 0;
- }
- outlen += tmplen;
- EVP_CIPHER_CTX_cleanup(&ctx);
- /* Need binary mode for fopen because encrypted data is
- * binary data. Also cannot use strlen() on it because
- * it wont be null terminated and may contain embedded
- * nulls.
- */
- out = fopen(outfile, "wb");
- fwrite(outbuf, 1, outlen, out);
- fclose(out);
- return 1;
- }
-
-The ciphertext from the above example can be decrypted using the B<openssl>
-utility with the command line (shown on two lines for clarity):
-
- openssl idea -d <filename
- -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708
-
-General encryption and decryption function example using FILE I/O and AES128
-with a 128-bit key:
-
- int do_crypt(FILE *in, FILE *out, int do_encrypt)
- {
- /* Allow enough space in output buffer for additional block */
- unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
- int inlen, outlen;
- EVP_CIPHER_CTX ctx;
- /* Bogus key and IV: we'd normally set these from
- * another source.
- */
- unsigned char key[] = "0123456789abcdeF";
- unsigned char iv[] = "1234567887654321";
-
- /* Don't set key or IV right away; we want to check lengths */
- EVP_CIPHER_CTX_init(&ctx);
- EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
- do_encrypt);
- OPENSSL_assert(EVP_CIPHER_CTX_key_length(&ctx) == 16);
- OPENSSL_assert(EVP_CIPHER_CTX_iv_length(&ctx) == 16);
-
- /* Now we can set key and IV */
- EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt);
-
- for(;;)
- {
- inlen = fread(inbuf, 1, 1024, in);
- if(inlen <= 0) break;
- if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
- {
- /* Error */
- EVP_CIPHER_CTX_cleanup(&ctx);
- return 0;
- }
- fwrite(outbuf, 1, outlen, out);
- }
- if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
- {
- /* Error */
- EVP_CIPHER_CTX_cleanup(&ctx);
- return 0;
- }
- fwrite(outbuf, 1, outlen, out);
-
- EVP_CIPHER_CTX_cleanup(&ctx);
- return 1;
- }
-
-
-=head1 SEE ALSO
-
-L<evp(3)|evp(3)>
-
-=head1 HISTORY
-
-EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(),
-EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(),
-EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in
-OpenSSL 0.9.7.
-
-IDEA appeared in OpenSSL 0.9.7 but was often disabled due to
-patent concerns; the last patents expired in 2012.
-
-=cut
diff --git a/doc/crypto/EVP_OpenInit.pod b/doc/crypto/EVP_OpenInit.pod
deleted file mode 100644
index 2e710da945b0..000000000000
--- a/doc/crypto/EVP_OpenInit.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal - EVP envelope decryption
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
- int ekl,unsigned char *iv,EVP_PKEY *priv);
- int EVP_OpenUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl, unsigned char *in, int inl);
- int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl);
-
-=head1 DESCRIPTION
-
-The EVP envelope routines are a high level interface to envelope
-decryption. They decrypt a public key encrypted symmetric key and
-then decrypt data using it.
-
-EVP_OpenInit() initializes a cipher context B<ctx> for decryption
-with cipher B<type>. It decrypts the encrypted symmetric key of length
-B<ekl> bytes passed in the B<ek> parameter using the private key B<priv>.
-The IV is supplied in the B<iv> parameter.
-
-EVP_OpenUpdate() and EVP_OpenFinal() have exactly the same properties
-as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as
-documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
-page.
-
-=head1 NOTES
-
-It is possible to call EVP_OpenInit() twice in the same way as
-EVP_DecryptInit(). The first call should have B<priv> set to NULL
-and (after setting any cipher parameters) it should be called again
-with B<type> set to NULL.
-
-If the cipher passed in the B<type> parameter is a variable length
-cipher then the key length will be set to the value of the recovered
-key length. If the cipher is a fixed length cipher then the recovered
-key length must match the fixed cipher length.
-
-=head1 RETURN VALUES
-
-EVP_OpenInit() returns 0 on error or a non zero integer (actually the
-recovered secret key size) if successful.
-
-EVP_OpenUpdate() returns 1 for success or 0 for failure.
-
-EVP_OpenFinal() returns 0 if the decrypt failed or 1 for success.
-
-=head1 SEE ALSO
-
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<EVP_SealInit(3)|EVP_SealInit(3)>
-
-=head1 HISTORY
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_CTX_ctrl.pod b/doc/crypto/EVP_PKEY_CTX_ctrl.pod
deleted file mode 100644
index 44b5fdb7f2ec..000000000000
--- a/doc/crypto/EVP_PKEY_CTX_ctrl.pod
+++ /dev/null
@@ -1,134 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_CTX_ctrl, EVP_PKEY_CTX_ctrl_str, EVP_PKEY_get_default_digest_nid,
-EVP_PKEY_CTX_set_signature_md, EVP_PKEY_CTX_set_rsa_padding,
-EVP_PKEY_CTX_set_rsa_pss_saltlen, EVP_PKEY_CTX_set_rsa_rsa_keygen_bits,
-EVP_PKEY_CTX_set_rsa_keygen_pubexp, EVP_PKEY_CTX_set_dsa_paramgen_bits,
-EVP_PKEY_CTX_set_dh_paramgen_prime_len,
-EVP_PKEY_CTX_set_dh_paramgen_generator,
-EVP_PKEY_CTX_set_ec_paramgen_curve_nid - algorithm specific control operations
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
- int cmd, int p1, void *p2);
- int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
- const char *value);
-
- int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
-
- #include <openssl/rsa.h>
-
- int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
-
- int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad);
- int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len);
- int EVP_PKEY_CTX_set_rsa_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits);
- int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
-
- #include <openssl/dsa.h>
- int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits);
-
- #include <openssl/dh.h>
- int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int len);
- int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen);
-
- #include <openssl/ec.h>
- int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
-
-=head1 DESCRIPTION
-
-The function EVP_PKEY_CTX_ctrl() sends a control operation to the context
-B<ctx>. The key type used must match B<keytype> if it is not -1. The parameter
-B<optype> is a mask indicating which operations the control can be applied to.
-The control command is indicated in B<cmd> and any additional arguments in
-B<p1> and B<p2>.
-
-Applications will not normally call EVP_PKEY_CTX_ctrl() directly but will
-instead call one of the algorithm specific macros below.
-
-The function EVP_PKEY_CTX_ctrl_str() allows an application to send an algorithm
-specific control operation to a context B<ctx> in string form. This is
-intended to be used for options specified on the command line or in text
-files. The commands supported are documented in the openssl utility
-command line pages for the option B<-pkeyopt> which is supported by the
-B<pkeyutl>, B<genpkey> and B<req> commands.
-
-All the remaining "functions" are implemented as macros.
-
-The EVP_PKEY_CTX_set_signature_md() macro sets the message digest type used
-in a signature. It can be used with any public key algorithm supporting
-signature operations.
-
-The macro EVP_PKEY_CTX_set_rsa_padding() sets the RSA padding mode for B<ctx>.
-The B<pad> parameter can take the value RSA_PKCS1_PADDING for PKCS#1 padding,
-RSA_SSLV23_PADDING for SSLv23 padding, RSA_NO_PADDING for no padding,
-RSA_PKCS1_OAEP_PADDING for OAEP padding (encrypt and decrypt only),
-RSA_X931_PADDING for X9.31 padding (signature operations only) and
-RSA_PKCS1_PSS_PADDING (sign and verify only).
-
-Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md()
-is used. If this macro is called for PKCS#1 padding the plaintext buffer is
-an actual digest value and is encapsulated in a DigestInfo structure according
-to PKCS#1 when signing and this structure is expected (and stripped off) when
-verifying. If this control is not used with RSA and PKCS#1 padding then the
-supplied data is used directly and not encapsulated. In the case of X9.31
-padding for RSA the algorithm identifier byte is added or checked and removed
-if this control is called. If it is not called then the first byte of the plaintext buffer is expected to be the algorithm identifier byte.
-
-The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to
-B<len> as its name implies it is only supported for PSS padding. Two special
-values are supported: -1 sets the salt length to the digest length. When
-signing -2 sets the salt length to the maximum permissible value. When
-verifying -2 causes the salt length to be automatically determined based on the
-B<PSS> block structure. If this macro is not called a salt length value of -2
-is used by default.
-
-The EVP_PKEY_CTX_set_rsa_rsa_keygen_bits() macro sets the RSA key length for
-RSA key genration to B<bits>. If not specified 1024 bits is used.
-
-The EVP_PKEY_CTX_set_rsa_keygen_pubexp() macro sets the public exponent value
-for RSA key generation to B<pubexp> currently it should be an odd integer. The
-B<pubexp> pointer is used internally by this function so it should not be
-modified or free after the call. If this macro is not called then 65537 is used.
-
-The macro EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used
-for DSA parameter generation to B<bits>. If not specified 1024 is used.
-
-The macro EVP_PKEY_CTX_set_dh_paramgen_prime_len() sets the length of the DH
-prime parameter B<p> for DH parameter generation. If this macro is not called
-then 1024 is used.
-
-The EVP_PKEY_CTX_set_dh_paramgen_generator() macro sets DH generator to B<gen>
-for DH parameter generation. If not specified 2 is used.
-
-The EVP_PKEY_CTX_set_ec_paramgen_curve_nid() sets the EC curve for EC parameter
-generation to B<nid>. For EC parameter generation this macro must be called
-or an error occurs because there is no default curve.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_CTX_ctrl() and its macros return a positive value for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_CTX_new.pod b/doc/crypto/EVP_PKEY_CTX_new.pod
deleted file mode 100644
index a9af8675801b..000000000000
--- a/doc/crypto/EVP_PKEY_CTX_new.pod
+++ /dev/null
@@ -1,52 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free - public key algorithm context functions.
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
- EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e);
- EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx);
- void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_CTX_new() function allocates public key algorithm context using
-the algorithm specified in B<pkey> and ENGINE B<e>.
-
-The EVP_PKEY_CTX_new_id() function allocates public key algorithm context
-using the algorithm specified by B<id> and ENGINE B<e>. It is normally used
-when no B<EVP_PKEY> structure is associated with the operations, for example
-during parameter generation of key genration for some algorithms.
-
-EVP_PKEY_CTX_dup() duplicates the context B<ctx>.
-
-EVP_PKEY_CTX_free() frees up the context B<ctx>.
-
-=head1 NOTES
-
-The B<EVP_PKEY_CTX> structure is an opaque public key algorithm context used
-by the OpenSSL high level public key API. Contexts B<MUST NOT> be shared between
-threads: that is it is not permissible to use the same context simultaneously
-in two threads.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_CTX_new(), EVP_PKEY_CTX_new_id(), EVP_PKEY_CTX_dup() returns either
-the newly allocated B<EVP_PKEY_CTX> structure of B<NULL> if an error occurred.
-
-EVP_PKEY_CTX_free() does not return a value.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_cmp.pod b/doc/crypto/EVP_PKEY_cmp.pod
deleted file mode 100644
index f8e7ff1039ee..000000000000
--- a/doc/crypto/EVP_PKEY_cmp.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters, EVP_PKEY_cmp - public key parameter and comparison functions
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
- int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
-
- int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b);
- int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
-
-=head1 DESCRIPTION
-
-The function EVP_PKEY_missing_parameters() returns 1 if the public key
-parameters of B<pkey> are missing and 0 if they are present or the algorithm
-doesn't use parameters.
-
-The function EVP_PKEY_copy_parameters() copies the parameters from key
-B<from> to key B<to>. An error is returned if the parameters are missing in
-B<from> or present in both B<from> and B<to> and mismatch. If the parameters
-in B<from> and B<to> are both present and match this function has no effect.
-
-The function EVP_PKEY_cmp_parameters() compares the parameters of keys
-B<a> and B<b>.
-
-The function EVP_PKEY_cmp() compares the public key components and paramters
-(if present) of keys B<a> and B<b>.
-
-=head1 NOTES
-
-The main purpose of the functions EVP_PKEY_missing_parameters() and
-EVP_PKEY_copy_parameters() is to handle public keys in certificates where the
-parameters are sometimes omitted from a public key if they are inherited from
-the CA that signed it.
-
-Since OpenSSL private keys contain public key components too the function
-EVP_PKEY_cmp() can also be used to determine if a private key matches
-a public key.
-
-=head1 RETURN VALUES
-
-The function EVP_PKEY_missing_parameters() returns 1 if the public key
-parameters of B<pkey> are missing and 0 if they are present or the algorithm
-doesn't use parameters.
-
-These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for
-failure.
-
-The function EVP_PKEY_cmp_parameters() and EVP_PKEY_cmp() return 1 if the
-keys match, 0 if they don't match, -1 if the key types are different and
--2 if the operation is not supported.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_decrypt.pod b/doc/crypto/EVP_PKEY_decrypt.pod
deleted file mode 100644
index 847983237b9b..000000000000
--- a/doc/crypto/EVP_PKEY_decrypt.pod
+++ /dev/null
@@ -1,93 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_decrypt_init, EVP_PKEY_decrypt - decrypt using a public key algorithm
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
- unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_decrypt_init() function initializes a public key algorithm
-context using key B<pkey> for a decryption operation.
-
-The EVP_PKEY_decrypt() function performs a public key decryption operation
-using B<ctx>. The data to be decrypted is specified using the B<in> and
-B<inlen> parameters. If B<out> is B<NULL> then the maximum size of the output
-buffer is written to the B<outlen> parameter. If B<out> is not B<NULL> then
-before the call the B<outlen> parameter should contain the length of the
-B<out> buffer, if the call is successful the decrypted data is written to
-B<out> and the amount of data written to B<outlen>.
-
-=head1 NOTES
-
-After the call to EVP_PKEY_decrypt_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-
-The function EVP_PKEY_decrypt() can be called more than once on the same
-context if several operations are performed using the same parameters.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_decrypt_init() and EVP_PKEY_decrypt() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-
-=head1 EXAMPLE
-
-Decrypt data using OAEP (for RSA keys):
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
-
- EVP_PKEY_CTX *ctx;
- unsigned char *out, *in;
- size_t outlen, inlen;
- EVP_PKEY *key;
- /* NB: assumes key in, inlen are already set up
- * and that key is an RSA private key
- */
- ctx = EVP_PKEY_CTX_new(key);
- if (!ctx)
- /* Error occurred */
- if (EVP_PKEY_decrypt_init(ctx) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0)
- /* Error */
-
- /* Determine buffer length */
- if (EVP_PKEY_decrypt(ctx, NULL, &outlen, in, inlen) <= 0)
- /* Error */
-
- out = OPENSSL_malloc(outlen);
-
- if (!out)
- /* malloc failure */
-
- if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0)
- /* Error */
-
- /* Decrypted data is outlen bytes written to buffer out */
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_derive.pod b/doc/crypto/EVP_PKEY_derive.pod
deleted file mode 100644
index 27464be5718e..000000000000
--- a/doc/crypto/EVP_PKEY_derive.pod
+++ /dev/null
@@ -1,93 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive - derive public key algorithm shared secret.
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);
- int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_derive_init() function initializes a public key algorithm
-context using key B<pkey> for shared secret derivation.
-
-The EVP_PKEY_derive_set_peer() function sets the peer key: this will normally
-be a public key.
-
-The EVP_PKEY_derive() derives a shared secret using B<ctx>.
-If B<key> is B<NULL> then the maximum size of the output buffer is written to
-the B<keylen> parameter. If B<key> is not B<NULL> then before the call the
-B<keylen> parameter should contain the length of the B<key> buffer, if the call
-is successful the shared secret is written to B<key> and the amount of data
-written to B<keylen>.
-
-=head1 NOTES
-
-After the call to EVP_PKEY_derive_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-
-The function EVP_PKEY_derive() can be called more than once on the same
-context if several operations are performed using the same parameters.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_derive_init() and EVP_PKEY_derive() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-
-=head1 EXAMPLE
-
-Derive shared secret (for example DH or EC keys):
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
-
- EVP_PKEY_CTX *ctx;
- unsigned char *skey;
- size_t skeylen;
- EVP_PKEY *pkey, *peerkey;
- /* NB: assumes pkey, peerkey have been already set up */
-
- ctx = EVP_PKEY_CTX_new(pkey);
- if (!ctx)
- /* Error occurred */
- if (EVP_PKEY_derive_init(ctx) <= 0)
- /* Error */
- if (EVP_PKEY_derive_set_peer(ctx, peerkey) <= 0)
- /* Error */
-
- /* Determine buffer length */
- if (EVP_PKEY_derive(ctx, NULL, &skeylen) <= 0)
- /* Error */
-
- skey = OPENSSL_malloc(skeylen);
-
- if (!skey)
- /* malloc failure */
-
- if (EVP_PKEY_derive(ctx, skey, &skeylen) <= 0)
- /* Error */
-
- /* Shared secret is skey bytes written to buffer skey */
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_encrypt.pod b/doc/crypto/EVP_PKEY_encrypt.pod
deleted file mode 100644
index 6799ce1010bd..000000000000
--- a/doc/crypto/EVP_PKEY_encrypt.pod
+++ /dev/null
@@ -1,99 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_encrypt_init, EVP_PKEY_encrypt - encrypt using a public key algorithm
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
- unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_encrypt_init() function initializes a public key algorithm
-context using key B<pkey> for an encryption operation.
-
-The EVP_PKEY_encrypt() function performs a public key encryption operation
-using B<ctx>. The data to be encrypted is specified using the B<in> and
-B<inlen> parameters. If B<out> is B<NULL> then the maximum size of the output
-buffer is written to the B<outlen> parameter. If B<out> is not B<NULL> then
-before the call the B<outlen> parameter should contain the length of the
-B<out> buffer, if the call is successful the encrypted data is written to
-B<out> and the amount of data written to B<outlen>.
-
-=head1 NOTES
-
-After the call to EVP_PKEY_encrypt_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-
-The function EVP_PKEY_encrypt() can be called more than once on the same
-context if several operations are performed using the same parameters.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_encrypt_init() and EVP_PKEY_encrypt() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-
-=head1 EXAMPLE
-
-Encrypt data using OAEP (for RSA keys). See also L<PEM_read_PUBKEY(3)|pem(3)> or
-L<d2i_X509(3)|d2i_X509(3)> for means to load a public key. You may also simply
-set 'eng = NULL;' to start with the default OpenSSL RSA implementation:
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
- #include <openssl/engine.h>
-
- EVP_PKEY_CTX *ctx;
- ENGINE *eng;
- unsigned char *out, *in;
- size_t outlen, inlen;
- EVP_PKEY *key;
- /* NB: assumes eng, key, in, inlen are already set up,
- * and that key is an RSA public key
- */
- ctx = EVP_PKEY_CTX_new(key,eng);
- if (!ctx)
- /* Error occurred */
- if (EVP_PKEY_encrypt_init(ctx) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0)
- /* Error */
-
- /* Determine buffer length */
- if (EVP_PKEY_encrypt(ctx, NULL, &outlen, in, inlen) <= 0)
- /* Error */
-
- out = OPENSSL_malloc(outlen);
-
- if (!out)
- /* malloc failure */
-
- if (EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen) <= 0)
- /* Error */
-
- /* Encrypted data is outlen bytes written to buffer out */
-
-=head1 SEE ALSO
-
-L<d2i_X509(3)|d2i_X509(3)>,
-L<engine(3)|engine(3)>,
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_get_default_digest.pod b/doc/crypto/EVP_PKEY_get_default_digest.pod
deleted file mode 100644
index 8ff597d44adf..000000000000
--- a/doc/crypto/EVP_PKEY_get_default_digest.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_get_default_digest_nid - get default signature digest
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
- int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_get_default_digest_nid() function sets B<pnid> to the default
-message digest NID for the public key signature operations associated with key
-B<pkey>.
-
-=head1 NOTES
-
-For all current standard OpenSSL public key algorithms SHA1 is returned.
-
-=head1 RETURN VALUES
-
-The EVP_PKEY_get_default_digest_nid() function returns 1 if the message digest
-is advisory (that is other digests can be used) and 2 if it is mandatory (other
-digests can not be used). It returns 0 or a negative value for failure. In
-particular a return value of -2 indicates the operation is not supported by the
-public key algorithm.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-
-=head1 HISTORY
-
-This function was first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_keygen.pod b/doc/crypto/EVP_PKEY_keygen.pod
deleted file mode 100644
index fd431ace6dcc..000000000000
--- a/doc/crypto/EVP_PKEY_keygen.pod
+++ /dev/null
@@ -1,161 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init, EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb, EVP_PKEY_CTX_get_keygen_info, EVP_PKEVP_PKEY_CTX_set_app_data, EVP_PKEY_CTX_get_app_data - key and parameter generation functions
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
- int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
-
- typedef int EVP_PKEY_gen_cb(EVP_PKEY_CTX *ctx);
-
- void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);
- EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx);
-
- int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx);
-
- void EVP_PKEY_CTX_set_app_data(EVP_PKEY_CTX *ctx, void *data);
- void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_keygen_init() function initializes a public key algorithm
-context using key B<pkey> for a key genration operation.
-
-The EVP_PKEY_keygen() function performs a key generation operation, the
-generated key is written to B<ppkey>.
-
-The functions EVP_PKEY_paramgen_init() and EVP_PKEY_paramgen() are similar
-except parameters are generated.
-
-The function EVP_PKEY_set_cb() sets the key or parameter generation callback
-to B<cb>. The function EVP_PKEY_CTX_get_cb() returns the key or parameter
-generation callback.
-
-The function EVP_PKEY_CTX_get_keygen_info() returns parameters associated
-with the generation operation. If B<idx> is -1 the total number of
-parameters available is returned. Any non negative value returns the value of
-that parameter. EVP_PKEY_CTX_gen_keygen_info() with a non-negative value for
-B<idx> should only be called within the generation callback.
-
-If the callback returns 0 then the key genration operation is aborted and an
-error occurs. This might occur during a time consuming operation where
-a user clicks on a "cancel" button.
-
-The functions EVP_PKEY_CTX_set_app_data() and EVP_PKEY_CTX_get_app_data() set
-and retrieve an opaque pointer. This can be used to set some application
-defined value which can be retrieved in the callback: for example a handle
-which is used to update a "progress dialog".
