aboutsummaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2017-11-02 17:35:19 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2017-11-02 17:35:19 +0000
commitb6a9311a3edd056eaacbcbae2fcb723df5d99057 (patch)
tree720225dbdc898757e7df9a925ec85ade660013c1 /doc
parent12df5ad9af4981f5d3c31a9819d31618c0f1af51 (diff)
downloadsrc-b6a9311a3edd056eaacbcbae2fcb723df5d99057.tar.gz
src-b6a9311a3edd056eaacbcbae2fcb723df5d99057.zip
Import OpenSSL 1.0.2m.vendor/openssl/1.0.2m
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=325326 svn path=/vendor-crypto/openssl/1.0.2m/; revision=325327; tag=vendor/openssl/1.0.2m
Diffstat (limited to 'doc')
-rw-r--r--doc/apps/asn1parse.pod1
-rw-r--r--doc/apps/ca.pod1
-rw-r--r--doc/apps/ciphers.pod1
-rw-r--r--doc/apps/cms.pod1
-rw-r--r--doc/apps/crl.pod1
-rw-r--r--doc/apps/crl2pkcs7.pod1
-rw-r--r--doc/apps/dgst.pod1
-rw-r--r--doc/apps/dhparam.pod1
-rw-r--r--doc/apps/dsa.pod1
-rw-r--r--doc/apps/dsaparam.pod1
-rw-r--r--doc/apps/ec.pod1
-rw-r--r--doc/apps/ecparam.pod1
-rw-r--r--doc/apps/enc.pod1
-rw-r--r--doc/apps/errstr.pod1
-rw-r--r--doc/apps/gendsa.pod1
-rw-r--r--doc/apps/genpkey.pod1
-rw-r--r--doc/apps/genrsa.pod1
-rw-r--r--doc/apps/nseq.pod1
-rw-r--r--doc/apps/ocsp.pod1
-rw-r--r--doc/apps/passwd.pod1
-rw-r--r--doc/apps/pkcs12.pod1
-rw-r--r--doc/apps/pkcs7.pod1
-rw-r--r--doc/apps/pkcs8.pod1
-rw-r--r--doc/apps/pkey.pod1
-rw-r--r--doc/apps/pkeyparam.pod1
-rw-r--r--doc/apps/pkeyutl.pod1
-rw-r--r--doc/apps/rand.pod1
-rw-r--r--doc/apps/req.pod1
-rw-r--r--doc/apps/rsa.pod1
-rw-r--r--doc/apps/rsautl.pod3
-rw-r--r--doc/apps/s_client.pod3
-rw-r--r--doc/apps/s_server.pod6
-rw-r--r--doc/apps/s_time.pod1
-rw-r--r--doc/apps/sess_id.pod1
-rw-r--r--doc/apps/smime.pod1
-rw-r--r--doc/apps/speed.pod1
-rw-r--r--doc/apps/spkac.pod1
-rw-r--r--doc/apps/ts.pod1
-rw-r--r--doc/apps/tsget.pod1
-rw-r--r--doc/apps/verify.pod1
-rw-r--r--doc/apps/version.pod1
-rw-r--r--doc/apps/x509.pod1
-rw-r--r--doc/crypto/BN_bn2bin.pod5
-rw-r--r--doc/crypto/BN_new.pod4
-rw-r--r--doc/crypto/EVP_EncryptInit.pod3
-rw-r--r--doc/crypto/EVP_PKEY_meth_new.pod376
-rw-r--r--doc/crypto/RSA_padding_add_PKCS1_type_1.pod7
-rw-r--r--doc/crypto/RSA_public_encrypt.pod7
-rw-r--r--doc/crypto/X509_check_private_key.pod54
-rw-r--r--doc/crypto/hmac.pod3
-rw-r--r--doc/ssl/SSL_CTX_set_tlsext_servername_callback.pod (renamed from doc/man3/SSL_CTX_set_tlsext_servername_callback.pod)0
-rw-r--r--doc/ssl/SSL_export_keying_material.pod61
-rw-r--r--doc/ssl/SSL_set_connect_state.pod2
53 files changed, 561 insertions, 12 deletions
diff --git a/doc/apps/asn1parse.pod b/doc/apps/asn1parse.pod
index 76a765daf95b..a84dbc37dc89 100644
--- a/doc/apps/asn1parse.pod
+++ b/doc/apps/asn1parse.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-asn1parse,
asn1parse - ASN.1 parsing tool
=head1 SYNOPSIS
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index c90e6482e584..cc26bf48a3a7 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-ca,
ca - sample minimal CA application
=head1 SYNOPSIS
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 35d40bbf27ae..fa16124d08b8 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ciphers,
ciphers - SSL cipher display and cipher list tool.