-
-=head1 NOTES
-
-After the call to EVP_PKEY_keygen_init() or EVP_PKEY_paramgen_init() algorithm
-specific control operations can be performed to set any appropriate parameters
-for the operation.
-
-The functions EVP_PKEY_keygen() and EVP_PKEY_paramgen() can be called more than
-once on the same context if several operations are performed using the same
-parameters.
-
-The meaning of the parameters passed to the callback will depend on the
-algorithm and the specifiic implementation of the algorithm. Some might not
-give any useful information at all during key or parameter generation. Others
-might not even call the callback.
-
-The operation performed by key or parameter generation depends on the algorithm
-used. In some cases (e.g. EC with a supplied named curve) the "generation"
-option merely sets the appropriate fields in an EVP_PKEY structure.
-
-In OpenSSL an EVP_PKEY structure containing a private key also contains the
-public key components and parameters (if any). An OpenSSL private key is
-equivalent to what some libraries call a "key pair". A private key can be used
-in functions which require the use of a public key or parameters.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_keygen_init(), EVP_PKEY_paramgen_init(), EVP_PKEY_keygen() and
-EVP_PKEY_paramgen() return 1 for success and 0 or a negative value for failure.
-In particular a return value of -2 indicates the operation is not supported by
-the public key algorithm.
-
-=head1 EXAMPLES
-
-Generate a 2048 bit RSA key:
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
-
- EVP_PKEY_CTX *ctx;
- EVP_PKEY *pkey = NULL;
- ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
- if (!ctx)
- /* Error occurred */
- if (EVP_PKEY_keygen_init(ctx) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
- /* Error */
-
- /* Generate key */
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
- /* Error */
-
-Generate a key from a set of parameters:
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
-
- EVP_PKEY_CTX *ctx;
- EVP_PKEY *pkey = NULL, *param;
- /* Assumed param is set up already */
- ctx = EVP_PKEY_CTX_new(param);
- if (!ctx)
- /* Error occurred */
- if (EVP_PKEY_keygen_init(ctx) <= 0)
- /* Error */
-
- /* Generate key */
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
- /* Error */
-
-Example of generation callback for OpenSSL public key implementations:
-
- /* Application data is a BIO to output status to */
-
- EVP_PKEY_CTX_set_app_data(ctx, status_bio);
-
- static int genpkey_cb(EVP_PKEY_CTX *ctx)
- {
- char c='*';
- BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
- int p;
- p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
- if (p == 0) c='.';
- if (p == 1) c='+';
- if (p == 2) c='*';
- if (p == 3) c='\n';
- BIO_write(b,&c,1);
- (void)BIO_flush(b);
- return 1;
- }
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_meth_new.pod b/doc/crypto/EVP_PKEY_meth_new.pod
deleted file mode 100644
index 041492a8f0fb..000000000000
--- a/doc/crypto/EVP_PKEY_meth_new.pod
+++ /dev/null
@@ -1,376 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_meth_new, EVP_PKEY_meth_free, EVP_PKEY_meth_copy, EVP_PKEY_meth_find,
-EVP_PKEY_meth_add0, EVP_PKEY_METHOD,
-EVP_PKEY_meth_set_init, EVP_PKEY_meth_set_copy, EVP_PKEY_meth_set_cleanup,
-EVP_PKEY_meth_set_paramgen, EVP_PKEY_meth_set_keygen, EVP_PKEY_meth_set_sign,
-EVP_PKEY_meth_set_verify, EVP_PKEY_meth_set_verify_recover, EVP_PKEY_meth_set_signctx,
-EVP_PKEY_meth_set_verifyctx, EVP_PKEY_meth_set_encrypt, EVP_PKEY_meth_set_decrypt,
-EVP_PKEY_meth_set_derive, EVP_PKEY_meth_set_ctrl,
-EVP_PKEY_meth_get_init, EVP_PKEY_meth_get_copy, EVP_PKEY_meth_get_cleanup,
-EVP_PKEY_meth_get_paramgen, EVP_PKEY_meth_get_keygen, EVP_PKEY_meth_get_sign,
-EVP_PKEY_meth_get_verify, EVP_PKEY_meth_get_verify_recover, EVP_PKEY_meth_get_signctx,
-EVP_PKEY_meth_get_verifyctx, EVP_PKEY_meth_get_encrypt, EVP_PKEY_meth_get_decrypt,
-EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl
-- manipulating EVP_PKEY_METHOD structure
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
-
- EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
- void EVP_PKEY_meth_free(EVP_PKEY_METHOD *pmeth);
- void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src);
- const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
- int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth);
-
- void EVP_PKEY_meth_set_init(EVP_PKEY_METHOD *pmeth,
- int (*init) (EVP_PKEY_CTX *ctx));
- void EVP_PKEY_meth_set_copy(EVP_PKEY_METHOD *pmeth,
- int (*copy) (EVP_PKEY_CTX *dst,
- EVP_PKEY_CTX *src));
- void EVP_PKEY_meth_set_cleanup(EVP_PKEY_METHOD *pmeth,
- void (*cleanup) (EVP_PKEY_CTX *ctx));
- void EVP_PKEY_meth_set_paramgen(EVP_PKEY_METHOD *pmeth,
- int (*paramgen_init) (EVP_PKEY_CTX *ctx),
- int (*paramgen) (EVP_PKEY_CTX *ctx,
- EVP_PKEY *pkey));
- void EVP_PKEY_meth_set_keygen(EVP_PKEY_METHOD *pmeth,
- int (*keygen_init) (EVP_PKEY_CTX *ctx),
- int (*keygen) (EVP_PKEY_CTX *ctx,
- EVP_PKEY *pkey));
- void EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *pmeth,
- int (*sign_init) (EVP_PKEY_CTX *ctx),
- int (*sign) (EVP_PKEY_CTX *ctx,
- unsigned char *sig, size_t *siglen,
- const unsigned char *tbs,
- size_t tbslen));
- void EVP_PKEY_meth_set_verify(EVP_PKEY_METHOD *pmeth,
- int (*verify_init) (EVP_PKEY_CTX *ctx),
- int (*verify) (EVP_PKEY_CTX *ctx,
- const unsigned char *sig,
- size_t siglen,
- const unsigned char *tbs,
- size_t tbslen));
- void EVP_PKEY_meth_set_verify_recover(EVP_PKEY_METHOD *pmeth,
- int (*verify_recover_init) (EVP_PKEY_CTX
- *ctx),
- int (*verify_recover) (EVP_PKEY_CTX
- *ctx,
- unsigned char
- *sig,
- size_t *siglen,
- const unsigned
- char *tbs,
- size_t tbslen));
- void EVP_PKEY_meth_set_signctx(EVP_PKEY_METHOD *pmeth,
- int (*signctx_init) (EVP_PKEY_CTX *ctx,
- EVP_MD_CTX *mctx),
- int (*signctx) (EVP_PKEY_CTX *ctx,
- unsigned char *sig,
- size_t *siglen,
- EVP_MD_CTX *mctx));
- void EVP_PKEY_meth_set_verifyctx(EVP_PKEY_METHOD *pmeth,
- int (*verifyctx_init) (EVP_PKEY_CTX *ctx,
- EVP_MD_CTX *mctx),
- int (*verifyctx) (EVP_PKEY_CTX *ctx,
- const unsigned char *sig,
- int siglen,
- EVP_MD_CTX *mctx));
- void EVP_PKEY_meth_set_encrypt(EVP_PKEY_METHOD *pmeth,
- int (*encrypt_init) (EVP_PKEY_CTX *ctx),
- int (*encryptfn) (EVP_PKEY_CTX *ctx,
- unsigned char *out,
- size_t *outlen,
- const unsigned char *in,
- size_t inlen));
- void EVP_PKEY_meth_set_decrypt(EVP_PKEY_METHOD *pmeth,
- int (*decrypt_init) (EVP_PKEY_CTX *ctx),
- int (*decrypt) (EVP_PKEY_CTX *ctx,
- unsigned char *out,
- size_t *outlen,
- const unsigned char *in,
- size_t inlen));
- void EVP_PKEY_meth_set_derive(EVP_PKEY_METHOD *pmeth,
- int (*derive_init) (EVP_PKEY_CTX *ctx),
- int (*derive) (EVP_PKEY_CTX *ctx,
- unsigned char *key,
- size_t *keylen));
- void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
- int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
- void *p2),
- int (*ctrl_str) (EVP_PKEY_CTX *ctx,
- const char *type,
- const char *value));
-
- void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
- int (**pinit) (EVP_PKEY_CTX *ctx));
- void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth,
- int (**pcopy) (EVP_PKEY_CTX *dst,
- EVP_PKEY_CTX *src));
- void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth,
- void (**pcleanup) (EVP_PKEY_CTX *ctx));
- void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth,
- int (**pparamgen_init) (EVP_PKEY_CTX *ctx),
- int (**pparamgen) (EVP_PKEY_CTX *ctx,
- EVP_PKEY *pkey));
- void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
- int (**pkeygen_init) (EVP_PKEY_CTX *ctx),
- int (**pkeygen) (EVP_PKEY_CTX *ctx,
- EVP_PKEY *pkey));
- void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
- int (**psign_init) (EVP_PKEY_CTX *ctx),
- int (**psign) (EVP_PKEY_CTX *ctx,
- unsigned char *sig, size_t *siglen,
- const unsigned char *tbs,
- size_t tbslen));
- void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth,
- int (**pverify_init) (EVP_PKEY_CTX *ctx),
- int (**pverify) (EVP_PKEY_CTX *ctx,
- const unsigned char *sig,
- size_t siglen,
- const unsigned char *tbs,
- size_t tbslen));
- void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth,
- int (**pverify_recover_init) (EVP_PKEY_CTX
- *ctx),
- int (**pverify_recover) (EVP_PKEY_CTX
- *ctx,
- unsigned char
- *sig,
- size_t *siglen,
- const unsigned
- char *tbs,
- size_t tbslen));
- void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth,
- int (**psignctx_init) (EVP_PKEY_CTX *ctx,
- EVP_MD_CTX *mctx),
- int (**psignctx) (EVP_PKEY_CTX *ctx,
- unsigned char *sig,
- size_t *siglen,
- EVP_MD_CTX *mctx));
- void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth,
- int (**pverifyctx_init) (EVP_PKEY_CTX *ctx,
- EVP_MD_CTX *mctx),
- int (**pverifyctx) (EVP_PKEY_CTX *ctx,
- const unsigned char *sig,
- int siglen,
- EVP_MD_CTX *mctx));
- void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth,
- int (**pencrypt_init) (EVP_PKEY_CTX *ctx),
- int (**pencryptfn) (EVP_PKEY_CTX *ctx,
- unsigned char *out,
- size_t *outlen,
- const unsigned char *in,
- size_t inlen));
- void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
- int (**pdecrypt_init) (EVP_PKEY_CTX *ctx),
- int (**pdecrypt) (EVP_PKEY_CTX *ctx,
- unsigned char *out,
- size_t *outlen,
- const unsigned char *in,
- size_t inlen));
- void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth,
- int (**pderive_init) (EVP_PKEY_CTX *ctx),
- int (**pderive) (EVP_PKEY_CTX *ctx,
- unsigned char *key,
- size_t *keylen));
- void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth,
- int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
- void *p2),
- int (**pctrl_str) (EVP_PKEY_CTX *ctx,
- const char *type,
- const char *value));
-
-=head1 DESCRIPTION
-
-B<EVP_PKEY_METHOD> is a structure which holds a set of methods for a
-specific public key cryptographic algorithm. Those methods are usually
-used to perform different jobs, such as generating a key, signing or
-verifying, encrypting or decrypting, etc.
-
-There are two places where the B<EVP_PKEY_METHOD> objects are stored: one
-is a built-in static array representing the standard methods for different
-algorithms, and the other one is a stack of user-defined application-specific
-methods, which can be manipulated by using L<EVP_PKEY_meth_add0(3)>.
-
-The B<EVP_PKEY_METHOD> objects are usually referenced by B<EVP_PKEY_CTX>
-objects.
-
-=head2 Methods
-
-The methods are the underlying implementations of a particular public key
-algorithm present by the B<EVP_PKEY_CTX> object.
-
- int (*init) (EVP_PKEY_CTX *ctx);
- int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
- void (*cleanup) (EVP_PKEY_CTX *ctx);
-
-The init() method is called to initialize algorithm-specific data when a new
-B<EVP_PKEY_CTX> is created. As opposed to init(), the cleanup() method is called
-when an B<EVP_PKEY_CTX> is freed. The copy() method is called when an B<EVP_PKEY_CTX>
-is being duplicated. Refer to L<EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_CTX_new_id(3)>,
-L<EVP_PKEY_CTX_free(3)> and L<EVP_PKEY_CTX_dup(3)>.
-
- int (*paramgen_init) (EVP_PKEY_CTX *ctx);
- int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
-
-The paramgen_init() and paramgen() methods deal with key parameter generation.
-They are called by L<EVP_PKEY_paramgen_init(3)> and L<EVP_PKEY_paramgen(3)> to
-handle the parameter generation process.
-
- int (*keygen_init) (EVP_PKEY_CTX *ctx);
- int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
-
-The keygen_init() and keygen() methods are used to generate the actual key for
-the specified algorithm. They are called by L<EVP_PKEY_keygen_init(3)> and
-L<EVP_PKEY_keygen(3)>.
-
- int (*sign_init) (EVP_PKEY_CTX *ctx);
- int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen);
-
-The sign_init() and sign() methods are used to generate the signature of a
-piece of data using a private key. They are called by L<EVP_PKEY_sign_init(3)>
-and L<EVP_PKEY_sign(3)>.
-
- int (*verify_init) (EVP_PKEY_CTX *ctx);
- int (*verify) (EVP_PKEY_CTX *ctx,
- const unsigned char *sig, size_t siglen,
- const unsigned char *tbs, size_t tbslen);
-
-The verify_init() and verify() methods are used to verify whether a signature is
-valid. They are called by L<EVP_PKEY_verify_init(3)> and L<EVP_PKEY_verify(3)>.
-
- int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
- int (*verify_recover) (EVP_PKEY_CTX *ctx,
- unsigned char *rout, size_t *routlen,
- const unsigned char *sig, size_t siglen);
-
-The verify_recover_init() and verify_recover() methods are used to verify a
-signature and then recover the digest from the signature (for instance, a
-signature that was generated by RSA signing algorithm). They are called by
-L<EVP_PKEY_verify_recover_init(3)> and L<EVP_PKEY_verify_recover(3)>.
-
- int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
- int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
- EVP_MD_CTX *mctx);
-
-The signctx_init() and signctx() methods are used to sign a digest present by
-a B<EVP_MD_CTX> object. They are called by the EVP_DigestSign functions. See
-L<EVP_DigestSignInit(3)> for detail.
-
- int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
- int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
- EVP_MD_CTX *mctx);
-
-The verifyctx_init() and verifyctx() methods are used to verify a signature
-against the data in a B<EVP_MD_CTX> object. They are called by the various
-EVP_DigestVerify functions. See L<EVP_DigestVerifyInit(3)> for detail.
-
- int (*encrypt_init) (EVP_PKEY_CTX *ctx);
- int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen);
-
-The encrypt_init() and encrypt() methods are used to encrypt a piece of data.
-They are called by L<EVP_PKEY_encrypt_init(3)> and L<EVP_PKEY_encrypt(3)>.
-
- int (*decrypt_init) (EVP_PKEY_CTX *ctx);
- int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
- const unsigned char *in, size_t inlen);
-
-The decrypt_init() and decrypt() methods are used to decrypt a piece of data.
-They are called by L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)>.
-
- int (*derive_init) (EVP_PKEY_CTX *ctx);
- int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
-
-The derive_init() and derive() methods are used to derive the shared secret
-from a public key algorithm (for instance, the DH algorithm). They are called by
-L<EVP_PKEY_derive_init(3)> and L<EVP_PKEY_derive(3)>.
-
- int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
- int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
-
-The ctrl() and ctrl_str() methods are used to adjust algorithm-specific
-settings. See L<EVP_PKEY_CTX_ctrl(3)> and related functions for detail.
-
- int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen);
- int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,
- size_t siglen, const unsigned char *tbs,
- size_t tbslen);
-
-The digestsign() and digestverify() methods are used to generate or verify
-a signature in a one-shot mode. They could be called by L<EVP_DigetSign(3)>
-and L<EVP_DigestVerify(3)>.
-
-=head2 Functions
-
-EVP_PKEY_meth_new() creates and returns a new B<EVP_PKEY_METHOD> object,
-and associates the given B<id> and B<flags>. The following flags are
-supported:
-
- EVP_PKEY_FLAG_AUTOARGLEN
- EVP_PKEY_FLAG_SIGCTX_CUSTOM
-
-If an B<EVP_PKEY_METHOD> is set with the B<EVP_PKEY_FLAG_AUTOARGLEN> flag, the
-maximum size of the output buffer will be automatically calculated or checked
-in corresponding EVP methods by the EVP framework. Thus the implementations of
-these methods don't need to care about handling the case of returning output
-buffer size by themselves. For details on the output buffer size, refer to
-L<EVP_PKEY_sign(3)>.
-
-The B<EVP_PKEY_FLAG_SIGCTX_CUSTOM> is used to indicate the signctx() method
-of an B<EVP_PKEY_METHOD> is always called by the EVP framework while doing a
-digest signing operation by calling L<EVP_DigestSignFinal(3)>.
-
-EVP_PKEY_meth_free() frees an existing B<EVP_PKEY_METHOD> pointed by
-B<pmeth>.
-
-EVP_PKEY_meth_copy() copies an B<EVP_PKEY_METHOD> object from B<src>
-to B<dst>.
-
-EVP_PKEY_meth_find() finds an B<EVP_PKEY_METHOD> object with the B<id>.
-This function first searches through the user-defined method objects and
-then the built-in objects.
-
-EVP_PKEY_meth_add0() adds B<pmeth> to the user defined stack of methods.
-
-The EVP_PKEY_meth_set functions set the corresponding fields of
-B<EVP_PKEY_METHOD> structure with the arguments passed.
-
-The EVP_PKEY_meth_get functions get the corresponding fields of
-B<EVP_PKEY_METHOD> structure to the arguments provided.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_meth_new() returns a pointer to a new B<EVP_PKEY_METHOD>
-object or returns NULL on error.
-
-EVP_PKEY_meth_free() and EVP_PKEY_meth_copy() do not return values.
-
-EVP_PKEY_meth_find() returns a pointer to the found B<EVP_PKEY_METHOD>
-object or returns NULL if not found.
-
-EVP_PKEY_meth_add0() returns 1 if method is added successfully or 0
-if an error occurred.
-
-All EVP_PKEY_meth_set and EVP_PKEY_meth_get functions have no return
-values. For the 'get' functions, function pointers are returned by
-arguments.
-
-=head1 COPYRIGHT
-
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the OpenSSL license (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_new.pod b/doc/crypto/EVP_PKEY_new.pod
deleted file mode 100644
index 10687e458db2..000000000000
--- a/doc/crypto/EVP_PKEY_new.pod
+++ /dev/null
@@ -1,47 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_new, EVP_PKEY_free - private key allocation functions.
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- EVP_PKEY *EVP_PKEY_new(void);
- void EVP_PKEY_free(EVP_PKEY *key);
-
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_new() function allocates an empty B<EVP_PKEY>
-structure which is used by OpenSSL to store private keys.
-
-EVP_PKEY_free() frees up the private key B<key>.
-
-=head1 NOTES
-
-The B<EVP_PKEY> structure is used by various OpenSSL functions
-which require a general private key without reference to any
-particular algorithm.
-
-The structure returned by EVP_PKEY_new() is empty. To add a
-private key to this empty structure the functions described in
-L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)> should be used.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_new() returns either the newly allocated B<EVP_PKEY>
-structure of B<NULL> if an error occurred.
-
-EVP_PKEY_free() does not return a value.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)>
-
-=head1 HISTORY
-
-TBA
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_print_private.pod b/doc/crypto/EVP_PKEY_print_private.pod
deleted file mode 100644
index ce9d70d7a7a0..000000000000
--- a/doc/crypto/EVP_PKEY_print_private.pod
+++ /dev/null
@@ -1,53 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params - public key algorithm printing routines.
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey,
- int indent, ASN1_PCTX *pctx);
- int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,
- int indent, ASN1_PCTX *pctx);
- int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,
- int indent, ASN1_PCTX *pctx);
-
-=head1 DESCRIPTION
-
-The functions EVP_PKEY_print_public(), EVP_PKEY_print_private() and
-EVP_PKEY_print_params() print out the public, private or parameter components
-of key B<pkey> respectively. The key is sent to BIO B<out> in human readable
-form. The parameter B<indent> indicated how far the printout should be indented.
-
-The B<pctx> parameter allows the print output to be finely tuned by using
-ASN1 printing options. If B<pctx> is set to NULL then default values will
-be used.
-
-=head1 NOTES
-
-Currently no public key algorithms include any options in the B<pctx> parameter
-parameter.
-
-If the key does not include all the components indicated by the function then
-only those contained in the key will be printed. For example passing a public
-key to EVP_PKEY_print_private() will only print the public components.
-
-=head1 RETURN VALUES
-
-These functions all return 1 for success and 0 or a negative value for failure.
-In particular a return value of -2 indicates the operation is not supported by
-the public key algorithm.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_set1_RSA.pod b/doc/crypto/EVP_PKEY_set1_RSA.pod
deleted file mode 100644
index 6f1017561516..000000000000
--- a/doc/crypto/EVP_PKEY_set1_RSA.pod
+++ /dev/null
@@ -1,80 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
-EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
-EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY,
-EVP_PKEY_type - EVP_PKEY assignment functions.