=head1 SYNOPSIS
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index ac69804228cc..4a7783d47a4e 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-cms,
cms - CMS utility
=head1 SYNOPSIS
diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod
index 044a9da91545..cdced1c742c0 100644
--- a/doc/apps/crl.pod
+++ b/doc/apps/crl.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-crl,
crl - CRL utility
=head1 SYNOPSIS
diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod
index 3797bc0df4ef..18654c5afa0e 100644
--- a/doc/apps/crl2pkcs7.pod
+++ b/doc/apps/crl2pkcs7.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-crl2pkcs7,
crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates.
=head1 SYNOPSIS
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index b27bb946b1b2..72d6c87fabca 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-dgst,
dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 - message digests
=head1 SYNOPSIS
diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod
index 1cd4c76663c5..018d9935085a 100644
--- a/doc/apps/dhparam.pod
+++ b/doc/apps/dhparam.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-dhparam,
dhparam - DH parameter manipulation and generation
=head1 SYNOPSIS
diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod
index 8bf6cc9dcad6..77d66089beac 100644
--- a/doc/apps/dsa.pod
+++ b/doc/apps/dsa.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-dsa,
dsa - DSA key processing
=head1 SYNOPSIS
diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod
index ba5ec4d72cdf..446903491357 100644
--- a/doc/apps/dsaparam.pod
+++ b/doc/apps/dsaparam.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-dsaparam,
dsaparam - DSA parameter manipulation and generation
=head1 SYNOPSIS
diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod
index 5c7b45d4e75e..658eac5d509f 100644
--- a/doc/apps/ec.pod
+++ b/doc/apps/ec.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ec,
ec - EC key processing
=head1 SYNOPSIS
diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod
index 88e9d1e83d02..ba2f3b9ae274 100644
--- a/doc/apps/ecparam.pod
+++ b/doc/apps/ecparam.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ecparam,
ecparam - EC parameter manipulation and generation
=head1 SYNOPSIS
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index 41791ad6713c..aceafcd4d557 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-enc,
enc - symmetric cipher routines
=head1 SYNOPSIS
diff --git a/doc/apps/errstr.pod b/doc/apps/errstr.pod
index b3c6ccfc9cbd..0dee51c844ef 100644
--- a/doc/apps/errstr.pod
+++ b/doc/apps/errstr.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-errstr,
errstr - lookup error codes
=head1 SYNOPSIS
diff --git a/doc/apps/gendsa.pod b/doc/apps/gendsa.pod
index d9f56be890f8..2c8e5c86f208 100644
--- a/doc/apps/gendsa.pod
+++ b/doc/apps/gendsa.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-gendsa,
gendsa - generate a DSA private key from a set of parameters
=head1 SYNOPSIS
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod
index 929edcd26ff0..4d09fc0937c5 100644
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-genpkey,
genpkey - generate a private key
=head1 SYNOPSIS
diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index f4ed9593ae26..8be06834f507 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-genrsa,
genrsa - generate an RSA private key
=head1 SYNOPSIS
diff --git a/doc/apps/nseq.pod b/doc/apps/nseq.pod
index 989c3108fb83..de441fa87a4d 100644
--- a/doc/apps/nseq.pod
+++ b/doc/apps/nseq.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-nseq,
nseq - create or examine a netscape certificate sequence
=head1 SYNOPSIS
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 1bb7958d20e5..9e2716f00820 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ocsp,
ocsp - Online Certificate Status Protocol utility
=head1 SYNOPSIS
diff --git a/doc/apps/passwd.pod b/doc/apps/passwd.pod
index f44982549bf1..7f74ce016d92 100644
--- a/doc/apps/passwd.pod
+++ b/doc/apps/passwd.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-passwd,
passwd - compute password hashes
=head1 SYNOPSIS
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index 744984838dc7..debc9ea27a27 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-pkcs12,
pkcs12 - PKCS#12 file utility
=head1 SYNOPSIS
diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod
index acfb8100f078..651e9371c105 100644
--- a/doc/apps/pkcs7.pod
+++ b/doc/apps/pkcs7.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-pkcs7,
pkcs7 - PKCS#7 utility
=head1 SYNOPSIS
diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod
index 6901f1f3f211..f741741e5ad2 100644
--- a/doc/apps/pkcs8.pod
+++ b/doc/apps/pkcs8.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-pkcs8,
pkcs8 - PKCS#8 format private key conversion tool
=head1 SYNOPSIS
diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod
index 4851223f3fcd..6db8a6238393 100644
--- a/doc/apps/pkey.pod
+++ b/doc/apps/pkey.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-pkey,