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_set1_RSA(EVP_PKEY *pkey,RSA *key);
- int EVP_PKEY_set1_DSA(EVP_PKEY *pkey,DSA *key);
- int EVP_PKEY_set1_DH(EVP_PKEY *pkey,DH *key);
- int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey,EC_KEY *key);
-
- RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
- DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
- DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
- EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
-
- int EVP_PKEY_assign_RSA(EVP_PKEY *pkey,RSA *key);
- int EVP_PKEY_assign_DSA(EVP_PKEY *pkey,DSA *key);
- int EVP_PKEY_assign_DH(EVP_PKEY *pkey,DH *key);
- int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey,EC_KEY *key);
-
- int EVP_PKEY_type(int type);
-
-=head1 DESCRIPTION
-
-EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and
-EVP_PKEY_set1_EC_KEY() set the key referenced by B<pkey> to B<key>.
-
-EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
-EVP_PKEY_get1_EC_KEY() return the referenced key in B<pkey> or
-B<NULL> if the key is not of the correct type.
-
-EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
-and EVP_PKEY_assign_EC_KEY() also set the referenced key to B<key>
-however these use the supplied B<key> internally and so B<key>
-will be freed when the parent B<pkey> is freed.
-
-EVP_PKEY_type() returns the type of key corresponding to the value
-B<type>. The type of a key can be obtained with
-EVP_PKEY_type(pkey->type). The return value will be EVP_PKEY_RSA,
-EVP_PKEY_DSA, EVP_PKEY_DH or EVP_PKEY_EC for the corresponding
-key types or NID_undef if the key type is unassigned.
-
-=head1 NOTES
-
-In accordance with the OpenSSL naming convention the key obtained
-from or assigned to the B<pkey> using the B<1> functions must be
-freed as well as B<pkey>.
-
-EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
-and EVP_PKEY_assign_EC_KEY() are implemented as macros.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and
-EVP_PKEY_set1_EC_KEY() return 1 for success or 0 for failure.
-
-EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
-EVP_PKEY_get1_EC_KEY() return the referenced key or B<NULL> if
-an error occurred.
-
-EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
-and EVP_PKEY_assign_EC_KEY() return 1 for success and 0 for failure.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>
-
-=head1 HISTORY
-
-TBA
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_sign.pod b/doc/crypto/EVP_PKEY_sign.pod
deleted file mode 100644
index 21974b4b1a9c..000000000000
--- a/doc/crypto/EVP_PKEY_sign.pod
+++ /dev/null
@@ -1,106 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_sign_init, EVP_PKEY_sign - sign using a public key algorithm
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
- unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_sign_init() function initializes a public key algorithm
-context using key B<pkey> for a signing operation.
-
-The EVP_PKEY_sign() function performs a public key signing operation
-using B<ctx>. The data to be signed is specified using the B<tbs> and
-B<tbslen> parameters. If B<sig> is B<NULL> then the maximum size of the output
-buffer is written to the B<siglen> parameter. If B<sig> is not B<NULL> then
-before the call the B<siglen> parameter should contain the length of the
-B<sig> buffer, if the call is successful the signature is written to
-B<sig> and the amount of data written to B<siglen>.
-
-=head1 NOTES
-
-EVP_PKEY_sign() does not hash the data to be signed, and therefore is
-normally used to sign digests. For signing arbitrary messages, see the
-L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)> and
-L<EVP_SignInit(3)|EVP_SignInit(3)> signing interfaces instead.
-
-After the call to EVP_PKEY_sign_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation (see L<EVP_PKEY_CTX_ctrl(3)|EVP_PKEY_CTX_ctrl(3)>).
-
-The function EVP_PKEY_sign() can be called more than once on the same
-context if several operations are performed using the same parameters.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_sign_init() and EVP_PKEY_sign() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-
-=head1 EXAMPLE
-
-Sign data using RSA with PKCS#1 padding and SHA256 digest:
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
-
- EVP_PKEY_CTX *ctx;
- /* md is a SHA-256 digest in this example. */
- unsigned char *md, *sig;
- size_t mdlen = 32, siglen;
- EVP_PKEY *signing_key;
-
- /*
- * NB: assumes signing_key and md are set up before the next
- * step. signing_key must be an RSA private key and md must
- * point to the SHA-256 digest to be signed.
- */
- ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
- if (!ctx)
- /* Error occurred */
- if (EVP_PKEY_sign_init(ctx) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
- /* Error */
-
- /* Determine buffer length */
- if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0)
- /* Error */
-
- sig = OPENSSL_malloc(siglen);
-
- if (!sig)
- /* malloc failure */
-
- if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0)
- /* Error */
-
- /* Signature is siglen bytes written to buffer sig */
-
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_CTX_ctrl(3)|EVP_PKEY_CTX_ctrl(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_verify.pod b/doc/crypto/EVP_PKEY_verify.pod
deleted file mode 100644
index 90612ba2f07a..000000000000
--- a/doc/crypto/EVP_PKEY_verify.pod
+++ /dev/null
@@ -1,91 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_verify_init, EVP_PKEY_verify - signature verification using a public key algorithm
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
- const unsigned char *sig, size_t siglen,
- const unsigned char *tbs, size_t tbslen);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_verify_init() function initializes a public key algorithm
-context using key B<pkey> for a signature verification operation.
-
-The EVP_PKEY_verify() function performs a public key verification operation
-using B<ctx>. The signature is specified using the B<sig> and
-B<siglen> parameters. The verified data (i.e. the data believed originally
-signed) is specified using the B<tbs> and B<tbslen> parameters.
-
-=head1 NOTES
-
-After the call to EVP_PKEY_verify_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-
-The function EVP_PKEY_verify() can be called more than once on the same
-context if several operations are performed using the same parameters.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_verify_init() and EVP_PKEY_verify() return 1 if the verification was
-successful and 0 if it failed. Unlike other functions the return value 0 from
-EVP_PKEY_verify() only indicates that the signature did not not verify
-successfully (that is tbs did not match the original data or the signature was
-of invalid form) it is not an indication of a more serious error.
-
-A negative value indicates an error other that signature verification failure.
-In particular a return value of -2 indicates the operation is not supported by
-the public key algorithm.
-
-=head1 EXAMPLE
-
-Verify signature using PKCS#1 and SHA256 digest:
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
-
- EVP_PKEY_CTX *ctx;
- unsigned char *md, *sig;
- size_t mdlen, siglen;
- EVP_PKEY *verify_key;
- /* NB: assumes verify_key, sig, siglen md and mdlen are already set up
- * and that verify_key is an RSA public key
- */
- ctx = EVP_PKEY_CTX_new(verify_key);
- if (!ctx)
- /* Error occurred */
- if (EVP_PKEY_verify_init(ctx) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
- /* Error */
-
- /* Perform operation */
- ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen);
-
- /* ret == 1 indicates success, 0 verify failure and < 0 for some
- * other error.
- */
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_PKEY_verify_recover.pod b/doc/crypto/EVP_PKEY_verify_recover.pod
deleted file mode 100644
index 23a28a9c43e8..000000000000
--- a/doc/crypto/EVP_PKEY_verify_recover.pod
+++ /dev/null
@@ -1,103 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using a public key algorithm
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
- int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
- unsigned char *rout, size_t *routlen,
- const unsigned char *sig, size_t siglen);
-
-=head1 DESCRIPTION
-
-The EVP_PKEY_verify_recover_init() function initializes a public key algorithm
-context using key B<pkey> for a verify recover operation.
-
-The EVP_PKEY_verify_recover() function recovers signed data
-using B<ctx>. The signature is specified using the B<sig> and
-B<siglen> parameters. If B<rout> is B<NULL> then the maximum size of the output
-buffer is written to the B<routlen> parameter. If B<rout> is not B<NULL> then
-before the call the B<routlen> parameter should contain the length of the
-B<rout> buffer, if the call is successful recovered data is written to
-B<rout> and the amount of data written to B<routlen>.
-
-=head1 NOTES
-
-Normally an application is only interested in whether a signature verification
-operation is successful in those cases the EVP_verify() function should be
-used.
-
-Sometimes however it is useful to obtain the data originally signed using a
-signing operation. Only certain public key algorithms can recover a signature
-in this way (for example RSA in PKCS padding mode).
-
-After the call to EVP_PKEY_verify_recover_init() algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
-
-The function EVP_PKEY_verify_recover() can be called more than once on the same
-context if several operations are performed using the same parameters.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for success
-and 0 or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
-
-=head1 EXAMPLE
-
-Recover digest originally signed using PKCS#1 and SHA256 digest:
-
- #include <openssl/evp.h>
- #include <openssl/rsa.h>
-
- EVP_PKEY_CTX *ctx;
- unsigned char *rout, *sig;
- size_t routlen, siglen;
- EVP_PKEY *verify_key;
- /* NB: assumes verify_key, sig and siglen are already set up
- * and that verify_key is an RSA public key
- */
- ctx = EVP_PKEY_CTX_new(verify_key);
- if (!ctx)
- /* Error occurred */
- if (EVP_PKEY_verify_recover_init(ctx) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
- /* Error */
- if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
- /* Error */
-
- /* Determine buffer length */
- if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0)
- /* Error */
-
- rout = OPENSSL_malloc(routlen);
-
- if (!rout)
- /* malloc failure */
-
- if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0)
- /* Error */
-
- /* Recovered data is routlen bytes written to buffer rout */
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-
-=head1 HISTORY
-
-These functions were first added to OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/EVP_SealInit.pod b/doc/crypto/EVP_SealInit.pod
deleted file mode 100644
index 19112a542d89..000000000000
--- a/doc/crypto/EVP_SealInit.pod
+++ /dev/null
@@ -1,85 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
- unsigned char **ek, int *ekl, unsigned char *iv,
- EVP_PKEY **pubk, int npubk);
- int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl, unsigned char *in, int inl);
- int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int *outl);
-
-=head1 DESCRIPTION
-
-The EVP envelope routines are a high level interface to envelope
-encryption. They generate a random key and IV (if required) then
-"envelope" it by using public key encryption. Data can then be
-encrypted using this key.
-
-EVP_SealInit() initializes a cipher context B<ctx> for encryption
-with cipher B<type> using a random secret key and IV. B<type> is normally
-supplied by a function such as EVP_aes_256_cbc(). The secret key is encrypted
-using one or more public keys, this allows the same encrypted data to be
-decrypted using any of the corresponding private keys. B<ek> is an array of
-buffers where the public key encrypted secret key will be written, each buffer
-must contain enough room for the corresponding encrypted key: that is
-B<ek[i]> must have room for B<EVP_PKEY_size(pubk[i])> bytes. The actual
-size of each encrypted secret key is written to the array B<ekl>. B<pubk> is
-an array of B<npubk> public keys.
-
-The B<iv> parameter is a buffer where the generated IV is written to. It must
-contain enough room for the corresponding cipher's IV, as determined by (for
-example) EVP_CIPHER_iv_length(type).
-
-If the cipher does not require an IV then the B<iv> parameter is ignored
-and can be B<NULL>.
-
-EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties
-as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as
-documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
-page.
-
-=head1 RETURN VALUES
-
-EVP_SealInit() returns 0 on error or B<npubk> if successful.
-
-EVP_SealUpdate() and EVP_SealFinal() return 1 for success and 0 for
-failure.
-
-=head1 NOTES
-
-Because a random secret key is generated the random number generator
-must be seeded before calling EVP_SealInit().
-
-The public key must be RSA because it is the only OpenSSL public key
-algorithm that supports key transport.
-
-Envelope encryption is the usual method of using public key encryption
-on large amounts of data, this is because public key encryption is slow
-but symmetric encryption is fast. So symmetric encryption is used for
-bulk encryption and the small random symmetric key used is transferred
-using public key encryption.
-
-It is possible to call EVP_SealInit() twice in the same way as
-EVP_EncryptInit(). The first call should have B<npubk> set to 0
-and (after setting any cipher parameters) it should be called again
-with B<type> set to NULL.
-
-=head1 SEE ALSO
-
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<EVP_OpenInit(3)|EVP_OpenInit(3)>
-
-=head1 HISTORY
-
-EVP_SealFinal() did not return a value before OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/EVP_SignInit.pod b/doc/crypto/EVP_SignInit.pod
deleted file mode 100644
index c63d6b339318..000000000000
--- a/doc/crypto/EVP_SignInit.pod
+++ /dev/null
@@ -1,107 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_SignInit, EVP_SignInit_ex, EVP_SignUpdate, EVP_SignFinal - EVP signing
-functions
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
- int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
- int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *sig,unsigned int *s, EVP_PKEY *pkey);
-
- void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
-
- int EVP_PKEY_size(EVP_PKEY *pkey);
-
-=head1 DESCRIPTION
-
-The EVP signature routines are a high level interface to digital
-signatures.
-
-EVP_SignInit_ex() sets up signing context B<ctx> to use digest
-B<type> from ENGINE B<impl>. B<ctx> must be initialized with
-EVP_MD_CTX_init() before calling this function.
-
-EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
-signature context B<ctx>. This function can be called several times on the
-same B<ctx> to include additional data.
-
-EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
-places the signature in B<sig>. B<sig> must be at least EVP_PKEY_size(pkey)
-bytes in size. B<s> is an OUT paramter, and not used as an IN parameter.
-The number of bytes of data written (i.e. the length of the signature)
-will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
-will be written.
-
-EVP_SignInit() initializes a signing context B<ctx> to use the default
-implementation of digest B<type>.
-
-EVP_PKEY_size() returns the maximum size of a signature in bytes. The actual
-signature returned by EVP_SignFinal() may be smaller.
-
-=head1 RETURN VALUES
-
-EVP_SignInit_ex(), EVP_SignUpdate() and EVP_SignFinal() return 1
-for success and 0 for failure.
-
-EVP_PKEY_size() returns the maximum size of a signature in bytes.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 NOTES
-
-The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the algorithm used and much more flexible.
-
-Due to the link between message digests and public key algorithms the correct
-digest algorithm must be used with the correct public key type. A list of
-algorithms and associated public key algorithms appears in
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
-
-When signing with DSA private keys the random number generator must be seeded
-or the operation will fail. The random number generator does not need to be
-seeded for RSA signatures.
-
-The call to EVP_SignFinal() internally finalizes a copy of the digest context.
-This means that calls to EVP_SignUpdate() and EVP_SignFinal() can be called
-later to digest and sign additional data.
-
-Since only a copy of the digest context is ever finalized the context must
-be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
-will occur.
-
-=head1 BUGS
-
-Older versions of this documentation wrongly stated that calls to
-EVP_SignUpdate() could not be made after calling EVP_SignFinal().
-
-Since the private key is passed in the call to EVP_SignFinal() any error
-relating to the private key (for example an unsuitable key and digest
-combination) will not be indicated until after potentially large amounts of
-data have been passed through EVP_SignUpdate().
-
-It is not possible to change the signing parameters using these function.
-
-The previous two bugs are fixed in the newer EVP_SignDigest*() function.
-
-=head1 SEE ALSO
-
-L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-
-=head1 HISTORY
-
-EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are
-available in all versions of SSLeay and OpenSSL.
-
-EVP_SignInit_ex() was added in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/EVP_VerifyInit.pod b/doc/crypto/EVP_VerifyInit.pod
deleted file mode 100644
index 9097f094105d..000000000000
--- a/doc/crypto/EVP_VerifyInit.pod
+++ /dev/null
@@ -1,95 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification functions
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- int EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
- int EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
- int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey);
-
- int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
-
-=head1 DESCRIPTION
-
-The EVP signature verification routines are a high level interface to digital
-signatures.
-
-EVP_VerifyInit_ex() sets up verification context B<ctx> to use digest
-B<type> from ENGINE B<impl>. B<ctx> must be initialized by calling
-EVP_MD_CTX_init() before calling this function.
-
-EVP_VerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
-verification context B<ctx>. This function can be called several times on the
-same B<ctx> to include additional data.
-
-EVP_VerifyFinal() verifies the data in B<ctx> using the public key B<pkey>
-and against the B<siglen> bytes at B<sigbuf>.
-
-EVP_VerifyInit() initializes verification context B<ctx> to use the default
-implementation of digest B<type>.
-
-=head1 RETURN VALUES
-
-EVP_VerifyInit_ex() and EVP_VerifyUpdate() return 1 for success and 0 for
-failure.
-
-EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some
-other error occurred.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 NOTES
-
-The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
-transparent to the algorithm used and much more flexible.
-
-Due to the link between message digests and public key algorithms the correct
-digest algorithm must be used with the correct public key type. A list of
-algorithms and associated public key algorithms appears in
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
-
-The call to EVP_VerifyFinal() internally finalizes a copy of the digest context.
-This means that calls to EVP_VerifyUpdate() and EVP_VerifyFinal() can be called
-later to digest and verify additional data.
-
-Since only a copy of the digest context is ever finalized the context must
-be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
-will occur.
-
-=head1 BUGS
-
-Older versions of this documentation wrongly stated that calls to
-EVP_VerifyUpdate() could not be made after calling EVP_VerifyFinal().
-
-Since the public key is passed in the call to EVP_SignFinal() any error
-relating to the private key (for example an unsuitable key and digest
-combination) will not be indicated until after potentially large amounts of
-data have been passed through EVP_SignUpdate().
-
-It is not possible to change the signing parameters using these function.
-
-The previous two bugs are fixed in the newer EVP_VerifyDigest*() function.
-
-=head1 SEE ALSO
-
-L<evp(3)|evp(3)>,
-L<EVP_SignInit(3)|EVP_SignInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
-
-=head1 HISTORY
-
-EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() are
-available in all versions of SSLeay and OpenSSL.
-
-EVP_VerifyInit_ex() was added in OpenSSL 0.9.7
-
-=cut
diff --git a/doc/crypto/OBJ_nid2obj.pod b/doc/crypto/OBJ_nid2obj.pod
deleted file mode 100644
index b8d289673dee..000000000000
--- a/doc/crypto/OBJ_nid2obj.pod
+++ /dev/null
@@ -1,170 +0,0 @@
-=pod
-
-=head1 NAME
-
-OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid,
-OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup - ASN1 object utility
-functions
-
-=head1 SYNOPSIS
-
- #include <openssl/objects.h>
-
- ASN1_OBJECT * OBJ_nid2obj(int n);
- const char * OBJ_nid2ln(int n);
- const char * OBJ_nid2sn(int n);
-
- int OBJ_obj2nid(const ASN1_OBJECT *o);
- int OBJ_ln2nid(const char *ln);
- int OBJ_sn2nid(const char *sn);
-
- int OBJ_txt2nid(const char *s);
-
- ASN1_OBJECT * OBJ_txt2obj(const char *s, int no_name);
- int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
-
- int OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b);
- ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *o);
-
- int OBJ_create(const char *oid,const char *sn,const char *ln);
- void OBJ_cleanup(void);
-
-=head1 DESCRIPTION
-
-The ASN1 object utility functions process ASN1_OBJECT structures which are
-a representation of the ASN1 OBJECT IDENTIFIER (OID) type.
-For convenience, OIDs are usually represented in source code as numeric
-identifiers, or B<NID>s. OpenSSL has an internal table of OIDs that
-are generated when the library is built, and their corresponding NIDs
-are available as defined constants. For the functions below, application
-code should treat all returned values -- OIDs, NIDs, or names -- as
-constants.
-
-OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B<n> to
-an ASN1_OBJECT structure, its long name and its short name respectively,
-or B<NULL> is an error occurred.
-
-OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID
-for the object B<o>, the long name <ln> or the short name <sn> respectively
-or NID_undef if an error occurred.
-
-OBJ_txt2nid() returns NID corresponding to text string <s>. B<s> can be
-a long name, a short name or the numerical respresentation of an object.
-
-OBJ_txt2obj() converts the text string B<s> into an ASN1_OBJECT structure.
-If B<no_name> is 0 then long names and short names will be interpreted
-as well as numerical forms. If B<no_name> is 1 only the numerical form
-is acceptable.
-
-OBJ_obj2txt() converts the B<ASN1_OBJECT> B<a> into a textual representation.
-The representation is written as a null terminated string to B<buf>
-at most B<buf_len> bytes are written, truncating the result if necessary.
-The total amount of space required is returned. If B<no_name> is 0 then
-if the object has a long or short name then that will be used, otherwise
-the numerical form will be used. If B<no_name> is 1 then the numerical
-form will always be used.
-
-OBJ_cmp() compares B<a> to B<b>. If the two are identical 0 is returned.
-
-OBJ_dup() returns a copy of B<o>.
-
-OBJ_create() adds a new object to the internal table. B<oid> is the
-numerical form of the object, B<sn> the short name and B<ln> the
-long name. A new NID is returned for the created object.
-
-OBJ_cleanup() cleans up OpenSSLs internal object table: this should
-be called before an application exits if any new objects were added
-using OBJ_create().
-
-=head1 NOTES
-
-Objects in OpenSSL can have a short name, a long name and a numerical
-identifier (NID) associated with them. A standard set of objects is
-represented in an internal table. The appropriate values are defined
-in the header file B<objects.h>.
-
-For example the OID for commonName has the following definitions:
-
- #define SN_commonName "CN"
- #define LN_commonName "commonName"
- #define NID_commonName 13
-
-New objects can be added by calling OBJ_create().
-
-Table objects have certain advantages over other objects: for example
-their NIDs can be used in a C language switch statement. They are
-also static constant structures which are shared: that is there
-is only a single constant structure for each table object.
-
-Objects which are not in the table have the NID value NID_undef.
-
-Objects do not need to be in the internal tables to be processed,
-the functions OBJ_txt2obj() and OBJ_obj2txt() can process the numerical
-form of an OID.
-
-Some objects are used to represent algorithms which do not have a
-corresponding ASN.1 OBJECT IDENTIFIER encoding (for example no OID currently
-exists for a particular algorithm). As a result they B<cannot> be encoded or
-decoded as part of ASN.1 structures. Applications can determine if there
-is a corresponding OBJECT IDENTIFIER by checking OBJ_length() is not zero.
-
-These functions cannot return B<const> because an B<ASN1_OBJECT> can
-represent both an internal, constant, OID and a dynamically-created one.
-The latter cannot be constant because it needs to be freed after use.
-
-=head1 EXAMPLES
-
-Create an object for B<commonName>:
-
- ASN1_OBJECT *o;
- o = OBJ_nid2obj(NID_commonName);
-
-Check if an object is B<commonName>
-
- if (OBJ_obj2nid(obj) == NID_commonName)
- /* Do something */
-
-Create a new NID and initialize an object from it:
-
- int new_nid;
- ASN1_OBJECT *obj;
-
- new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier");
-
- obj = OBJ_nid2obj(new_nid);
-
-Create a new object directly:
-
- obj = OBJ_txt2obj("1.2.3.4", 1);
-
-=head1 BUGS
-
-OBJ_obj2txt() is awkward and messy to use: it doesn't follow the
-convention of other OpenSSL functions where the buffer can be set
-to B<NULL> to determine the amount of data that should be written.
-Instead B<buf> must point to a valid buffer and B<buf_len> should
-be set to a positive value. A buffer length of 80 should be more
-than enough to handle any OID encountered in practice.
-
-=head1 RETURN VALUES
-
-OBJ_nid2obj() returns an B<ASN1_OBJECT> structure or B<NULL> is an
-error occurred.
-It returns a pointer to an internal table and does not
-allocate memory; ASN1_OBJECT_free() will have no effect.
-
-OBJ_nid2ln() and OBJ_nid2sn() returns a valid string or B<NULL>
-on error.
-
-OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return
-a NID or B<NID_undef> on error.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-TBA
-
-=cut
diff --git a/doc/crypto/OPENSSL_Applink.pod b/doc/crypto/OPENSSL_Applink.pod
deleted file mode 100644
index e54de12cc89e..000000000000
--- a/doc/crypto/OPENSSL_Applink.pod
+++ /dev/null
@@ -1,21 +0,0 @@
-=pod
-
-=head1 NAME
-
-OPENSSL_Applink - glue between OpenSSL BIO and Win32 compiler run-time
-
-=head1 SYNOPSIS
-
- __declspec(dllexport) void **OPENSSL_Applink();
-
-=head1 DESCRIPTION
-
-OPENSSL_Applink is application-side interface which provides a glue
-between OpenSSL BIO layer and Win32 compiler run-time environment.
-Even though it appears at application side, it's essentially OpenSSL
-private interface. For this reason application developers are not
-expected to implement it, but to compile provided module with
-compiler of their choice and link it into the target application.
-The referred module is available as <openssl>/ms/applink.c.
-
-=cut
diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/doc/crypto/OPENSSL_VERSION_NUMBER.pod
deleted file mode 100644
index f7ca7cb79066..000000000000
--- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod
+++ /dev/null
@@ -1,101 +0,0 @@
-=pod
-
-=head1 NAME
-
-OPENSSL_VERSION_NUMBER, SSLeay, SSLeay_version - get OpenSSL version number
-
-=head1 SYNOPSIS
-
- #include <openssl/opensslv.h>
- #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
-
- #include <openssl/crypto.h>
- long SSLeay(void);
- const char *SSLeay_version(int t);
-
-=head1 DESCRIPTION
-
-OPENSSL_VERSION_NUMBER is a numeric release version identifier:
-
- MNNFFPPS: major minor fix patch status
-
-The status nibble has one of the values 0 for development, 1 to e for betas
-1 to 14, and f for release.
-
-for example
-
- 0x000906000 == 0.9.6 dev
- 0x000906023 == 0.9.6b beta 3
- 0x00090605f == 0.9.6e release
-
-Versions prior to 0.9.3 have identifiers E<lt> 0x0930.
-Versions between 0.9.3 and 0.9.5 had a version identifier with this
-interpretation:
-
- MMNNFFRBB major minor fix final beta/patch
-
-for example
-
- 0x000904100 == 0.9.4 release
- 0x000905000 == 0.9.5 dev
-
-Version 0.9.5a had an interim interpretation that is like the current one,
-except the patch level got the highest bit set, to keep continuity. The
-number was therefore 0x0090581f.
-
-
-For backward compatibility, SSLEAY_VERSION_NUMBER is also defined.
-
-SSLeay() returns this number. The return value can be compared to the
-macro to make sure that the correct version of the library has been
-loaded, especially when using DLLs on Windows systems.
-
-SSLeay_version() returns different strings depending on B<t>:
-
-=over 4
-
-=item SSLEAY_VERSION
-
-The text variant of the version number and the release date. For example,
-"OpenSSL 0.9.5a 1 Apr 2000".
-
-=item SSLEAY_CFLAGS
-
-The compiler flags set for the compilation process in the form
-"compiler: ..." if available or "compiler: information not available"
-otherwise.
-
-=item SSLEAY_BUILT_ON
-
-The date of the build process in the form "built on: ..." if available
-or "built on: date not available" otherwise.
-
-=item SSLEAY_PLATFORM
-
-The "Configure" target of the library build in the form "platform: ..."
-if available or "platform: information not available" otherwise.
-
-=item SSLEAY_DIR
-
-The "OPENSSLDIR" setting of the library build in the form "OPENSSLDIR: "...""
-if available or "OPENSSLDIR: N/A" otherwise.
-
-=back
-
-For an unknown B<t>, the text "not available" is returned.
-
-=head1 RETURN VALUE
-
-The version number.
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>
-
-=head1 HISTORY
-
-SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and OpenSSL.
-OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
-B<SSLEAY_DIR> was added in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/OPENSSL_config.pod b/doc/crypto/OPENSSL_config.pod
deleted file mode 100644
index 4e713653d09c..000000000000
--- a/doc/crypto/OPENSSL_config.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=pod
-
-=head1 NAME
-
-OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions
-
-=head1 SYNOPSIS
-
- #include <openssl/conf.h>
-
- void OPENSSL_config(const char *appname);
- void OPENSSL_no_config(void);
-
-=head1 DESCRIPTION
-
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
-reads from the application section B<appname>. If B<appname> is NULL then
-the default section, B<openssl_conf>, will be used.
-Errors are silently ignored.
-Multiple calls have no effect.
-
-OPENSSL_no_config() disables configuration. If called before OPENSSL_config()
-no configuration takes place.
-
-=head1 NOTES
-
-The OPENSSL_config() function is designed to be a very simple "call it and
-forget it" function.
-It is however B<much> better than nothing. Applications which need finer
-control over their configuration functionality should use the configuration
-functions such as CONF_modules_load() directly. This function is deprecated
-and its use should be avoided.
-Applications should instead call CONF_modules_load() during
-initialization (that is before starting any threads).
-
-There are several reasons why calling the OpenSSL configuration routines is
-advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7.
-In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be
-used (among other things) to load dynamic ENGINEs from shared libraries (DSOs).
-However very few applications currently support the control interface and so
-very few can load and use dynamic ENGINEs. Equally in future more sophisticated
-ENGINEs will require certain control operations to customize them. If an
-application calls OPENSSL_config() it doesn't need to know or care about
-ENGINE control operations because they can be performed by editing a
-configuration file.
-
-Applications should free up configuration at application closedown by calling
-CONF_modules_free().
-
-=head1 RETURN VALUES
-
-Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
-
-=head1 SEE ALSO
-
-L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
-L<CONF_modules_free(3)|CONF_modules_free(3)>
-
-=head1 HISTORY
-
-OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7
-
-=cut
diff --git a/doc/crypto/OPENSSL_ia32cap.pod b/doc/crypto/OPENSSL_ia32cap.pod
deleted file mode 100644
index 5bcb82e3cfed..000000000000
--- a/doc/crypto/OPENSSL_ia32cap.pod
+++ /dev/null
@@ -1,96 +0,0 @@
-=pod
-
-=head1 NAME
-
-OPENSSL_ia32cap, OPENSSL_ia32cap_loc - the IA-32 processor capabilities vector
-
-=head1 SYNOPSIS
-
- unsigned long *OPENSSL_ia32cap_loc(void);
- #define OPENSSL_ia32cap ((OPENSSL_ia32cap_loc())[0])
-
-=head1 DESCRIPTION
-
-Value returned by OPENSSL_ia32cap_loc() is address of a variable
-containing IA-32 processor capabilities bit vector as it appears in
-EDX:ECX register pair after executing CPUID instruction with EAX=1
-input value (see Intel Application Note #241618). Naturally it's
-meaningful on x86 and x86_64 platforms only. The variable is normally
-set up automatically upon toolkit initialization, but can be
-manipulated afterwards to modify crypto library behaviour. For the
-moment of this writing following bits are significant:
-
-=over
-
-=item bit #4 denoting presence of Time-Stamp Counter.
-
-=item bit #19 denoting availability of CLFLUSH instruction;
-
-=item bit #20, reserved by Intel, is used to choose among RC4 code paths;
-
-=item bit #23 denoting MMX support;
-
-=item bit #24, FXSR bit, denoting availability of XMM registers;
-
-=item bit #25 denoting SSE support;
-
-=item bit #26 denoting SSE2 support;
-
-=item bit #28 denoting Hyperthreading, which is used to distinguish
-cores with shared cache;
-
-=item bit #30, reserved by Intel, denotes specifically Intel CPUs;
-
-=item bit #33 denoting availability of PCLMULQDQ instruction;
-
-=item bit #41 denoting SSSE3, Supplemental SSE3, support;
-
-=item bit #43 denoting AMD XOP support (forced to zero on non-AMD CPUs);
-
-=item bit #57 denoting AES-NI instruction set extension;
-
-=item bit #59, OSXSAVE bit, denoting availability of YMM registers;
-
-=item bit #60 denoting AVX extension;
-
-=item bit #62 denoting availability of RDRAND instruction;
-
-=back
-
-For example, clearing bit #26 at run-time disables high-performance
-SSE2 code present in the crypto library, while clearing bit #24
-disables SSE2 code operating on 128-bit XMM register bank. You might
-have to do the latter if target OpenSSL application is executed on SSE2
-capable CPU, but under control of OS that does not enable XMM
-registers. Even though you can manipulate the value programmatically,
-you most likely will find it more appropriate to set up an environment
-variable with the same name prior starting target application, e.g. on
-Intel P4 processor 'env OPENSSL_ia32cap=0x16980010 apps/openssl', or
-better yet 'env OPENSSL_ia32cap=~0x1000000 apps/openssl' to achieve same
-effect without modifying the application source code. Alternatively you
-can reconfigure the toolkit with no-sse2 option and recompile.
-
-Less intuitive is clearing bit #28. The truth is that it's not copied
-from CPUID output verbatim, but is adjusted to reflect whether or not
-the data cache is actually shared between logical cores. This in turn
-affects the decision on whether or not expensive countermeasures
-against cache-timing attacks are applied, most notably in AES assembler
-module.
-
-The vector is further extended with EBX value returned by CPUID with
-EAX=7 and ECX=0 as input. Following bits are significant:
-
-=over
-
-=item bit #64+3 denoting availability of BMI1 instructions, e.g. ANDN;
-
-=item bit #64+5 denoting availability of AVX2 instructions;
-
-=item bit #64+8 denoting availability of BMI2 instructions, e.g. MUXL
-and RORX;
-
-=item bit #64+18 denoting availability of RDSEED instruction;
-
-=item bit #64+19 denoting availability of ADCX and ADOX instructions;
-
-=back
diff --git a/doc/crypto/OPENSSL_instrument_bus.pod b/doc/crypto/OPENSSL_instrument_bus.pod
deleted file mode 100644
index 4ed83e4950b7..000000000000
--- a/doc/crypto/OPENSSL_instrument_bus.pod
+++ /dev/null
@@ -1,42 +0,0 @@
-=pod
-
-=head1 NAME
-
-OPENSSL_instrument_bus, OPENSSL_instrument_bus2 - instrument references to memory bus
-
-=head1 SYNOPSIS
-
- #ifdef OPENSSL_CPUID_OBJ
- size_t OPENSSL_instrument_bus (int *vector,size_t num);
- size_t OPENSSL_instrument_bus2(int *vector,size_t num,size_t max);
- #endif
-
-=head1 DESCRIPTION
-
-It was empirically found that timings of references to primary memory
-are subject to irregular, apparently non-deterministic variations. The
-subroutines in question instrument these references for purposes of
-gathering entropy for random number generator. In order to make it
-bus-bound a 'flush cache line' instruction is used between probes. In
-addition probes are added to B<vector> elements in atomic or
-interlocked manner, which should contribute additional noise on
-multi-processor systems. This also means that B<vector[num]> should be
-zeroed upon invocation (if you want to retrieve actual probe values).
-
-OPENSSL_instrument_bus performs B<num> probes and records the number of
-oscillator cycles every probe took.
-
-OPENSSL_instrument_bus2 on the other hand B<accumulates> consecutive
-probes with the same value, i.e. in a way it records duration of
-periods when probe values appeared deterministic. The subroutine
-performs at most B<max> probes in attempt to fill the B<vector[num]>,
-with B<max> value of 0 meaning "as many as it takes."
-
-=head1 RETURN VALUE
-
-Return value of 0 indicates that CPU is not capable of performing the
-benchmark, either because oscillator counter or 'flush cache line' is
-not available on current platform. For reference, on x86 'flush cache
-line' was introduced with the SSE2 extensions.
-
-Otherwise number of recorded values is returned.
diff --git a/doc/crypto/OPENSSL_load_builtin_modules.pod b/doc/crypto/OPENSSL_load_builtin_modules.pod
deleted file mode 100644
index de62912ff253..000000000000
--- a/doc/crypto/OPENSSL_load_builtin_modules.pod
+++ /dev/null
@@ -1,51 +0,0 @@
-=pod
-
-=head1 NAME
-
-OPENSSL_load_builtin_modules, ASN1_add_oid_module, ENGINE_add_conf_module - add standard configuration modules
-
-=head1 SYNOPSIS
-
- #include <openssl/conf.h>
-
- void OPENSSL_load_builtin_modules(void);
- void ASN1_add_oid_module(void);
- ENGINE_add_conf_module();
-
-=head1 DESCRIPTION
-
-The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL
-configuration modules to the internal list. They can then be used by the
-OpenSSL configuration code.
-
-ASN1_add_oid_module() adds just the ASN1 OBJECT module.
-
-ENGINE_add_conf_module() adds just the ENGINE configuration module.
-
-=head1 NOTES
-
-If the simple configuration function OPENSSL_config() is called then
-OPENSSL_load_builtin_modules() is called automatically.
-
-Applications which use the configuration functions directly will need to
-call OPENSSL_load_builtin_modules() themselves I<before> any other
-configuration code.
-
-Applications should call OPENSSL_load_builtin_modules() to load all
-configuration modules instead of adding modules selectively: otherwise
-functionality may be missing from the application if an when new
-modules are added.
-
-=head1 RETURN VALUE
-
-None of the functions return a value.
-
-=head1 SEE ALSO
-
-L<conf(3)|conf(3)>, L<OPENSSL_config(3)|OPENSSL_config(3)>
-
-=head1 HISTORY
-
-These functions first appeared in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/OpenSSL_add_all_algorithms.pod b/doc/crypto/OpenSSL_add_all_algorithms.pod
deleted file mode 100644
index bcb79e5f6b45..000000000000
--- a/doc/crypto/OpenSSL_add_all_algorithms.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-
-=head1 NAME
-
-OpenSSL_add_all_algorithms, OpenSSL_add_all_ciphers, OpenSSL_add_all_digests, EVP_cleanup -
-add algorithms to internal table
-
-=head1 SYNOPSIS
-
- #include <openssl/evp.h>
-
- void OpenSSL_add_all_algorithms(void);
- void OpenSSL_add_all_ciphers(void);
- void OpenSSL_add_all_digests(void);
-
- void EVP_cleanup(void);
-
-=head1 DESCRIPTION
-
-OpenSSL keeps an internal table of digest algorithms and ciphers. It uses
-this table to lookup ciphers via functions such as EVP_get_cipher_byname().
-
-OpenSSL_add_all_digests() adds all digest algorithms to the table.
-
-OpenSSL_add_all_algorithms() adds all algorithms to the table (digests and
-ciphers).
-
-OpenSSL_add_all_ciphers() adds all encryption algorithms to the table including
-password based encryption algorithms.
-
-EVP_cleanup() removes all ciphers and digests from the table.
-
-=head1 RETURN VALUES
-
-None of the functions return a value.
-
-=head1 NOTES
-
-A typical application will call OpenSSL_add_all_algorithms() initially and
-EVP_cleanup() before exiting.
-
-An application does not need to add algorithms to use them explicitly, for example
-by EVP_sha1(). It just needs to add them if it (or any of the functions it calls)
-needs to lookup algorithms.
-
-The cipher and digest lookup functions are used in many parts of the library. If
-the table is not initialized several functions will misbehave and complain they
-cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME libraries.
-This is a common query in the OpenSSL mailing lists.
-
-Calling OpenSSL_add_all_algorithms() links in all algorithms: as a result a
-statically linked executable can be quite large. If this is important it is possible
-to just add the required ciphers and digests.
-
-=head1 BUGS
-
-Although the functions do not return error codes it is possible for them to fail.
-This will only happen as a result of a memory allocation failure so this is not
-too much of a problem in practice.
-
-=head1 SEE ALSO
-
-L<evp(3)|evp(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
-
-=cut
diff --git a/doc/crypto/PEM_write_bio_CMS_stream.pod b/doc/crypto/PEM_write_bio_CMS_stream.pod
deleted file mode 100644
index e070c45c2e95..000000000000
--- a/doc/crypto/PEM_write_bio_CMS_stream.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-
-=head1 NAME
-
- PEM_write_bio_CMS_stream - output CMS_ContentInfo structure in PEM format.
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
- #include <openssl/pem.h>
-
- int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
-
-=head1 DESCRIPTION
-
-PEM_write_bio_CMS_stream() outputs a CMS_ContentInfo structure in PEM format.
-
-It is otherwise identical to the function SMIME_write_CMS().
-
-=head1 NOTES
-
-This function is effectively a version of the PEM_write_bio_CMS() supporting
-streaming.
-
-=head1 RETURN VALUES
-
-PEM_write_bio_CMS_stream() returns 1 for success or 0 for failure.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>,
-L<SMIME_write_CMS(3)|SMIME_write_CMS(3)>,
-L<i2d_CMS_bio_stream(3)|i2d_CMS_bio_stream(3)>
-
-=head1 HISTORY
-
-PEM_write_bio_CMS_stream() was added to OpenSSL 1.0.0
-
-=cut
diff --git a/doc/crypto/PEM_write_bio_PKCS7_stream.pod b/doc/crypto/PEM_write_bio_PKCS7_stream.pod
deleted file mode 100644
index 16fc9b684589..000000000000
--- a/doc/crypto/PEM_write_bio_PKCS7_stream.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-
-=head1 NAME
-
-PEM_write_bio_PKCS7_stream - output PKCS7 structure in PEM format.
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs7.h>
- #include <openssl/pem.h>
-
- int PEM_write_bio_PKCS7_stream(BIO *out, PKCS7 *p7, BIO *data, int flags);
-
-=head1 DESCRIPTION
-
-PEM_write_bio_PKCS7_stream() outputs a PKCS7 structure in PEM format.
-
-It is otherwise identical to the function SMIME_write_PKCS7().
-
-=head1 NOTES
-
-This function is effectively a version of the PEM_write_bio_PKCS7() supporting
-streaming.
-
-=head1 RETURN VALUES
-
-PEM_write_bio_PKCS7_stream() returns 1 for success or 0 for failure.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>,
-L<SMIME_write_PKCS7(3)|SMIME_write_PKCS7(3)>,
-L<i2d_PKCS7_bio_stream(3)|i2d_PKCS7_bio_stream(3)>
-
-=head1 HISTORY
-
-PEM_write_bio_PKCS7_stream() was added to OpenSSL 1.0.0
-
-=cut
diff --git a/doc/crypto/PKCS12_create.pod b/doc/crypto/PKCS12_create.pod
deleted file mode 100644
index de7cab2bdffc..000000000000
--- a/doc/crypto/PKCS12_create.pod
+++ /dev/null
@@ -1,75 +0,0 @@
-=pod
-
-=head1 NAME
-
-PKCS12_create - create a PKCS#12 structure
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs12.h>
-
- PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca,
- int nid_key, int nid_cert, int iter, int mac_iter, int keytype);
-
-=head1 DESCRIPTION
-
-PKCS12_create() creates a PKCS#12 structure.
-
-B<pass> is the passphrase to use. B<name> is the B<friendlyName> to use for
-the supplied certifictate and key. B<pkey> is the private key to include in
-the structure and B<cert> its corresponding certificates. B<ca>, if not B<NULL>
-is an optional set of certificates to also include in the structure.
-
-B<nid_key> and B<nid_cert> are the encryption algorithms that should be used
-for the key and certificate respectively. B<iter> is the encryption algorithm
-iteration count to use and B<mac_iter> is the MAC iteration count to use.
-B<keytype> is the type of key.
-
-=head1 NOTES
-
-The parameters B<nid_key>, B<nid_cert>, B<iter>, B<mac_iter> and B<keytype>
-can all be set to zero and sensible defaults will be used.
-
-These defaults are: 40 bit RC2 encryption for certificates, triple DES
-encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER
-(currently 2048) and a MAC iteration count of 1.
-
-The default MAC iteration count is 1 in order to retain compatibility with
-old software which did not interpret MAC iteration counts. If such compatibility
-is not required then B<mac_iter> should be set to PKCS12_DEFAULT_ITER.
-
-B<keytype> adds a flag to the store private key. This is a non standard extension
-that is only currently interpreted by MSIE. If set to zero the flag is omitted,
-if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX>
-it can be used for signing and encryption. This option was useful for old
-export grade software which could use signing only keys of arbitrary size but
-had restrictions on the permissible sizes of keys which could be used for
-encryption.
-
-=head1 NEW FUNCTIONALITY IN OPENSSL 0.9.8
-
-Some additional functionality was added to PKCS12_create() in OpenSSL
-0.9.8. These extensions are detailed below.
-
-If a certificate contains an B<alias> or B<keyid> then this will be
-used for the corresponding B<friendlyName> or B<localKeyID> in the
-PKCS12 structure.
-
-Either B<pkey>, B<cert> or both can be B<NULL> to indicate that no key or
-certficate is required. In previous versions both had to be present or
-a fatal error is returned.