pkey - public or private key processing tool
=head1 SYNOPSIS
diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod
index 154f6721af4a..27c10a6a745c 100644
--- a/doc/apps/pkeyparam.pod
+++ b/doc/apps/pkeyparam.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-pkeyparam,
pkeyparam - public key algorithm parameter processing tool
=head1 SYNOPSIS
diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod
index 5da347c97d32..78b3b02a7d96 100644
--- a/doc/apps/pkeyutl.pod
+++ b/doc/apps/pkeyutl.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-pkeyutl,
pkeyutl - public key algorithm utility
=head1 SYNOPSIS
diff --git a/doc/apps/rand.pod b/doc/apps/rand.pod
index d1d213ef43cb..94df10d939e0 100644
--- a/doc/apps/rand.pod
+++ b/doc/apps/rand.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-rand,
rand - generate pseudo-random bytes
=head1 SYNOPSIS
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 1682ba5143dd..20b2f39e90f2 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-req,
req - PKCS#10 certificate request and certificate generating utility.
=head1 SYNOPSIS
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod
index 21cbf8ee009b..7e43e0f3d062 100644
--- a/doc/apps/rsa.pod
+++ b/doc/apps/rsa.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-rsa,
rsa - RSA key processing tool
=head1 SYNOPSIS
diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod
index 1a498c2f62e0..e16ce29cf609 100644
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-rsautl,
rsautl - RSA utility
=head1 SYNOPSIS
@@ -105,7 +106,7 @@ Recover the signed data
Examine the raw signed data:
- openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
+ openssl rsautl -verify -in sig -inkey key.pem -raw -hexdump
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index b45acbc5e3e4..d9413a0cf211 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-s_client,
s_client - SSL/TLS client program
=head1 SYNOPSIS
@@ -197,12 +198,14 @@ Can be used to override the implicit B<-ign_eof> after B<-quiet>.
=item B<-psk_identity identity>
Use the PSK identity B<identity> when using a PSK cipher suite.
+The default value is "Client_identity" (without the quotes).
=item B<-psk key>
Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
+This option must be provided in order to use a PSK cipher.
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 1fe93ddfbebb..9916fc3ef6a3 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-s_server,
s_server - SSL/TLS server program
=head1 SYNOPSIS
@@ -219,6 +220,7 @@ Use the PSK identity hint B<hint> when using a PSK cipher suite.
Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
+This option must be provided in order to use a PSK cipher.
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
@@ -403,10 +405,6 @@ a web browser the command:
can be used for example.
-Most web browsers (in particular Netscape and MSIE) only support RSA cipher
-suites, so they cannot connect to servers which don't use a certificate
-carrying an RSA key or a version of OpenSSL with RSA disabled.
-
Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some SSL clients interpret this to
mean any CA is acceptable. This is useful for debugging purposes.
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index 9082d876feeb..1fa02800a419 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-s_time,
s_time - SSL/TLS performance timing program
=head1 SYNOPSIS
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod
index 9988d2cd3d5d..0771baef1173 100644
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-sess_id,
sess_id - SSL/TLS session handling utility
=head1 SYNOPSIS
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 04a83ca8e427..fbf60da27faf 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-smime,
smime - S/MIME utility
=head1 SYNOPSIS
diff --git a/doc/apps/speed.pod b/doc/apps/speed.pod
index 1cd1998d1675..2bfe91e371cb 100644
--- a/doc/apps/speed.pod
+++ b/doc/apps/speed.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-speed,
speed - test library performance
=head1 SYNOPSIS
diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod
index 97fb80e4016b..b8a5477a063e 100644
--- a/doc/apps/spkac.pod
+++ b/doc/apps/spkac.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-spkac,
spkac - SPKAC printing and generating utility
=head1 SYNOPSIS
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index d6aa47d3144d..5da019b2eb2f 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-ts,
ts - Time Stamping Authority tool (client/server)
=head1 SYNOPSIS
diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod
index 56db985c4bb1..4856c850d8e1 100644
--- a/doc/apps/tsget.pod
+++ b/doc/apps/tsget.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-tsget,
tsget - Time Stamping HTTP/HTTPS client
=head1 SYNOPSIS
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index b3767325ae07..321d5ac7e126 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-verify,
verify - Utility to verify certificates.