-
-B<nid_key> or B<nid_cert> can be set to -1 indicating that no encryption
-should be used.
-
-B<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
-
-=head1 SEE ALSO
-
-L<d2i_PKCS12(3)|d2i_PKCS12(3)>
-
-=head1 HISTORY
-
-PKCS12_create was added in OpenSSL 0.9.3
-
-=cut
diff --git a/doc/crypto/PKCS12_parse.pod b/doc/crypto/PKCS12_parse.pod
deleted file mode 100644
index c54cf2ad613e..000000000000
--- a/doc/crypto/PKCS12_parse.pod
+++ /dev/null
@@ -1,57 +0,0 @@
-=pod
-
-=head1 NAME
-
-PKCS12_parse - parse a PKCS#12 structure
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs12.h>
-
-int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);
-
-=head1 DESCRIPTION
-
-PKCS12_parse() parses a PKCS12 structure.
-
-B<p12> is the B<PKCS12> structure to parse. B<pass> is the passphrase to use.
-If successful the private key will be written to B<*pkey>, the corresponding
-certificate to B<*cert> and any additional certificates to B<*ca>.
-
-=head1 NOTES
-
-The parameters B<pkey> and B<cert> cannot be B<NULL>. B<ca> can be <NULL> in
-which case additional certificates will be discarded. B<*ca> can also be a
-valid STACK in which case additional certificates are appended to B<*ca>. If
-B<*ca> is B<NULL> a new STACK will be allocated.
-
-The B<friendlyName> and B<localKeyID> attributes (if present) on each
-certificate will be stored in the B<alias> and B<keyid> attributes of the
-B<X509> structure.
-
-=head1 RETURN VALUES
-
-PKCS12_parse() returns 1 for success and zero if an error occurred.
-
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 BUGS
-
-Only a single private key and corresponding certificate is returned by this
-function. More complex PKCS#12 files with multiple private keys will only
-return the first match.
-
-Only B<friendlyName> and B<localKeyID> attributes are currently stored in
-certificates. Other attributes are discarded.
-
-Attributes currently cannot be stored in the private key B<EVP_PKEY> structure.
-
-=head1 SEE ALSO
-
-L<d2i_PKCS12(3)|d2i_PKCS12(3)>
-
-=head1 HISTORY
-
-PKCS12_parse was added in OpenSSL 0.9.3
-
-=cut
diff --git a/doc/crypto/PKCS7_decrypt.pod b/doc/crypto/PKCS7_decrypt.pod
deleted file mode 100644
index 325699d0b6d4..000000000000
--- a/doc/crypto/PKCS7_decrypt.pod
+++ /dev/null
@@ -1,55 +0,0 @@
-=pod
-
-=head1 NAME
-
-PKCS7_decrypt - decrypt content from a PKCS#7 envelopedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs7.h>
-
- int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
-
-=head1 DESCRIPTION
-
-PKCS7_decrypt() extracts and decrypts the content from a PKCS#7 envelopedData
-structure. B<pkey> is the private key of the recipient, B<cert> is the
-recipients certificate, B<data> is a BIO to write the content to and
-B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-OpenSSL_add_all_algorithms() (or equivalent) should be called before using this
-function or errors about unknown algorithms will occur.
-
-Although the recipients certificate is not needed to decrypt the data it is needed
-to locate the appropriate (of possible several) recipients in the PKCS#7 structure.
-
-The following flags can be passed in the B<flags> parameter.
-
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are deleted
-from the content. If the content is not of type B<text/plain> then an error is
-returned.
-
-=head1 RETURN VALUES
-
-PKCS7_decrypt() returns either 1 for success or 0 for failure.
-The error can be obtained from ERR_get_error(3)
-
-=head1 BUGS
-
-PKCS7_decrypt() must be passed the correct recipient key and certificate. It would
-be better if it could look up the correct key and certificate from a database.
-
-The lack of single pass processing and need to hold all data in memory as
-mentioned in PKCS7_sign() also applies to PKCS7_verify().
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-
-=head1 HISTORY
-
-PKCS7_decrypt() was added to OpenSSL 0.9.5
-
-=cut
diff --git a/doc/crypto/PKCS7_encrypt.pod b/doc/crypto/PKCS7_encrypt.pod
deleted file mode 100644
index 2cd925a7e0b6..000000000000
--- a/doc/crypto/PKCS7_encrypt.pod
+++ /dev/null
@@ -1,80 +0,0 @@
-=pod
-
-=head1 NAME
-
-PKCS7_encrypt - create a PKCS#7 envelopedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs7.h>
-
- PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags);
-
-=head1 DESCRIPTION
-
-PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B<certs>
-is a list of recipient certificates. B<in> is the content to be encrypted.
-B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-Only RSA keys are supported in PKCS#7 and envelopedData so the recipient
-certificates supplied to this function must all contain RSA public keys, though
-they do not have to be signed using the RSA algorithm.
-
-EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use
-because most clients will support it.
-
-Some old "export grade" clients may only support weak encryption using 40 or 64
-bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc()
-respectively.
-
-The algorithm passed in the B<cipher> parameter must support ASN1 encoding of
-its parameters.
-
-Many browsers implement a "sign and encrypt" option which is simply an S/MIME
-envelopedData containing an S/MIME signed message. This can be readily produced
-by storing the S/MIME signed message in a memory BIO and passing it to
-PKCS7_encrypt().
-
-The following flags can be passed in the B<flags> parameter.
-
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are
-prepended to the data.
-
-Normally the supplied content is translated into MIME canonical format (as
-required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation
-occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it. If B<PKCS7_BINARY> is set then
-B<PKCS7_TEXT> is ignored.
-
-If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output
-suitable for streaming I/O: no data is read from the BIO B<in>.
-
-=head1 NOTES
-
-If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not>
-complete and outputting its contents via a function that does not
-properly finalize the B<PKCS7> structure will give unpredictable
-results.
-
-Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(),
-PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming ASN1 B<BIO> directly using
-BIO_new_PKCS7().
-
-=head1 RETURN VALUES
-
-PKCS7_encrypt() returns either a PKCS7 structure or NULL if an error occurred.
-The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
-
-=head1 HISTORY
-
-PKCS7_decrypt() was added to OpenSSL 0.9.5
-The B<PKCS7_STREAM> flag was first supported in OpenSSL 1.0.0.
-
-=cut
diff --git a/doc/crypto/PKCS7_sign.pod b/doc/crypto/PKCS7_sign.pod
deleted file mode 100644
index 64a35144f8c9..000000000000
--- a/doc/crypto/PKCS7_sign.pod
+++ /dev/null
@@ -1,116 +0,0 @@
-=pod
-
-=head1 NAME
-
-PKCS7_sign - create a PKCS#7 signedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs7.h>
-
- PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags);
-
-=head1 DESCRIPTION
-
-PKCS7_sign() creates and returns a PKCS#7 signedData structure. B<signcert> is
-the certificate to sign with, B<pkey> is the corresponsding private key.
-B<certs> is an optional additional set of certificates to include in the PKCS#7
-structure (for example any intermediate CAs in the chain).
-
-The data to be signed is read from BIO B<data>.
-
-B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-Any of the following flags (ored together) can be passed in the B<flags>
-parameter.
-
-Many S/MIME clients expect the signed content to include valid MIME headers. If
-the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended
-to the data.
-
-If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the
-PKCS7 structure, the signer's certificate must still be supplied in the
-B<signcert> parameter though. This can reduce the size of the signature if the
-signers certificate can be obtained by other means: for example a previously
-signed message.
-
-The data being signed is included in the PKCS7 structure, unless
-B<PKCS7_DETACHED> is set in which case it is omitted. This is used for PKCS7
-detached signatures which are used in S/MIME plaintext signed messages for
-example.
-
-Normally the supplied content is translated into MIME canonical format (as
-required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation
-occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it.
-
-The signedData structure includes several PKCS#7 autenticatedAttributes
-including the signing time, the PKCS#7 content type and the supported list of
-ciphers in an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no
-authenticatedAttributes will be used. If B<PKCS7_NOSMIMECAP> is set then just
-the SMIMECapabilities are omitted.
-
-If present the SMIMECapabilities attribute indicates support for the following
-algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of
-these algorithms is disabled then it will not be included.
-
-If the flags B<PKCS7_STREAM> is set then the returned B<PKCS7> structure is
-just initialized ready to perform the signing operation. The signing is however
-B<not> performed and the data to be signed is not read from the B<data>
-parameter. Signing is deferred until after the data has been written. In this
-way data can be signed in a single pass.
-
-If the B<PKCS7_PARTIAL> flag is set a partial B<PKCS7> structure is output to
-which additional signers and capabilities can be added before finalization.
-
-
-=head1 NOTES
-
-If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not>
-complete and outputting its contents via a function that does not properly
-finalize the B<PKCS7> structure will give unpredictable results.
-
-Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(),
-PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming ASN1 B<BIO> directly using
-BIO_new_PKCS7().
-
-If a signer is specified it will use the default digest for the signing
-algorithm. This is B<SHA1> for both RSA and DSA keys.
-
-In OpenSSL 1.0.0 the B<certs>, B<signcert> and B<pkey> parameters can all be
-B<NULL> if the B<PKCS7_PARTIAL> flag is set. One or more signers can be added
-using the function B<PKCS7_sign_add_signer()>. B<PKCS7_final()> must also be
-called to finalize the structure if streaming is not enabled. Alternative
-signing digests can also be specified using this method.
-
-In OpenSSL 1.0.0 if B<signcert> and B<pkey> are NULL then a certificates only
-PKCS#7 structure is output.
-
-In versions of OpenSSL before 1.0.0 the B<signcert> and B<pkey> parameters must
-B<NOT> be NULL.
-
-=head1 BUGS
-
-Some advanced attributes such as counter signatures are not supported.
-
-=head1 RETURN VALUES
-
-PKCS7_sign() returns either a valid PKCS7 structure or NULL if an error
-occurred. The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)>
-
-=head1 HISTORY
-
-PKCS7_sign() was added to OpenSSL 0.9.5
-
-The B<PKCS7_PARTIAL> flag was added in OpenSSL 1.0.0
-
-The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0
-
-=cut
diff --git a/doc/crypto/PKCS7_sign_add_signer.pod b/doc/crypto/PKCS7_sign_add_signer.pod
deleted file mode 100644
index ebec4d57deaf..000000000000
--- a/doc/crypto/PKCS7_sign_add_signer.pod
+++ /dev/null
@@ -1,87 +0,0 @@
-=pod
-
-=head1 NAME
-
-PKCS7_sign_add_signer - add a signer PKCS7 signed data structure.
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs7.h>
-
- PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, int flags);
-
-
-=head1 DESCRIPTION
-
-PKCS7_sign_add_signer() adds a signer with certificate B<signcert> and private
-key B<pkey> using message digest B<md> to a PKCS7 signed data structure
-B<p7>.
-
-The PKCS7 structure should be obtained from an initial call to PKCS7_sign()
-with the flag B<PKCS7_PARTIAL> set or in the case or re-signing a valid PKCS7
-signed data structure.
-
-If the B<md> parameter is B<NULL> then the default digest for the public
-key algorithm will be used.
-
-Unless the B<PKCS7_REUSE_DIGEST> flag is set the returned PKCS7 structure
-is not complete and must be finalized either by streaming (if applicable) or
-a call to PKCS7_final().
-
-
-=head1 NOTES
-
-The main purpose of this function is to provide finer control over a PKCS#7
-signed data structure where the simpler PKCS7_sign() function defaults are
-not appropriate. For example if multiple signers or non default digest
-algorithms are needed.
-
-Any of the following flags (ored together) can be passed in the B<flags>
-parameter.
-
-If B<PKCS7_REUSE_DIGEST> is set then an attempt is made to copy the content
-digest value from the PKCS7 struture: to add a signer to an existing structure.
-An error occurs if a matching digest value cannot be found to copy. The
-returned PKCS7 structure will be valid and finalized when this flag is set.
-
-If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the
-B<PKCS7_SIGNER_INO> structure will not be finalized so additional attributes
-can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is
-needed to finalize it.
-
-If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the
-PKCS7 structure, the signer's certificate must still be supplied in the
-B<signcert> parameter though. This can reduce the size of the signature if the
-signers certificate can be obtained by other means: for example a previously
-signed message.
-
-The signedData structure includes several PKCS#7 autenticatedAttributes
-including the signing time, the PKCS#7 content type and the supported list of
-ciphers in an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no
-authenticatedAttributes will be used. If B<PKCS7_NOSMIMECAP> is set then just
-the SMIMECapabilities are omitted.
-
-If present the SMIMECapabilities attribute indicates support for the following
-algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of
-these algorithms is disabled then it will not be included.
-
-
-PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO
-structure just added, this can be used to set additional attributes
-before it is finalized.
-
-=head1 RETURN VALUES
-
-PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO
-structure just added or NULL if an error occurs.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_final(3)|PKCS7_final(3)>,
-
-=head1 HISTORY
-
-PPKCS7_sign_add_signer() was added to OpenSSL 1.0.0
-
-=cut
diff --git a/doc/crypto/PKCS7_verify.pod b/doc/crypto/PKCS7_verify.pod
deleted file mode 100644
index f083306b0dc3..000000000000
--- a/doc/crypto/PKCS7_verify.pod
+++ /dev/null
@@ -1,118 +0,0 @@
-=pod
-
-=head1 NAME
-
-PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs7.h>
-
- int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
-
- STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
-
-=head1 DESCRIPTION
-
-PKCS7_verify() verifies a PKCS#7 signedData structure. B<p7> is the PKCS7
-structure to verify. B<certs> is a set of certificates in which to search for
-the signer's certificate. B<store> is a trusted certficate store (used for
-chain verification). B<indata> is the signed data if the content is not
-present in B<p7> (that is it is detached). The content is written to B<out>
-if it is not NULL.
-
-B<flags> is an optional set of flags, which can be used to modify the verify
-operation.
-
-PKCS7_get0_signers() retrieves the signer's certificates from B<p7>, it does
-B<not> check their validity or whether any signatures are valid. The B<certs>
-and B<flags> parameters have the same meanings as in PKCS7_verify().
-
-=head1 VERIFY PROCESS
-
-Normally the verify process proceeds as follows.
-
-Initially some sanity checks are performed on B<p7>. The type of B<p7> must
-be signedData. There must be at least one signature on the data and if
-the content is detached B<indata> cannot be B<NULL>.
-
-An attempt is made to locate all the signer's certificates, first looking in
-the B<certs> parameter (if it is not B<NULL>) and then looking in any certificates
-contained in the B<p7> structure itself. If any signer's certificates cannot be
-located the operation fails.
-
-Each signer's certificate is chain verified using the B<smimesign> purpose and
-the supplied trusted certificate store. Any internal certificates in the message
-are used as untrusted CAs. If any chain verify fails an error code is returned.
-
-Finally the signed content is read (and written to B<out> is it is not NULL) and
-the signature's checked.
-
-If all signature's verify correctly then the function is successful.
-
-Any of the following flags (ored together) can be passed in the B<flags> parameter
-to change the default verify behaviour. Only the flag B<PKCS7_NOINTERN> is
-meaningful to PKCS7_get0_signers().
-
-If B<PKCS7_NOINTERN> is set the certificates in the message itself are not
-searched when locating the signer's certificate. This means that all the signers
-certificates must be in the B<certs> parameter.
-
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are deleted
-from the content. If the content is not of type B<text/plain> then an error is
-returned.
-
-If B<PKCS7_NOVERIFY> is set the signer's certificates are not chain verified.
-
-If B<PKCS7_NOCHAIN> is set then the certificates contained in the message are
-not used as untrusted CAs. This means that the whole verify chain (apart from
-the signer's certificate) must be contained in the trusted store.
-
-If B<PKCS7_NOSIGS> is set then the signatures on the data are not checked.
-
-=head1 NOTES
-
-One application of B<PKCS7_NOINTERN> is to only accept messages signed by
-a small number of certificates. The acceptable certificates would be passed
-in the B<certs> parameter. In this case if the signer is not one of the
-certificates supplied in B<certs> then the verify will fail because the
-signer cannot be found.
-
-Care should be taken when modifying the default verify behaviour, for example
-setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
-and any signed message will be considered valid. This combination is however
-useful if one merely wishes to write the content to B<out> and its validity
-is not considered important.
-
-Chain verification should arguably be performed using the signing time rather
-than the current time. However since the signing time is supplied by the
-signer it cannot be trusted without additional evidence (such as a trusted
-timestamp).
-
-=head1 RETURN VALUES
-
-PKCS7_verify() returns one for a successful verification and zero
-if an error occurs.
-
-PKCS7_get0_signers() returns all signers or B<NULL> if an error occurred.
-
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 BUGS
-
-The trusted certificate store is not searched for the signers certificate,
-this is primarily due to the inadequacies of the current B<X509_STORE>
-functionality.
-
-The lack of single pass processing and need to hold all data in memory as
-mentioned in PKCS7_sign() also applies to PKCS7_verify().
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>
-
-=head1 HISTORY
-
-PKCS7_verify() was added to OpenSSL 0.9.5
-
-=cut
diff --git a/doc/crypto/RAND_add.pod b/doc/crypto/RAND_add.pod
deleted file mode 100644
index 67c66f3e0c96..000000000000
--- a/doc/crypto/RAND_add.pod
+++ /dev/null
@@ -1,77 +0,0 @@
-=pod
-
-=head1 NAME
-
-RAND_add, RAND_seed, RAND_status, RAND_event, RAND_screen - add
-entropy to the PRNG
-
-=head1 SYNOPSIS
-
- #include <openssl/rand.h>
-
- void RAND_seed(const void *buf, int num);
-
- void RAND_add(const void *buf, int num, double entropy);
-
- int RAND_status(void);
-
- int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam);
- void RAND_screen(void);
-
-=head1 DESCRIPTION
-
-RAND_add() mixes the B<num> bytes at B<buf> into the PRNG state. Thus,
-if the data at B<buf> are unpredictable to an adversary, this
-increases the uncertainty about the state and makes the PRNG output
-less predictable. Suitable input comes from user interaction (random
-key presses, mouse movements) and certain hardware events. The
-B<entropy> argument is (the lower bound of) an estimate of how much
-randomness is contained in B<buf>, measured in bytes. Details about
-sources of randomness and how to estimate their entropy can be found
-in the literature, e.g. RFC 1750.
-
-RAND_add() may be called with sensitive data such as user entered
-passwords. The seed values cannot be recovered from the PRNG output.
-
-OpenSSL makes sure that the PRNG state is unique for each thread. On
-systems that provide C</dev/urandom>, the randomness device is used
-to seed the PRNG transparently. However, on all other systems, the
-application is responsible for seeding the PRNG by calling RAND_add(),
-L<RAND_egd(3)|RAND_egd(3)>
-or L<RAND_load_file(3)|RAND_load_file(3)>.
-
-RAND_seed() is equivalent to RAND_add() when B<num == entropy>.
-
-RAND_event() collects the entropy from Windows events such as mouse
-movements and other user interaction. It should be called with the
-B<iMsg>, B<wParam> and B<lParam> arguments of I<all> messages sent to
-the window procedure. It will estimate the entropy contained in the
-event message (if any), and add it to the PRNG. The program can then
-process the messages as usual.
-
-The RAND_screen() function is available for the convenience of Windows
-programmers. It adds the current contents of the screen to the PRNG.
-For applications that can catch Windows events, seeding the PRNG by
-calling RAND_event() is a significantly better source of
-randomness. It should be noted that both methods cannot be used on
-servers that run without user interaction.
-
-=head1 RETURN VALUES
-
-RAND_status() and RAND_event() return 1 if the PRNG has been seeded
-with enough data, 0 otherwise.
-
-The other functions do not return values.
-
-=head1 SEE ALSO
-
-L<rand(3)|rand(3)>, L<RAND_egd(3)|RAND_egd(3)>,
-L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
-
-=head1 HISTORY
-
-RAND_seed() and RAND_screen() are available in all versions of SSLeay
-and OpenSSL. RAND_add() and RAND_status() have been added in OpenSSL
-0.9.5, RAND_event() in OpenSSL 0.9.5a.
-
-=cut
diff --git a/doc/crypto/RAND_bytes.pod b/doc/crypto/RAND_bytes.pod
deleted file mode 100644
index 1a9b91e28144..000000000000
--- a/doc/crypto/RAND_bytes.pod
+++ /dev/null
@@ -1,50 +0,0 @@
-=pod
-
-=head1 NAME
-
-RAND_bytes, RAND_pseudo_bytes - generate random data
-
-=head1 SYNOPSIS
-
- #include <openssl/rand.h>
-
- int RAND_bytes(unsigned char *buf, int num);
-
- int RAND_pseudo_bytes(unsigned char *buf, int num);
-
-=head1 DESCRIPTION
-
-RAND_bytes() puts B<num> cryptographically strong pseudo-random bytes
-into B<buf>. An error occurs if the PRNG has not been seeded with
-enough randomness to ensure an unpredictable byte sequence.
-
-RAND_pseudo_bytes() puts B<num> pseudo-random bytes into B<buf>.
-Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be
-unique if they are of sufficient length, but are not necessarily
-unpredictable. They can be used for non-cryptographic purposes and for
-certain purposes in cryptographic protocols, but usually not for key
-generation etc.
-
-The contents of B<buf> is mixed into the entropy pool before retrieving
-the new pseudo-random bytes unless disabled at compile time (see FAQ).
-
-=head1 RETURN VALUES
-
-RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
-bytes generated are cryptographically strong, 0 otherwise. Both
-functions return -1 if they are not supported by the current RAND
-method.
-
-=head1 SEE ALSO
-
-L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<RAND_add(3)|RAND_add(3)>
-
-=head1 HISTORY
-
-RAND_bytes() is available in all versions of SSLeay and OpenSSL. It
-has a return value since OpenSSL 0.9.5. RAND_pseudo_bytes() was added
-in OpenSSL 0.9.5.
-
-=cut
diff --git a/doc/crypto/RAND_cleanup.pod b/doc/crypto/RAND_cleanup.pod
deleted file mode 100644
index 3a8f0749a8d4..000000000000
--- a/doc/crypto/RAND_cleanup.pod
+++ /dev/null
@@ -1,29 +0,0 @@
-=pod
-
-=head1 NAME
-
-RAND_cleanup - erase the PRNG state
-
-=head1 SYNOPSIS
-
- #include <openssl/rand.h>
-
- void RAND_cleanup(void);
-
-=head1 DESCRIPTION
-
-RAND_cleanup() erases the memory used by the PRNG.
-
-=head1 RETURN VALUE
-
-RAND_cleanup() returns no value.
-
-=head1 SEE ALSO
-
-L<rand(3)|rand(3)>
-
-=head1 HISTORY
-
-RAND_cleanup() is available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/RAND_egd.pod b/doc/crypto/RAND_egd.pod
deleted file mode 100644
index 80fa734d1865..000000000000
--- a/doc/crypto/RAND_egd.pod
+++ /dev/null
@@ -1,88 +0,0 @@
-=pod
-
-=head1 NAME
-
-RAND_egd, RAND_egd_bytes, RAND_query_egd_bytes - query entropy gathering daemon
-
-=head1 SYNOPSIS
-
- #include <openssl/rand.h>
-
- int RAND_egd(const char *path);
- int RAND_egd_bytes(const char *path, int bytes);
-
- int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes);
-
-=head1 DESCRIPTION
-
-RAND_egd() queries the entropy gathering daemon EGD on socket B<path>.
-It queries 255 bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
-OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for
-RAND_egd_bytes(path, 255);
-
-RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B<path>.
-It queries B<bytes> bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
-OpenSSL built-in PRNG.
-This function is more flexible than RAND_egd().
-When only one secret key must
-be generated, it is not necessary to request the full amount 255 bytes from
-the EGD socket. This can be advantageous, since the amount of entropy
-that can be retrieved from EGD over time is limited.
-
-RAND_query_egd_bytes() performs the actual query of the EGD daemon on socket
-B<path>. If B<buf> is given, B<bytes> bytes are queried and written into
-B<buf>. If B<buf> is NULL, B<bytes> bytes are queried and used to seed the
-OpenSSL built-in PRNG using L<RAND_add(3)|RAND_add(3)>.
-
-=head1 NOTES
-
-On systems without /dev/*random devices providing entropy from the kernel,
-the EGD entropy gathering daemon can be used to collect entropy. It provides
-a socket interface through which entropy can be gathered in chunks up to
-255 bytes. Several chunks can be queried during one connection.
-
-EGD is available from http://www.lothar.com/tech/crypto/ (C<perl
-Makefile.PL; make; make install> to install). It is run as B<egd>
-I<path>, where I<path> is an absolute path designating a socket. When
-RAND_egd() is called with that path as an argument, it tries to read
-random bytes that EGD has collected. RAND_egd() retrieves entropy from the
-daemon using the daemon's "non-blocking read" command which shall
-be answered immediately by the daemon without waiting for additional
-entropy to be collected. The write and read socket operations in the
-communication are blocking.
-
-Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is
-available from
-http://prngd.sourceforge.net/ .
-PRNGD does employ an internal PRNG itself and can therefore never run
-out of entropy.
-
-OpenSSL automatically queries EGD when entropy is requested via RAND_bytes()
-or the status is checked via RAND_status() for the first time, if the socket
-is located at /var/run/egd-pool, /dev/egd-pool or /etc/egd-pool.
-
-=head1 RETURN VALUE
-
-RAND_egd() and RAND_egd_bytes() return the number of bytes read from the
-daemon on success, and -1 if the connection failed or the daemon did not
-return enough data to fully seed the PRNG.
-
-RAND_query_egd_bytes() returns the number of bytes read from the daemon on
-success, and -1 if the connection failed. The PRNG state is not considered.
-
-=head1 SEE ALSO
-
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>,
-L<RAND_cleanup(3)|RAND_cleanup(3)>
-
-=head1 HISTORY
-
-RAND_egd() is available since OpenSSL 0.9.5.
-
-RAND_egd_bytes() is available since OpenSSL 0.9.6.
-
-RAND_query_egd_bytes() is available since OpenSSL 0.9.7.
-
-The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/RAND_load_file.pod b/doc/crypto/RAND_load_file.pod
deleted file mode 100644
index d8c134e621d1..000000000000
--- a/doc/crypto/RAND_load_file.pod
+++ /dev/null
@@ -1,53 +0,0 @@
-=pod
-
-=head1 NAME
-
-RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file
-
-=head1 SYNOPSIS
-
- #include <openssl/rand.h>
-
- const char *RAND_file_name(char *buf, size_t num);
-
- int RAND_load_file(const char *filename, long max_bytes);
-
- int RAND_write_file(const char *filename);
-
-=head1 DESCRIPTION
-
-RAND_file_name() generates a default path for the random seed
-file. B<buf> points to a buffer of size B<num> in which to store the
-filename. The seed file is $RANDFILE if that environment variable is
-set, $HOME/.rnd otherwise. If $HOME is not set either, or B<num> is
-too small for the path name, an error occurs.
-
-RAND_load_file() reads a number of bytes from file B<filename> and
-adds them to the PRNG. If B<max_bytes> is non-negative,
-up to to B<max_bytes> are read; starting with OpenSSL 0.9.5,
-if B<max_bytes> is -1, the complete file is read.
-
-RAND_write_file() writes a number of random bytes (currently 1024) to
-file B<filename> which can be used to initialize the PRNG by calling
-RAND_load_file() in a later session.
-
-=head1 RETURN VALUES
-
-RAND_load_file() returns the number of bytes read.
-
-RAND_write_file() returns the number of bytes written, and -1 if the
-bytes written were generated without appropriate seed.
-
-RAND_file_name() returns a pointer to B<buf> on success, and NULL on
-error.
-
-=head1 SEE ALSO
-
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
-
-=head1 HISTORY
-
-RAND_load_file(), RAND_write_file() and RAND_file_name() are available in
-all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/RAND_set_rand_method.pod b/doc/crypto/RAND_set_rand_method.pod
deleted file mode 100644
index e5b780fad06b..000000000000
--- a/doc/crypto/RAND_set_rand_method.pod
+++ /dev/null
@@ -1,83 +0,0 @@
-=pod
-
-=head1 NAME
-
-RAND_set_rand_method, RAND_get_rand_method, RAND_SSLeay - select RAND method
-
-=head1 SYNOPSIS
-
- #include <openssl/rand.h>
-
- void RAND_set_rand_method(const RAND_METHOD *meth);
-
- const RAND_METHOD *RAND_get_rand_method(void);
-
- RAND_METHOD *RAND_SSLeay(void);
-
-=head1 DESCRIPTION
-
-A B<RAND_METHOD> specifies the functions that OpenSSL uses for random number
-generation. By modifying the method, alternative implementations such as
-hardware RNGs may be used. IMPORTANT: See the NOTES section for important
-information about how these RAND API functions are affected by the use of
-B<ENGINE> API calls.
-
-Initially, the default RAND_METHOD is the OpenSSL internal implementation, as
-returned by RAND_SSLeay().
-
-RAND_set_default_method() makes B<meth> the method for PRNG use. B<NB>: This is
-true only whilst no ENGINE has been set as a default for RAND, so this function
-is no longer recommended.
-
-RAND_get_default_method() returns a pointer to the current RAND_METHOD.
-However, the meaningfulness of this result is dependent on whether the ENGINE
-API is being used, so this function is no longer recommended.
-
-=head1 THE RAND_METHOD STRUCTURE
-
- typedef struct rand_meth_st
- {
- void (*seed)(const void *buf, int num);
- int (*bytes)(unsigned char *buf, int num);
- void (*cleanup)(void);
- void (*add)(const void *buf, int num, int entropy);
- int (*pseudorand)(unsigned char *buf, int num);
- int (*status)(void);
- } RAND_METHOD;
-
-The components point to the implementation of RAND_seed(),
-RAND_bytes(), RAND_cleanup(), RAND_add(), RAND_pseudo_rand()
-and RAND_status().
-Each component may be NULL if the function is not implemented.
-
-=head1 RETURN VALUES
-
-RAND_set_rand_method() returns no value. RAND_get_rand_method() and
-RAND_SSLeay() return pointers to the respective methods.
-
-=head1 NOTES
-
-As of version 0.9.7, RAND_METHOD implementations are grouped together with other
-algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
-default ENGINE is specified for RAND functionality using an ENGINE API function,
-that will override any RAND defaults set using the RAND API (ie.
-RAND_set_rand_method()). For this reason, the ENGINE API is the recommended way
-to control default implementations for use in RAND and other cryptographic
-algorithms.
-
-=head1 SEE ALSO
-
-L<rand(3)|rand(3)>, L<engine(3)|engine(3)>
-
-=head1 HISTORY
-
-RAND_set_rand_method(), RAND_get_rand_method() and RAND_SSLeay() are
-available in all versions of OpenSSL.
-
-In the engine version of version 0.9.6, RAND_set_rand_method() was altered to
-take an ENGINE pointer as its argument. As of version 0.9.7, that has been
-reverted as the ENGINE API transparently overrides RAND defaults if used,
-otherwise RAND API functions work as before. RAND_set_rand_engine() was also
-introduced in version 0.9.7.
-
-=cut
diff --git a/doc/crypto/RSA_blinding_on.pod b/doc/crypto/RSA_blinding_on.pod
deleted file mode 100644
index fd2c69abd867..000000000000
--- a/doc/crypto/RSA_blinding_on.pod
+++ /dev/null
@@ -1,43 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing attacks
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
-
- void RSA_blinding_off(RSA *rsa);
-
-=head1 DESCRIPTION
-
-RSA is vulnerable to timing attacks. In a setup where attackers can
-measure the time of RSA decryption or signature operations, blinding
-must be used to protect the RSA operation from that attack.
-
-RSA_blinding_on() turns blinding on for key B<rsa> and generates a
-random blinding factor. B<ctx> is B<NULL> or a pre-allocated and
-initialized B<BN_CTX>. The random number generator must be seeded
-prior to calling RSA_blinding_on().
-
-RSA_blinding_off() turns blinding off and frees the memory used for
-the blinding factor.
-
-=head1 RETURN VALUES
-
-RSA_blinding_on() returns 1 on success, and 0 if an error occurred.
-
-RSA_blinding_off() returns no value.
-
-=head1 SEE ALSO
-
-L<rsa(3)|rsa(3)>, L<rand(3)|rand(3)>
-
-=head1 HISTORY
-
-RSA_blinding_on() and RSA_blinding_off() appeared in SSLeay 0.9.0.
-
-=cut
diff --git a/doc/crypto/RSA_check_key.pod b/doc/crypto/RSA_check_key.pod
deleted file mode 100644
index a5198f3db5b5..000000000000
--- a/doc/crypto/RSA_check_key.pod
+++ /dev/null
@@ -1,67 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_check_key - validate private RSA keys
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_check_key(RSA *rsa);
-
-=head1 DESCRIPTION
-
-This function validates RSA keys. It checks that B<p> and B<q> are
-in fact prime, and that B<n = p*q>.
-
-It also checks that B<d*e = 1 mod (p-1*q-1)>,
-and that B<dmp1>, B<dmq1> and B<iqmp> are set correctly or are B<NULL>.
-
-As such, this function can not be used with any arbitrary RSA key object,
-even if it is otherwise fit for regular RSA operation. See B<NOTES> for more
-information.
-
-=head1 RETURN VALUE
-
-RSA_check_key() returns 1 if B<rsa> is a valid RSA key, and 0 otherwise.
--1 is returned if an error occurs while checking the key.
-
-If the key is invalid or an error occurred, the reason code can be
-obtained using L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 NOTES
-
-This function does not work on RSA public keys that have only the modulus
-and public exponent elements populated. It performs integrity checks on all
-the RSA key material, so the RSA key structure must contain all the private
-key data too.
-
-Unlike most other RSA functions, this function does B<not> work
-transparently with any underlying ENGINE implementation because it uses the
-key data in the RSA structure directly. An ENGINE implementation can
-override the way key data is stored and handled, and can even provide
-support for HSM keys - in which case the RSA structure may contain B<no>
-key data at all! If the ENGINE in question is only being used for
-acceleration or analysis purposes, then in all likelihood the RSA key data
-is complete and untouched, but this can't be assumed in the general case.
-
-=head1 BUGS
-
-A method of verifying the RSA key using opaque RSA API functions might need
-to be considered. Right now RSA_check_key() simply uses the RSA structure
-elements directly, bypassing the RSA_METHOD table altogether (and
-completely violating encapsulation and object-orientation in the process).
-The best fix will probably be to introduce a "check_key()" handler to the
-RSA_METHOD function table so that alternative implementations can also
-provide their own verifiers.
-
-=head1 SEE ALSO
-
-L<rsa(3)|rsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
-
-=head1 HISTORY
-
-RSA_check_key() appeared in OpenSSL 0.9.4.
-
-=cut
diff --git a/doc/crypto/RSA_generate_key.pod b/doc/crypto/RSA_generate_key.pod
deleted file mode 100644
index 0882a1a59d71..000000000000
--- a/doc/crypto/RSA_generate_key.pod
+++ /dev/null
@@ -1,80 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_generate_key_ex, RSA_generate_key - generate RSA key pair
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-
-Deprecated:
-
- RSA *RSA_generate_key(int num, unsigned long e,
- void (*callback)(int,int,void *), void *cb_arg);
-
-=head1 DESCRIPTION
-
-RSA_generate_key_ex() generates a key pair and stores it in the B<RSA>
-structure provided in B<rsa>. The pseudo-random number generator must
-be seeded prior to calling RSA_generate_key_ex().
-
-The modulus size will be of length B<bits>, and the public exponent will be
-B<e>. Key sizes with B<num> E<lt> 1024 should be considered insecure.
-The exponent is an odd number, typically 3, 17 or 65537.
-
-A callback function may be used to provide feedback about the
-progress of the key generation. If B<cb> is not B<NULL>, it
-will be called as follows using the BN_GENCB_call() function
-described on the L<BN_generate_prime(3)|BN_generate_prime(3)> page.
-
-=over 4
-
-=item *
-
-While a random prime number is generated, it is called as
-described in L<BN_generate_prime(3)|BN_generate_prime(3)>.
-
-=item *
-
-When the n-th randomly generated prime is rejected as not
-suitable for the key, B<BN_GENCB_call(cb, 2, n)> is called.
-
-=item *
-
-When a random p has been found with p-1 relatively prime to B<e>,
-it is called as B<BN_GENCB_call(cb, 3, 0)>.
-
-=back
-
-The process is then repeated for prime q with B<BN_GENCB_call(cb, 3, 1)>.
-
-RSA_generate_key is deprecated (new applications should use
-RSA_generate_key_ex instead). RSA_generate_key works in the same way as
-RSA_generate_key_ex except it uses "old style" call backs. See
-L<BN_generate_prime(3)|BN_generate_prime(3)> for further details.
-
-=head1 RETURN VALUE
-
-If key generation fails, RSA_generate_key() returns B<NULL>.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 BUGS
-
-B<BN_GENCB_call(cb, 2, x)> is used with two different meanings.
-
-RSA_generate_key() goes into an infinite loop for illegal input values.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_free(3)|RSA_free(3)>, L<BN_generate_prime(3)|BN_generate_prime(3)>
-
-=head1 HISTORY
-
-The B<cb_arg> argument was added in SSLeay 0.9.0.
-
-=cut
diff --git a/doc/crypto/RSA_get_ex_new_index.pod b/doc/crypto/RSA_get_ex_new_index.pod
deleted file mode 100644
index 7d0fd1f91de9..000000000000
--- a/doc/crypto/RSA_get_ex_new_index.pod
+++ /dev/null
@@ -1,120 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application specific data to RSA structures
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
-
- int RSA_set_ex_data(RSA *r, int idx, void *arg);
-
- void *RSA_get_ex_data(RSA *r, int idx);
-
- typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
- typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
- typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
- int idx, long argl, void *argp);
-
-=head1 DESCRIPTION
-
-Several OpenSSL structures can have application specific data attached to them.
-This has several potential uses, it can be used to cache data associated with
-a structure (for example the hash of some part of the structure) or some
-additional data (for example a handle to the data in an external library).
-
-Since the application data can be anything at all it is passed and retrieved
-as a B<void *> type.
-
-The B<RSA_get_ex_new_index()> function is initially called to "register" some
-new application specific data. It takes three optional function pointers which
-are called when the parent structure (in this case an RSA structure) is
-initially created, when it is copied and when it is freed up. If any or all of
-these function pointer arguments are not used they should be set to NULL. The
-precise manner in which these function pointers are called is described in more
-detail below. B<RSA_get_ex_new_index()> also takes additional long and pointer
-parameters which will be passed to the supplied functions but which otherwise
-have no special meaning. It returns an B<index> which should be stored
-(typically in a static variable) and passed used in the B<idx> parameter in
-the remaining functions. Each successful call to B<RSA_get_ex_new_index()>
-will return an index greater than any previously returned, this is important
-because the optional functions are called in order of increasing index value.
-
-B<RSA_set_ex_data()> is used to set application specific data, the data is
-supplied in the B<arg> parameter and its precise meaning is up to the
-application.
-
-B<RSA_get_ex_data()> is used to retrieve application specific data. The data
-is returned to the application, this will be the same value as supplied to
-a previous B<RSA_set_ex_data()> call.
-
-B<new_func()> is called when a structure is initially allocated (for example
-with B<RSA_new()>. The parent structure members will not have any meaningful
-values at this point. This function will typically be used to allocate any
-application specific structure.
-
-B<free_func()> is called when a structure is being freed up. The dynamic parent
-structure members should not be accessed because they will be freed up when
-this function is called.
-
-B<new_func()> and B<free_func()> take the same parameters. B<parent> is a
-pointer to the parent RSA structure. B<ptr> is a the application specific data
-(this wont be of much use in B<new_func()>. B<ad> is a pointer to the
-B<CRYPTO_EX_DATA> structure from the parent RSA structure: the functions
-B<CRYPTO_get_ex_data()> and B<CRYPTO_set_ex_data()> can be called to manipulate
-it. The B<idx> parameter is the index: this will be the same value returned by
-B<RSA_get_ex_new_index()> when the functions were initially registered. Finally
-the B<argl> and B<argp> parameters are the values originally passed to the same
-corresponding parameters when B<RSA_get_ex_new_index()> was called.
-
-B<dup_func()> is called when a structure is being copied. Pointers to the
-destination and source B<CRYPTO_EX_DATA> structures are passed in the B<to> and
-B<from> parameters respectively. The B<from_d> parameter is passed a pointer to
-the source application data when the function is called, when the function returns
-the value is copied to the destination: the application can thus modify the data
-pointed to by B<from_d> and have different values in the source and destination.
-The B<idx>, B<argl> and B<argp> parameters are the same as those in B<new_func()>
-and B<free_func()>.
-
-=head1 RETURN VALUES
-
-B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a valid
-index value).
-
-B<RSA_set_ex_data()> returns 1 on success or 0 on failure.
-
-B<RSA_get_ex_data()> returns the application data or 0 on failure. 0 may also
-be valid application data but currently it can only fail if given an invalid B<idx>
-parameter.
-
-B<new_func()> and B<dup_func()> should return 0 for failure and 1 for success.
-
-On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 BUGS
-
-B<dup_func()> is currently never called.
-
-The return value of B<new_func()> is ignored.
-
-The B<new_func()> function isn't very useful because no meaningful values are
-present in the parent RSA structure when it is called.
-
-=head1 SEE ALSO
-
-L<rsa(3)|rsa(3)>, L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
-
-=head1 HISTORY
-
-RSA_get_ex_new_index(), RSA_set_ex_data() and RSA_get_ex_data() are
-available since SSLeay 0.9.0.
-
-=cut
diff --git a/doc/crypto/RSA_new.pod b/doc/crypto/RSA_new.pod
deleted file mode 100644
index 3d15b928243d..000000000000
--- a/doc/crypto/RSA_new.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_new, RSA_free - allocate and free RSA objects
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- RSA * RSA_new(void);
-
- void RSA_free(RSA *rsa);
-
-=head1 DESCRIPTION
-
-RSA_new() allocates and initializes an B<RSA> structure. It is equivalent to
-calling RSA_new_method(NULL).
-
-RSA_free() frees the B<RSA> structure and its components. The key is
-erased before the memory is returned to the system.
-
-=head1 RETURN VALUES
-
-If the allocation fails, RSA_new() returns B<NULL> and sets an error
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
-a pointer to the newly allocated structure.
-
-RSA_free() returns no value.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_generate_key(3)|RSA_generate_key(3)>,
-L<RSA_new_method(3)|RSA_new_method(3)>
-
-=head1 HISTORY
-
-RSA_new() and RSA_free() are available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
deleted file mode 100644
index f20f815d4786..000000000000
--- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
+++ /dev/null
@@ -1,131 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
-RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
-RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
-RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
-RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
-padding
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- unsigned char *f, int fl);
-
- int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
-
- int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- unsigned char *f, int fl);
-
- int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
-
- int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- unsigned char *f, int fl, unsigned char *p, int pl);
-
- int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len, unsigned char *p, int pl);
-
- int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
- unsigned char *f, int fl);
-
- int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
-
- int RSA_padding_add_none(unsigned char *to, int tlen,
- unsigned char *f, int fl);
-
- int RSA_padding_check_none(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
-
-=head1 DESCRIPTION
-
-The RSA_padding_xxx_xxx() functions are called from the RSA encrypt,
-decrypt, sign and verify functions. Normally they should not be called
-from application programs.
-
-However, they can also be called directly to implement padding for other
-asymmetric ciphers. RSA_padding_add_PKCS1_OAEP() and
-RSA_padding_check_PKCS1_OAEP() may be used in an application combined
-with B<RSA_NO_PADDING> in order to implement OAEP with an encoding
-parameter.
-
-RSA_padding_add_xxx() encodes B<fl> bytes from B<f> so as to fit into
-B<tlen> bytes and stores the result at B<to>. An error occurs if B<fl>
-does not meet the size requirements of the encoding method.