=head1 SYNOPSIS
diff --git a/doc/apps/version.pod b/doc/apps/version.pod
index 58f543bc3e64..675b0f84d6a7 100644
--- a/doc/apps/version.pod
+++ b/doc/apps/version.pod
@@ -2,6 +2,7 @@
=head1 NAME
+openssl-version,
version - print OpenSSL version information
=head1 SYNOPSIS
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 1479a7495716..d50625862ac3 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -3,6 +3,7 @@
=head1 NAME
+openssl-x509,
x509 - Certificate display and signing utility
=head1 SYNOPSIS
diff --git a/doc/crypto/BN_bn2bin.pod b/doc/crypto/BN_bn2bin.pod
index 3bed47f8f1d5..f6bb484f902f 100644
--- a/doc/crypto/BN_bn2bin.pod
+++ b/doc/crypto/BN_bn2bin.pod
@@ -70,8 +70,9 @@ BN_bn2bin() returns the length of the big-endian number placed at B<to>.
BN_bin2bn() returns the B<BIGNUM>, NULL on error.
BN_bn2hex() and BN_bn2dec() return a null-terminated string, or NULL
-on error. BN_hex2bn() and BN_dec2bn() return the number's length in
-hexadecimal or decimal digits, and 0 on error.
+on error. BN_hex2bn() and BN_dec2bn() return the number of characters
+used in parsing, or 0 on error, in which
+case no new B<BIGNUM> will be created.
BN_print_fp() and BN_print() return 1 on success, 0 on write errors.
diff --git a/doc/crypto/BN_new.pod b/doc/crypto/BN_new.pod
index ab7a105e3ad7..d446603191af 100644
--- a/doc/crypto/BN_new.pod
+++ b/doc/crypto/BN_new.pod
@@ -30,10 +30,12 @@ to the value 0.
BN_free() frees the components of the B<BIGNUM>, and if it was created
by BN_new(), also the structure itself. BN_clear_free() additionally
overwrites the data before the memory is returned to the system.
+If B<a> is NULL, nothing is done.
=head1 RETURN VALUES
-BN_new() returns a pointer to the B<BIGNUM>. If the allocation fails,
+BN_new() returns a pointer to the B<BIGNUM> initialised to the value 0.
+If the allocation fails,
it returns B<NULL> and sets an error code that can be obtained
by L<ERR_get_error(3)|ERR_get_error(3)>.
diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod
index 0c0a30c1ffa0..dc9a2d76c5f6 100644
--- a/doc/crypto/EVP_EncryptInit.pod
+++ b/doc/crypto/EVP_EncryptInit.pod
@@ -395,8 +395,7 @@ processed (e.g. after an EVP_EncryptFinal() call).
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, taglen, tag);
Sets the expected tag to B<taglen> bytes from B<tag>. This call is only legal
-when decrypting data and must be made B<before> any data is processed (e.g.
-before any EVP_DecryptUpdate() call).
+when decrypting data.