-
-The following encoding methods are implemented:
-
-=over 4
-
-=item PKCS1_type_1
-
-PKCS #1 v2.0 EMSA-PKCS1-v1_5 (PKCS #1 v1.5 block type 1); used for signatures
-
-=item PKCS1_type_2
-
-PKCS #1 v2.0 EME-PKCS1-v1_5 (PKCS #1 v1.5 block type 2)
-
-=item PKCS1_OAEP
-
-PKCS #1 v2.0 EME-OAEP
-
-=item SSLv23
-
-PKCS #1 EME-PKCS1-v1_5 with SSL-specific modification
-
-=item none
-
-simply copy the data
-
-=back
-
-The random number generator must be seeded prior to calling
-RSA_padding_add_xxx().
-
-RSA_padding_check_xxx() verifies that the B<fl> bytes at B<f> contain
-a valid encoding for a B<rsa_len> byte RSA key in the respective
-encoding method and stores the recovered data of at most B<tlen> bytes
-(for B<RSA_NO_PADDING>: of size B<tlen>)
-at B<to>.
-
-For RSA_padding_xxx_OAEP(), B<p> points to the encoding parameter
-of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
-
-=head1 RETURN VALUES
-
-The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
-The RSA_padding_check_xxx() functions return the length of the
-recovered data, -1 on error. Error codes can be obtained by calling
-L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 WARNING
-
-The RSA_padding_check_PKCS1_type_2() padding check leaks timing
-information which can potentially be used to mount a Bleichenbacher
-padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding.
-
-=head1 SEE ALSO
-
-L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
-L<RSA_private_decrypt(3)|RSA_private_decrypt(3)>,
-L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
-
-=head1 HISTORY
-
-RSA_padding_add_PKCS1_type_1(), RSA_padding_check_PKCS1_type_1(),
-RSA_padding_add_PKCS1_type_2(), RSA_padding_check_PKCS1_type_2(),
-RSA_padding_add_SSLv23(), RSA_padding_check_SSLv23(),
-RSA_padding_add_none() and RSA_padding_check_none() appeared in
-SSLeay 0.9.0.
-
-RSA_padding_add_PKCS1_OAEP() and RSA_padding_check_PKCS1_OAEP() were
-added in OpenSSL 0.9.2b.
-
-=cut
diff --git a/doc/crypto/RSA_print.pod b/doc/crypto/RSA_print.pod
deleted file mode 100644
index c971e91f4db6..000000000000
--- a/doc/crypto/RSA_print.pod
+++ /dev/null
@@ -1,49 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_print, RSA_print_fp,
-DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp,
-DHparams_print, DHparams_print_fp - print cryptographic parameters
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_print(BIO *bp, RSA *x, int offset);
- int RSA_print_fp(FILE *fp, RSA *x, int offset);
-
- #include <openssl/dsa.h>
-
- int DSAparams_print(BIO *bp, DSA *x);
- int DSAparams_print_fp(FILE *fp, DSA *x);
- int DSA_print(BIO *bp, DSA *x, int offset);
- int DSA_print_fp(FILE *fp, DSA *x, int offset);
-
- #include <openssl/dh.h>
-
- int DHparams_print(BIO *bp, DH *x);
- int DHparams_print_fp(FILE *fp, DH *x);
-
-=head1 DESCRIPTION
-
-A human-readable hexadecimal output of the components of the RSA
-key, DSA parameters or key or DH parameters is printed to B<bp> or B<fp>.
-
-The output lines are indented by B<offset> spaces.
-
-=head1 RETURN VALUES
-
-These functions return 1 on success, 0 on error.
-
-=head1 SEE ALSO
-
-L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
-
-=head1 HISTORY
-
-RSA_print(), RSA_print_fp(), DSA_print(), DSA_print_fp(), DH_print(),
-DH_print_fp() are available in all versions of SSLeay and OpenSSL.
-DSAparams_print() and DSAparams_print_fp() were added in SSLeay 0.8.
-
-=cut
diff --git a/doc/crypto/RSA_private_encrypt.pod b/doc/crypto/RSA_private_encrypt.pod
deleted file mode 100644
index 3e1f895c5ad8..000000000000
--- a/doc/crypto/RSA_private_encrypt.pod
+++ /dev/null
@@ -1,70 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_private_encrypt, RSA_public_decrypt - low level signature operations
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
- int RSA_public_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
-=head1 DESCRIPTION
-
-These functions handle RSA signatures at a low level.
-
-RSA_private_encrypt() signs the B<flen> bytes at B<from> (usually a
-message digest with an algorithm identifier) using the private key
-B<rsa> and stores the signature in B<to>. B<to> must point to
-B<RSA_size(rsa)> bytes of memory.
-
-B<padding> denotes one of the following modes:
-
-=over 4
-
-=item RSA_PKCS1_PADDING
-
-PKCS #1 v1.5 padding. This function does not handle the
-B<algorithmIdentifier> specified in PKCS #1. When generating or
-verifying PKCS #1 signatures, L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be
-used.
-
-=item RSA_NO_PADDING
-
-Raw RSA signature. This mode should I<only> be used to implement
-cryptographically sound padding modes in the application code.
-Signing user data directly with RSA is insecure.
-
-=back
-
-RSA_public_decrypt() recovers the message digest from the B<flen>
-bytes long signature at B<from> using the signer's public key
-B<rsa>. B<to> must point to a memory section large enough to hold the
-message digest (which is smaller than B<RSA_size(rsa) -
-11>). B<padding> is the padding mode that was used to sign the data.
-
-=head1 RETURN VALUES
-
-RSA_private_encrypt() returns the size of the signature (i.e.,
-RSA_size(rsa)). RSA_public_decrypt() returns the size of the
-recovered message digest.
-
-On error, -1 is returned; the error codes can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
-
-=head1 HISTORY
-
-The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
-available since SSLeay 0.9.0.
-
-=cut
diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod
deleted file mode 100644
index 4d7c1f2cac7a..000000000000
--- a/doc/crypto/RSA_public_encrypt.pod
+++ /dev/null
@@ -1,91 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_public_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
- int RSA_private_decrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
-=head1 DESCRIPTION
-
-RSA_public_encrypt() encrypts the B<flen> bytes at B<from> (usually a
-session key) using the public key B<rsa> and stores the ciphertext in
-B<to>. B<to> must point to RSA_size(B<rsa>) bytes of memory.
-
-B<padding> denotes one of the following modes:
-
-=over 4
-
-=item RSA_PKCS1_PADDING
-
-PKCS #1 v1.5 padding. This currently is the most widely used mode.
-
-=item RSA_PKCS1_OAEP_PADDING
-
-EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty
-encoding parameter. This mode is recommended for all new applications.
-
-=item RSA_SSLV23_PADDING
-
-PKCS #1 v1.5 padding with an SSL-specific modification that denotes
-that the server is SSL3 capable.
-
-=item RSA_NO_PADDING
-
-Raw RSA encryption. This mode should I<only> be used to implement
-cryptographically sound padding modes in the application code.
-Encrypting user data directly with RSA is insecure.
-
-=back
-
-B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-based padding modes, less than RSA_size(B<rsa>) - 41 for
-RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
-The random number generator must be seeded prior to calling
-RSA_public_encrypt().
-
-RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
-private key B<rsa> and stores the plaintext in B<to>. B<to> must point
-to a memory section large enough to hold the decrypted data (which is
-smaller than RSA_size(B<rsa>)). B<padding> is the padding mode that
-was used to encrypt the data.
-
-=head1 RETURN VALUES
-
-RSA_public_encrypt() returns the size of the encrypted data (i.e.,
-RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
-recovered plaintext.
-
-On error, -1 is returned; the error codes can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 WARNING
-
-Decryption failures in the RSA_PKCS1_PADDING mode leak information
-which can potentially be used to mount a Bleichenbacher padding oracle
-attack. This is an inherent weakness in the PKCS #1 v1.5 padding
-design. Prefer RSA_PKCS1_OAEP_PADDING.
-
-=head1 CONFORMING TO
-
-SSL, PKCS #1 v2.0
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_size(3)|RSA_size(3)>
-
-=head1 HISTORY
-
-The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
-available since SSLeay 0.9.0, OAEP was added in OpenSSL 0.9.2b.
-
-=cut
diff --git a/doc/crypto/RSA_set_method.pod b/doc/crypto/RSA_set_method.pod
deleted file mode 100644
index 0ef078118651..000000000000
--- a/doc/crypto/RSA_set_method.pod
+++ /dev/null
@@ -1,206 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_set_default_method, RSA_get_default_method, RSA_set_method,
-RSA_get_method, RSA_PKCS1_SSLeay, RSA_null_method, RSA_flags,
-RSA_new_method - select RSA method
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- void RSA_set_default_method(const RSA_METHOD *meth);
-
- RSA_METHOD *RSA_get_default_method(void);
-
- int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
-
- RSA_METHOD *RSA_get_method(const RSA *rsa);
-
- RSA_METHOD *RSA_PKCS1_SSLeay(void);
-
- RSA_METHOD *RSA_null_method(void);
-
- int RSA_flags(const RSA *rsa);
-
- RSA *RSA_new_method(RSA_METHOD *method);
-
-=head1 DESCRIPTION
-
-An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
-operations. By modifying the method, alternative implementations such as
-hardware accelerators may be used. IMPORTANT: See the NOTES section for
-important information about how these RSA API functions are affected by the
-use of B<ENGINE> API calls.
-
-Initially, the default RSA_METHOD is the OpenSSL internal implementation,
-as returned by RSA_PKCS1_SSLeay().
-
-RSA_set_default_method() makes B<meth> the default method for all RSA
-structures created later. B<NB>: This is true only whilst no ENGINE has
-been set as a default for RSA, so this function is no longer recommended.
-
-RSA_get_default_method() returns a pointer to the current default
-RSA_METHOD. However, the meaningfulness of this result is dependent on
-whether the ENGINE API is being used, so this function is no longer
-recommended.
-
-RSA_set_method() selects B<meth> to perform all operations using the key
-B<rsa>. This will replace the RSA_METHOD used by the RSA key and if the
-previous method was supplied by an ENGINE, the handle to that ENGINE will
-be released during the change. It is possible to have RSA keys that only
-work with certain RSA_METHOD implementations (eg. from an ENGINE module
-that supports embedded hardware-protected keys), and in such cases
-attempting to change the RSA_METHOD for the key can have unexpected
-results.
-
-RSA_get_method() returns a pointer to the RSA_METHOD being used by B<rsa>.
-This method may or may not be supplied by an ENGINE implementation, but if
-it is, the return value can only be guaranteed to be valid as long as the
-RSA key itself is valid and does not have its implementation changed by
-RSA_set_method().
-
-RSA_flags() returns the B<flags> that are set for B<rsa>'s current
-RSA_METHOD. See the BUGS section.
-
-RSA_new_method() allocates and initializes an RSA structure so that
-B<engine> will be used for the RSA operations. If B<engine> is NULL, the
-default ENGINE for RSA operations is used, and if no default ENGINE is set,
-the RSA_METHOD controlled by RSA_set_default_method() is used.
-
-RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
-
-RSA_new_method() allocates and initializes an B<RSA> structure so that
-B<method> will be used for the RSA operations. If B<method> is B<NULL>,
-the default method is used.
-
-=head1 THE RSA_METHOD STRUCTURE
-
- typedef struct rsa_meth_st
- {
- /* name of the implementation */
- const char *name;
-
- /* encrypt */
- int (*rsa_pub_enc)(int flen, unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
- /* verify arbitrary data */
- int (*rsa_pub_dec)(int flen, unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
- /* sign arbitrary data */
- int (*rsa_priv_enc)(int flen, unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
- /* decrypt */
- int (*rsa_priv_dec)(int flen, unsigned char *from,
- unsigned char *to, RSA *rsa, int padding);
-
- /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some
- implementations) */
- int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
-
- /* compute r = a ^ p mod m (May be NULL for some implementations) */
- int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-
- /* called at RSA_new */
- int (*init)(RSA *rsa);
-
- /* called at RSA_free */
- int (*finish)(RSA *rsa);
-
- /* RSA_FLAG_EXT_PKEY - rsa_mod_exp is called for private key
- * operations, even if p,q,dmp1,dmq1,iqmp
- * are NULL
- * RSA_FLAG_SIGN_VER - enable rsa_sign and rsa_verify
- * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match
- */
- int flags;
-
- char *app_data; /* ?? */
-
- /* sign. For backward compatibility, this is used only
- * if (flags & RSA_FLAG_SIGN_VER)
- */
- int (*rsa_sign)(int type,
- const unsigned char *m, unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
- /* verify. For backward compatibility, this is used only
- * if (flags & RSA_FLAG_SIGN_VER)
- */
- int (*rsa_verify)(int dtype,
- const unsigned char *m, unsigned int m_length,
- const unsigned char *sigbuf, unsigned int siglen,
- const RSA *rsa);
- /* keygen. If NULL builtin RSA key generation will be used */
- int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
-
- } RSA_METHOD;
-
-=head1 RETURN VALUES
-
-RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_method()
-and RSA_get_method() return pointers to the respective RSA_METHODs.
-
-RSA_set_default_method() returns no value.
-
-RSA_set_method() returns a pointer to the old RSA_METHOD implementation
-that was replaced. However, this return value should probably be ignored
-because if it was supplied by an ENGINE, the pointer could be invalidated
-at any time if the ENGINE is unloaded (in fact it could be unloaded as a
-result of the RSA_set_method() function releasing its handle to the
-ENGINE). For this reason, the return type may be replaced with a B<void>
-declaration in a future release.
-
-RSA_new_method() returns NULL and sets an error code that can be obtained
-by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise
-it returns a pointer to the newly allocated structure.
-
-=head1 NOTES
-
-As of version 0.9.7, RSA_METHOD implementations are grouped together with
-other algorithmic APIs (eg. DSA_METHOD, EVP_CIPHER, etc) into B<ENGINE>
-modules. If a default ENGINE is specified for RSA functionality using an
-ENGINE API function, that will override any RSA defaults set using the RSA
-API (ie. RSA_set_default_method()). For this reason, the ENGINE API is the
-recommended way to control default implementations for use in RSA and other
-cryptographic algorithms.
-
-=head1 BUGS
-
-The behaviour of RSA_flags() is a mis-feature that is left as-is for now
-to avoid creating compatibility problems. RSA functionality, such as the
-encryption functions, are controlled by the B<flags> value in the RSA key
-itself, not by the B<flags> value in the RSA_METHOD attached to the RSA key
-(which is what this function returns). If the flags element of an RSA key
-is changed, the changes will be honoured by RSA functionality but will not
-be reflected in the return value of the RSA_flags() function - in effect
-RSA_flags() behaves more like an RSA_default_flags() function (which does
-not currently exist).
-
-=head1 SEE ALSO
-
-L<rsa(3)|rsa(3)>, L<RSA_new(3)|RSA_new(3)>
-
-=head1 HISTORY
-
-RSA_new_method() and RSA_set_default_method() appeared in SSLeay 0.8.
-RSA_get_default_method(), RSA_set_method() and RSA_get_method() as
-well as the rsa_sign and rsa_verify components of RSA_METHOD were
-added in OpenSSL 0.9.4.
-
-RSA_set_default_openssl_method() and RSA_get_default_openssl_method()
-replaced RSA_set_default_method() and RSA_get_default_method()
-respectively, and RSA_set_method() and RSA_new_method() were altered to use
-B<ENGINE>s rather than B<RSA_METHOD>s during development of the engine
-version of OpenSSL 0.9.6. For 0.9.7, the handling of defaults in the ENGINE
-API was restructured so that this change was reversed, and behaviour of the
-other functions resembled more closely the previous behaviour. The
-behaviour of defaults in the ENGINE API now transparently overrides the
-behaviour of defaults in the RSA API without requiring changing these
-function prototypes.
-
-=cut
diff --git a/doc/crypto/RSA_sign.pod b/doc/crypto/RSA_sign.pod
deleted file mode 100644
index fc16b1f4f806..000000000000
--- a/doc/crypto/RSA_sign.pod
+++ /dev/null
@@ -1,66 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_sign, RSA_verify - RSA signatures
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-
- int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-
-=head1 DESCRIPTION
-
-RSA_sign() signs the message digest B<m> of size B<m_len> using the
-private key B<rsa> as specified in PKCS #1 v2.0. It stores the
-signature in B<sigret> and the signature size in B<siglen>. B<sigret>
-must point to RSA_size(B<rsa>) bytes of memory.
-Note that PKCS #1 adds meta-data, placing limits on the size of the
-key that can be used.
-See L<RSA_private_encrypt(3)|RSA_private_encrypt(3)> for lower-level
-operations.
-
-B<type> denotes the message digest algorithm that was used to generate
-B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
-see L<objects(3)|objects(3)> for details. If B<type> is B<NID_md5_sha1>,
-an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding
-and no algorithm identifier) is created.
-
-RSA_verify() verifies that the signature B<sigbuf> of size B<siglen>
-matches a given message digest B<m> of size B<m_len>. B<type> denotes
-the message digest algorithm that was used to generate the signature.
-B<rsa> is the signer's public key.
-
-=head1 RETURN VALUES
-
-RSA_sign() returns 1 on success, 0 otherwise. RSA_verify() returns 1
-on successful verification, 0 otherwise.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 BUGS
-
-Certain signatures with an improper algorithm identifier are accepted
-for compatibility with SSLeay 0.4.5 :-)
-
-=head1 CONFORMING TO
-
-SSL, PKCS #1 v2.0
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
-L<rsa(3)|rsa(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
-L<RSA_public_decrypt(3)|RSA_public_decrypt(3)>
-
-=head1 HISTORY
-
-RSA_sign() and RSA_verify() are available in all versions of SSLeay
-and OpenSSL.
-
-=cut
diff --git a/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
deleted file mode 100644
index e70380bbfc96..000000000000
--- a/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
+++ /dev/null
@@ -1,59 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING - RSA signatures
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
- unsigned int m_len, unsigned char *sigret, unsigned int *siglen,
- RSA *rsa);
-
- int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
- unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
- RSA *rsa);
-
-=head1 DESCRIPTION
-
-RSA_sign_ASN1_OCTET_STRING() signs the octet string B<m> of size
-B<m_len> using the private key B<rsa> represented in DER using PKCS #1
-padding. It stores the signature in B<sigret> and the signature size
-in B<siglen>. B<sigret> must point to B<RSA_size(rsa)> bytes of
-memory.
-
-B<dummy> is ignored.
-
-The random number generator must be seeded prior to calling RSA_sign_ASN1_OCTET_STRING().
-
-RSA_verify_ASN1_OCTET_STRING() verifies that the signature B<sigbuf>
-of size B<siglen> is the DER representation of a given octet string
-B<m> of size B<m_len>. B<dummy> is ignored. B<rsa> is the signer's
-public key.
-
-=head1 RETURN VALUES
-
-RSA_sign_ASN1_OCTET_STRING() returns 1 on success, 0 otherwise.
-RSA_verify_ASN1_OCTET_STRING() returns 1 on successful verification, 0
-otherwise.
-
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
-
-=head1 BUGS
-
-These functions serve no recognizable purpose.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
-L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
-L<RSA_verify(3)|RSA_verify(3)>
-
-=head1 HISTORY
-
-RSA_sign_ASN1_OCTET_STRING() and RSA_verify_ASN1_OCTET_STRING() were
-added in SSLeay 0.8.
-
-=cut
diff --git a/doc/crypto/RSA_size.pod b/doc/crypto/RSA_size.pod
deleted file mode 100644
index 5b7f835f95d6..000000000000
--- a/doc/crypto/RSA_size.pod
+++ /dev/null
@@ -1,33 +0,0 @@
-=pod
-
-=head1 NAME
-
-RSA_size - get RSA modulus size
-
-=head1 SYNOPSIS
-
- #include <openssl/rsa.h>
-
- int RSA_size(const RSA *rsa);
-
-=head1 DESCRIPTION
-
-This function returns the RSA modulus size in bytes. It can be used to
-determine how much memory must be allocated for an RSA encrypted
-value.
-
-B<rsa-E<gt>n> must not be B<NULL>.
-
-=head1 RETURN VALUE
-
-The size in bytes.
-
-=head1 SEE ALSO
-
-L<rsa(3)|rsa(3)>
-
-=head1 HISTORY
-
-RSA_size() is available in all versions of SSLeay and OpenSSL.
-
-=cut
diff --git a/doc/crypto/SMIME_read_CMS.pod b/doc/crypto/SMIME_read_CMS.pod
deleted file mode 100644
index acc5524c1400..000000000000
--- a/doc/crypto/SMIME_read_CMS.pod
+++ /dev/null
@@ -1,70 +0,0 @@
-=pod
-
-=head1 NAME
-
- SMIME_read_CMS - parse S/MIME message.
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- CMS_ContentInfo *SMIME_read_CMS(BIO *in, BIO **bcont);
-
-=head1 DESCRIPTION
-
-SMIME_read_CMS() parses a message in S/MIME format.
-
-B<in> is a BIO to read the message from.
-
-If cleartext signing is used then the content is saved in a memory bio which is
-written to B<*bcont>, otherwise B<*bcont> is set to NULL.
-
-The parsed CMS_ContentInfo structure is returned or NULL if an
-error occurred.
-
-=head1 NOTES
-
-If B<*bcont> is not NULL then the message is clear text signed. B<*bcont> can
-then be passed to CMS_verify() with the B<CMS_DETACHED> flag set.
-
-Otherwise the type of the returned structure can be determined
-using CMS_get0_type().
-
-To support future functionality if B<bcont> is not NULL B<*bcont> should be
-initialized to NULL. For example:
-
- BIO *cont = NULL;
- CMS_ContentInfo *cms;
-
- cms = SMIME_read_CMS(in, &cont);
-
-=head1 BUGS
-
-The MIME parser used by SMIME_read_CMS() is somewhat primitive. While it will
-handle most S/MIME messages more complex compound formats may not work.
-
-The parser assumes that the CMS_ContentInfo structure is always base64 encoded
-and will not handle the case where it is in binary format or uses quoted
-printable format.
-
-The use of a memory BIO to hold the signed content limits the size of message
-which can be processed due to memory restraints: a streaming single pass option
-should be available.
-
-=head1 RETURN VALUES
-
-SMIME_read_CMS() returns a valid B<CMS_ContentInfo> structure or B<NULL>
-if an error occurred. The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_type(3)|CMS_type(3)>
-L<SMIME_read_CMS(3)|SMIME_read_CMS(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>
-
-=head1 HISTORY
-
-SMIME_read_CMS() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/SMIME_read_PKCS7.pod b/doc/crypto/SMIME_read_PKCS7.pod
deleted file mode 100644
index 9d4671594180..000000000000
--- a/doc/crypto/SMIME_read_PKCS7.pod
+++ /dev/null
@@ -1,73 +0,0 @@
-=pod
-
-=head1 NAME
-
-SMIME_read_PKCS7 - parse S/MIME message.
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs7.h>
-
- PKCS7 *SMIME_read_PKCS7(BIO *in, BIO **bcont);
-
-=head1 DESCRIPTION
-
-SMIME_read_PKCS7() parses a message in S/MIME format.
-
-B<in> is a BIO to read the message from.
-
-If cleartext signing is used then the content is saved in
-a memory bio which is written to B<*bcont>, otherwise
-B<*bcont> is set to B<NULL>.
-
-The parsed PKCS#7 structure is returned or B<NULL> if an
-error occurred.
-
-=head1 NOTES
-
-If B<*bcont> is not B<NULL> then the message is clear text
-signed. B<*bcont> can then be passed to PKCS7_verify() with
-the B<PKCS7_DETACHED> flag set.
-
-Otherwise the type of the returned structure can be determined
-using PKCS7_type().
-
-To support future functionality if B<bcont> is not B<NULL>
-B<*bcont> should be initialized to B<NULL>. For example:
-
- BIO *cont = NULL;
- PKCS7 *p7;
-
- p7 = SMIME_read_PKCS7(in, &cont);
-
-=head1 BUGS
-
-The MIME parser used by SMIME_read_PKCS7() is somewhat primitive.
-While it will handle most S/MIME messages more complex compound
-formats may not work.
-
-The parser assumes that the PKCS7 structure is always base64
-encoded and will not handle the case where it is in binary format
-or uses quoted printable format.
-
-The use of a memory BIO to hold the signed content limits the size
-of message which can be processed due to memory restraints: a
-streaming single pass option should be available.
-
-=head1 RETURN VALUES
-
-SMIME_read_PKCS7() returns a valid B<PKCS7> structure or B<NULL>
-is an error occurred. The error can be obtained from ERR_get_error(3).
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_type(3)|PKCS7_type(3)>
-L<SMIME_read_PKCS7(3)|SMIME_read_PKCS7(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
-
-=head1 HISTORY
-
-SMIME_read_PKCS7() was added to OpenSSL 0.9.5
-
-=cut
diff --git a/doc/crypto/SMIME_write_CMS.pod b/doc/crypto/SMIME_write_CMS.pod
deleted file mode 100644
index 04bedfb42977..000000000000
--- a/doc/crypto/SMIME_write_CMS.pod
+++ /dev/null
@@ -1,64 +0,0 @@
-=pod
-
-=head1 NAME
-
- SMIME_write_CMS - convert CMS structure to S/MIME format.
-
-=head1 SYNOPSIS
-
- #include <openssl/cms.h>
-
- int SMIME_write_CMS(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
-
-=head1 DESCRIPTION
-
-SMIME_write_CMS() adds the appropriate MIME headers to a CMS
-structure to produce an S/MIME message.
-
-B<out> is the BIO to write the data to. B<cms> is the appropriate
-B<CMS_ContentInfo> structure. If streaming is enabled then the content must be
-supplied in the B<data> argument. B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-The following flags can be passed in the B<flags> parameter.
-
-If B<CMS_DETACHED> is set then cleartext signing will be used, this option only
-makes sense for SignedData where B<CMS_DETACHED> is also set when CMS_sign() is
-called.
-
-If the B<CMS_TEXT> flag is set MIME headers for type B<text/plain> are added to
-the content, this only makes sense if B<CMS_DETACHED> is also set.
-
-If the B<CMS_STREAM> flag is set streaming is performed. This flag should only
-be set if B<CMS_STREAM> was also set in the previous call to a CMS_ContentInfo
-creation function.
-
-If cleartext signing is being used and B<CMS_STREAM> not set then the data must
-be read twice: once to compute the signature in CMS_sign() and once to output
-the S/MIME message.
-
-If streaming is performed the content is output in BER format using indefinite
-length constructed encoding except in the case of signed data with detached
-content where the content is absent and DER format is used.
-
-=head1 BUGS
-
-SMIME_write_CMS() always base64 encodes CMS structures, there should be an
-option to disable this.
-
-=head1 RETURN VALUES
-
-SMIME_write_CMS() returns 1 for success or 0 for failure.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>
-
-=head1 HISTORY
-
-SMIME_write_CMS() was added to OpenSSL 0.9.8
-
-=cut
diff --git a/doc/crypto/SMIME_write_PKCS7.pod b/doc/crypto/SMIME_write_PKCS7.pod
deleted file mode 100644
index ca6bd027635f..000000000000
--- a/doc/crypto/SMIME_write_PKCS7.pod
+++ /dev/null
@@ -1,65 +0,0 @@
-=pod
-
-=head1 NAME
-
-SMIME_write_PKCS7 - convert PKCS#7 structure to S/MIME format.
-
-=head1 SYNOPSIS
-
- #include <openssl/pkcs7.h>
-
- int SMIME_write_PKCS7(BIO *out, PKCS7 *p7, BIO *data, int flags);
-
-=head1 DESCRIPTION
-
-SMIME_write_PKCS7() adds the appropriate MIME headers to a PKCS#7
-structure to produce an S/MIME message.
-
-B<out> is the BIO to write the data to. B<p7> is the appropriate B<PKCS7>
-structure. If streaming is enabled then the content must be supplied in the
-B<data> argument. B<flags> is an optional set of flags.
-
-=head1 NOTES
-
-The following flags can be passed in the B<flags> parameter.
-
-If B<PKCS7_DETACHED> is set then cleartext signing will be used,
-this option only makes sense for signedData where B<PKCS7_DETACHED>
-is also set when PKCS7_sign() is also called.
-
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain>
-are added to the content, this only makes sense if B<PKCS7_DETACHED>
-is also set.
-
-If the B<PKCS7_STREAM> flag is set streaming is performed. This flag should
-only be set if B<PKCS7_STREAM> was also set in the previous call to
-PKCS7_sign() or B<PKCS7_encrypt()>.
-
-If cleartext signing is being used and B<PKCS7_STREAM> not set then
-the data must be read twice: once to compute the signature in PKCS7_sign()
-and once to output the S/MIME message.
-
-If streaming is performed the content is output in BER format using indefinite
-length constructuted encoding except in the case of signed data with detached
-content where the content is absent and DER format is used.
-
-=head1 BUGS
-
-SMIME_write_PKCS7() always base64 encodes PKCS#7 structures, there
-should be an option to disable this.
-
-=head1 RETURN VALUES
-
-SMIME_write_PKCS7() returns 1 for success or 0 for failure.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
-
-=head1 HISTORY
-
-SMIME_write_PKCS7() was added to OpenSSL 0.9.5
-
-=cut
diff --git a/doc/crypto/SSLeay_version.pod b/doc/crypto/SSLeay_version.pod
deleted file mode 100644
index 1500c2af9126..000000000000
--- a/doc/crypto/SSLeay_version.pod
+++ /dev/null
@@ -1,74 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSLeay_version - retrieve version/build information about OpenSSL library
-
-=head1 SYNOPSIS
-
- #include <openssl/crypto.h>
-
- const char *SSLeay_version(int type);
-
-=head1 DESCRIPTION
-
-SSLeay_version() returns a pointer to a constant string describing the
-version of the OpenSSL library or giving information about the library
-build.
-
-The following B<type> values are supported:
-
-=over 4
-
-=item SSLEAY_VERSION
-
-The version of the OpenSSL library including the release date.
-
-=item SSLEAY_CFLAGS
-
-The compiler flags set for the compilation process in the form
-"compiler: ..." if available or "compiler: information not available"
-otherwise.
-
-=item SSLEAY_BUILT_ON
-
-The date of the build process in the form "built on: ..." if available
-or "built on: date not available" otherwise.
-
-=item SSLEAY_PLATFORM
-
-The "Configure" target of the library build in the form "platform: ..."
-if available or "platform: information not available" otherwise.
-
-=item SSLEAY_DIR
-
-The "OPENSSLDIR" setting of the library build in the form "OPENSSLDIR: "...""
-if available or "OPENSSLDIR: N/A" otherwise.
-
-=back
-
-=head1 RETURN VALUES
-
-The following return values can occur:
-
-=over 4
-
-=item "not available"
-
-An invalid value for B<type> was given.
-
-=item Pointer to constant string
-
-Textual description.
-
-=back
-
-=head1 SEE ALSO
-
-L<crypto(3)|crypto(3)>
-
-=head1 HISTORY
-
-B<SSLEAY_DIR> was added in OpenSSL 0.9.7.
-
-=cut
diff --git a/doc/crypto/X509_NAME_ENTRY_get_object.pod b/doc/crypto/X509_NAME_ENTRY_get_object.pod
deleted file mode 100644
index 4716e7ee7542..000000000000
--- a/doc/crypto/X509_NAME_ENTRY_get_object.pod
+++ /dev/null
@@ -1,74 +0,0 @@
-=pod
-
-=head1 NAME
-
-X509_NAME_ENTRY_get_object, X509_NAME_ENTRY_get_data,
-X509_NAME_ENTRY_set_object, X509_NAME_ENTRY_set_data,
-X509_NAME_ENTRY_create_by_txt, X509_NAME_ENTRY_create_by_NID,
-X509_NAME_ENTRY_create_by_OBJ - X509_NAME_ENTRY utility functions
-
-=head1 SYNOPSIS
-
- #include <openssl/x509.h>
-
- ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
- ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
-
- int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj);
- int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len);
-
- X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len);
- X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len);
- X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len);
-
-=head1 DESCRIPTION
-
-X509_NAME_ENTRY_get_object() retrieves the field name of B<ne> in
-and B<ASN1_OBJECT> structure.
-
-X509_NAME_ENTRY_get_data() retrieves the field value of B<ne> in
-and B<ASN1_STRING> structure.
-
-X509_NAME_ENTRY_set_object() sets the field name of B<ne> to B<obj>.
-
-X509_NAME_ENTRY_set_data() sets the field value of B<ne> to string type
-B<type> and value determined by B<bytes> and B<len>.
-
-X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID()
-and X509_NAME_ENTRY_create_by_OBJ() create and return an
-B<X509_NAME_ENTRY> structure.
-
-=head1 NOTES
-
-X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be
-used to examine an B<X509_NAME_ENTRY> function as returned by
-X509_NAME_get_entry() for example.
-
-X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(),
-and X509_NAME_ENTRY_create_by_OBJ() create and return an
-
-X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(),
-X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data()
-are seldom used in practice because B<X509_NAME_ENTRY> structures
-are almost always part of B<X509_NAME> structures and the
-corresponding B<X509_NAME> functions are typically used to
-create and add new entries in a single operation.
-
-The arguments of these functions support similar options to the similarly
-named ones of the corresponding B<X509_NAME> functions such as
-X509_NAME_add_entry_by_txt(). So for example B<type> can be set to
-B<MBSTRING_ASC> but in the case of X509_set_data() the field name must be
-set first so the relevant field information can be looked up internally.
-
-=head1 RETURN VALUES
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
-L<OBJ_nid2obj(3)|OBJ_nid2obj(3)>
-
-=head1 HISTORY
-
-TBA
-
-=cut
diff --git a/doc/crypto/X509_NAME_add_entry_by_txt.pod b/doc/crypto/X509_NAME_add_entry_by_txt.pod
deleted file mode 100644
index 3bdc07fcfbea..000000000000
--- a/doc/crypto/X509_NAME_add_entry_by_txt.pod
+++ /dev/null
@@ -1,116 +0,0 @@
-=pod
-
-=head1 NAME
-
-X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID,
-X509_NAME_add_entry, X509_NAME_delete_entry - X509_NAME modification functions
-
-=head1 SYNOPSIS
-
- #include <openssl/x509.h>
-
- int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set);
-
- int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set);
-
- int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set);
-
- int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set);
-
- X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
-
-=head1 DESCRIPTION
-
-X509_NAME_add_entry_by_txt(), X509_NAME_add_entry_by_OBJ() and
-X509_NAME_add_entry_by_NID() add a field whose name is defined
-by a string B<field>, an object B<obj> or a NID B<nid> respectively.
-The field value to be added is in B<bytes> of length B<len>. If
-B<len> is -1 then the field length is calculated internally using
-strlen(bytes).
-
-The type of field is determined by B<type> which can either be a
-definition of the type of B<bytes> (such as B<MBSTRING_ASC>) or a
-standard ASN1 type (such as B<V_ASN1_IA5STRING>). The new entry is
-added to a position determined by B<loc> and B<set>.
-
-X509_NAME_add_entry() adds a copy of B<X509_NAME_ENTRY> structure B<ne>
-to B<name>. The new entry is added to a position determined by B<loc>
-and B<set>. Since a copy of B<ne> is added B<ne> must be freed up after
-the call.
-
-X509_NAME_delete_entry() deletes an entry from B<name> at position
-B<loc>. The deleted entry is returned and must be freed up.
-
-=head1 NOTES
-
-The use of string types such as B<MBSTRING_ASC> or B<MBSTRING_UTF8>
-is strongly recommended for the B<type> parameter. This allows the
-internal code to correctly determine the type of the field and to
-apply length checks according to the relevant standards. This is
-done using ASN1_STRING_set_by_NID().
-
-If instead an ASN1 type is used no checks are performed and the
-supplied data in B<bytes> is used directly.
-
-In X509_NAME_add_entry_by_txt() the B<field> string represents
-the field name using OBJ_txt2obj(field, 0).
-
-The B<loc> and B<set> parameters determine where a new entry should
-be added. For almost all applications B<loc> can be set to -1 and B<set>
-to 0. This adds a new entry to the end of B<name> as a single valued
-RelativeDistinguishedName (RDN).
-
-B<loc> actually determines the index where the new entry is inserted:
-if it is -1 it is appended.
-
-B<set> determines how the new type is added. If it is zero a
-new RDN is created.
-
-If B<set> is -1 or 1 it is added to the previous or next RDN
-structure respectively. This will then be a multivalued RDN:
-since multivalues RDNs are very seldom used B<set> is almost
-always set to zero.
-
-=head1 EXAMPLES
-
-Create an B<X509_NAME> structure:
-
-"C=UK, O=Disorganized Organization, CN=Joe Bloggs"
-
- X509_NAME *nm;
- nm = X509_NAME_new();
- if (nm == NULL)
- /* Some error */
- if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC,
- "UK", -1, -1, 0))
- /* Error */
- if (!X509_NAME_add_entry_by_txt(nm, "O", MBSTRING_ASC,
- "Disorganized Organization", -1, -1, 0))
- /* Error */
- if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC,
- "Joe Bloggs", -1, -1, 0))
- /* Error */
-
-=head1 RETURN VALUES
-
-X509_NAME_add_entry_by_txt(), X509_NAME_add_entry_by_OBJ(),
-X509_NAME_add_entry_by_NID() and X509_NAME_add_entry() return 1 for
-success of 0 if an error occurred.
-
-X509_NAME_delete_entry() returns either the deleted B<X509_NAME_ENTRY>
-structure of B<NULL> if an error occurred.
-
-=head1 BUGS
-
-B<type> can still be set to B<V_ASN1_APP_CHOOSE> to use a
-different algorithm to determine field types. Since this form does
-not understand multicharacter types, performs no length checks and
-can result in invalid field types its use is strongly discouraged.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>
-
-=head1 HISTORY
-
-=cut
diff --git a/doc/crypto/X509_NAME_get_index_by_NID.pod b/doc/crypto/X509_NAME_get_index_by_NID.pod
deleted file mode 100644
index cdec4b1d6db4..000000000000
--- a/doc/crypto/X509_NAME_get_index_by_NID.pod
+++ /dev/null
@@ -1,118 +0,0 @@
-=pod
-
-=head1 NAME
-
-X509_NAME_get_index_by_NID, X509_NAME_get_index_by_OBJ, X509_NAME_get_entry,
-X509_NAME_entry_count, X509_NAME_get_text_by_NID, X509_NAME_get_text_by_OBJ -
-X509_NAME lookup and enumeration functions
-
-=head1 SYNOPSIS
-
- #include <openssl/x509.h>
-
- int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos);
- int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj, int lastpos);
-
- int X509_NAME_entry_count(X509_NAME *name);
- X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc);
-
- int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf,int len);
- int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,int len);
-
-=head1 DESCRIPTION
-
-These functions allow an B<X509_NAME> structure to be examined. The
-B<X509_NAME> structure is the same as the B<Name> type defined in
-RFC2459 (and elsewhere) and used for example in certificate subject
-and issuer names.
-
-X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() retrieve
-the next index matching B<nid> or B<obj> after B<lastpos>. B<lastpos>
-should initially be set to -1. If there are no more entries -1 is returned.
-If B<nid> is invalid (doesn't correspond to a valid OID) then -2 is returned.
-
-X509_NAME_entry_count() returns the total number of entries in B<name>.
-
-X509_NAME_get_entry() retrieves the B<X509_NAME_ENTRY> from B<name>
-corresponding to index B<loc>. Acceptable values for B<loc> run from
-0 to (X509_NAME_entry_count(name) - 1). The value returned is an
-internal pointer which must not be freed.
-
-X509_NAME_get_text_by_NID(), X509_NAME_get_text_by_OBJ() retrieve
-the "text" from the first entry in B<name> which matches B<nid> or
-B<obj>, if no such entry exists -1 is returned. At most B<len> bytes
-will be written and the text written to B<buf> will be null
-terminated. The length of the output string written is returned
-excluding the terminating null. If B<buf> is <NULL> then the amount
-of space needed in B<buf> (excluding the final null) is returned.
-
-=head1 NOTES
-
-X509_NAME_get_text_by_NID() and X509_NAME_get_text_by_OBJ() are
-legacy functions which have various limitations which make them
-of minimal use in practice. They can only find the first matching
-entry and will copy the contents of the field verbatim: this can
-be highly confusing if the target is a muticharacter string type
-like a BMPString or a UTF8String.
-
-For a more general solution X509_NAME_get_index_by_NID() or
-X509_NAME_get_index_by_OBJ() should be used followed by
-X509_NAME_get_entry() on any matching indices and then the
-various B<X509_NAME_ENTRY> utility functions on the result.
-
-The list of all relevant B<NID_*> and B<OBJ_* codes> can be found in
-the source code header files E<lt>openssl/obj_mac.hE<gt> and/or
-E<lt>openssl/objects.hE<gt>.
-
-Applications which could pass invalid NIDs to X509_NAME_get_index_by_NID()
-should check for the return value of -2. Alternatively the NID validity
-can be determined first by checking OBJ_nid2obj(nid) is not NULL.
-
-=head1 EXAMPLES
-
-Process all entries:
-
- int i;
- X509_NAME_ENTRY *e;
-
- for (i = 0; i < X509_NAME_entry_count(nm); i++)
- {
- e = X509_NAME_get_entry(nm, i);
- /* Do something with e */
- }
-
-Process all commonName entries:
-
- int lastpos = -1;
- X509_NAME_ENTRY *e;
-
- for (;;)
- {
- lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
- if (lastpos == -1)
- break;
- e = X509_NAME_get_entry(nm, lastpos);
- /* Do something with e */
- }
-
-=head1 RETURN VALUES
-
-X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ()
-return the index of the next matching entry or -1 if not found.
-X509_NAME_get_index_by_NID() can also return -2 if the supplied
-NID is invalid.
-
-X509_NAME_entry_count() returns the total number of entries.
-
-X509_NAME_get_entry() returns an B<X509_NAME> pointer to the
-requested entry or B<NULL> if the index is invalid.
-
-=head1 SEE ALSO
-
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>
-
-=head1 HISTORY
-
-TBA
-
-=cut
diff --git a/doc/crypto/X509_NAME_print_ex.pod b/doc/crypto/X509_NAME_print_ex.pod
deleted file mode 100644
index d73520f35e89..000000000000
--- a/doc/crypto/X509_NAME_print_ex.pod
+++ /dev/null
@@ -1,107 +0,0 @@
-=pod
-
-=head1 NAME
-
-X509_NAME_print_ex, X509_NAME_print_ex_fp, X509_NAME_print,
-X509_NAME_oneline - X509_NAME printing routines.
-
-=head1 SYNOPSIS
-
- #include <openssl/x509.h>
-
- int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
- int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
- char * X509_NAME_oneline(X509_NAME *a,char *buf,int size);
- int X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
-
-=head1 DESCRIPTION
-
-X509_NAME_print_ex() prints a human readable version of B<nm> to BIO B<out>. Each
-line (for multiline formats) is indented by B<indent> spaces. The output format
-can be extensively customised by use of the B<flags> parameter.
-
-X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output is
-written to FILE pointer B<fp>.
-
-X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>.
-If B<buf> is B<NULL> then a buffer is dynamically allocated and returned, and
-B<size> is ignored.
-Otherwise, at most B<size> bytes will be written, including the ending '\0',
-and B<buf> is returned.
-
-X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase>
-characters. Multiple lines are used if the output (including indent) exceeds
-80 characters.
-
-=head1 NOTES
-
-The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which
-produce a non standard output form, they don't handle multi character fields and
-have various quirks and inconsistencies. Their use is strongly discouraged in new
-applications.
-
-Although there are a large number of possible flags for most purposes
-B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice.
-As noted on the L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)> manual page
-for UTF8 terminals the B<ASN1_STRFLGS_ESC_MSB> should be unset: so for example
-B<XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB> would be used.
-