=head1 CCM Mode
diff --git a/doc/crypto/EVP_PKEY_meth_new.pod b/doc/crypto/EVP_PKEY_meth_new.pod
new file mode 100644
index 000000000000..041492a8f0fb
--- /dev/null
+++ b/doc/crypto/EVP_PKEY_meth_new.pod
@@ -0,0 +1,376 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_meth_new, EVP_PKEY_meth_free, EVP_PKEY_meth_copy, EVP_PKEY_meth_find,
+EVP_PKEY_meth_add0, EVP_PKEY_METHOD,
+EVP_PKEY_meth_set_init, EVP_PKEY_meth_set_copy, EVP_PKEY_meth_set_cleanup,
+EVP_PKEY_meth_set_paramgen, EVP_PKEY_meth_set_keygen, EVP_PKEY_meth_set_sign,
+EVP_PKEY_meth_set_verify, EVP_PKEY_meth_set_verify_recover, EVP_PKEY_meth_set_signctx,
+EVP_PKEY_meth_set_verifyctx, EVP_PKEY_meth_set_encrypt, EVP_PKEY_meth_set_decrypt,
+EVP_PKEY_meth_set_derive, EVP_PKEY_meth_set_ctrl,
+EVP_PKEY_meth_get_init, EVP_PKEY_meth_get_copy, EVP_PKEY_meth_get_cleanup,
+EVP_PKEY_meth_get_paramgen, EVP_PKEY_meth_get_keygen, EVP_PKEY_meth_get_sign,
+EVP_PKEY_meth_get_verify, EVP_PKEY_meth_get_verify_recover, EVP_PKEY_meth_get_signctx,
+EVP_PKEY_meth_get_verifyctx, EVP_PKEY_meth_get_encrypt, EVP_PKEY_meth_get_decrypt,
+EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl
+- manipulating EVP_PKEY_METHOD structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
+
+ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
+ void EVP_PKEY_meth_free(EVP_PKEY_METHOD *pmeth);
+ void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src);
+ const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
+ int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth);
+
+ void EVP_PKEY_meth_set_init(EVP_PKEY_METHOD *pmeth,
+ int (*init) (EVP_PKEY_CTX *ctx));
+ void EVP_PKEY_meth_set_copy(EVP_PKEY_METHOD *pmeth,
+ int (*copy) (EVP_PKEY_CTX *dst,
+ EVP_PKEY_CTX *src));
+ void EVP_PKEY_meth_set_cleanup(EVP_PKEY_METHOD *pmeth,
+ void (*cleanup) (EVP_PKEY_CTX *ctx));
+ void EVP_PKEY_meth_set_paramgen(EVP_PKEY_METHOD *pmeth,
+ int (*paramgen_init) (EVP_PKEY_CTX *ctx),
+ int (*paramgen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+ void EVP_PKEY_meth_set_keygen(EVP_PKEY_METHOD *pmeth,
+ int (*keygen_init) (EVP_PKEY_CTX *ctx),
+ int (*keygen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+ void EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *pmeth,
+ int (*sign_init) (EVP_PKEY_CTX *ctx),
+ int (*sign) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_set_verify(EVP_PKEY_METHOD *pmeth,
+ int (*verify_init) (EVP_PKEY_CTX *ctx),
+ int (*verify) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ size_t siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_set_verify_recover(EVP_PKEY_METHOD *pmeth,
+ int (*verify_recover_init) (EVP_PKEY_CTX
+ *ctx),
+ int (*verify_recover) (EVP_PKEY_CTX
+ *ctx,
+ unsigned char
+ *sig,
+ size_t *siglen,
+ const unsigned
+ char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_set_signctx(EVP_PKEY_METHOD *pmeth,
+ int (*signctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (*signctx) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig,
+ size_t *siglen,
+ EVP_MD_CTX *mctx));
+ void EVP_PKEY_meth_set_verifyctx(EVP_PKEY_METHOD *pmeth,
+ int (*verifyctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (*verifyctx) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ int siglen,
+ EVP_MD_CTX *mctx));
+ void EVP_PKEY_meth_set_encrypt(EVP_PKEY_METHOD *pmeth,
+ int (*encrypt_init) (EVP_PKEY_CTX *ctx),
+ int (*encryptfn) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+ void EVP_PKEY_meth_set_decrypt(EVP_PKEY_METHOD *pmeth,
+ int (*decrypt_init) (EVP_PKEY_CTX *ctx),
+ int (*decrypt) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+ void EVP_PKEY_meth_set_derive(EVP_PKEY_METHOD *pmeth,
+ int (*derive_init) (EVP_PKEY_CTX *ctx),
+ int (*derive) (EVP_PKEY_CTX *ctx,
+ unsigned char *key,
+ size_t *keylen));
+ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
+ int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
+ void *p2),
+ int (*ctrl_str) (EVP_PKEY_CTX *ctx,
+ const char *type,
+ const char *value));
+
+ void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth,
+ int (**pinit) (EVP_PKEY_CTX *ctx));
+ void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth,
+ int (**pcopy) (EVP_PKEY_CTX *dst,
+ EVP_PKEY_CTX *src));
+ void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth,
+ void (**pcleanup) (EVP_PKEY_CTX *ctx));
+ void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth,
+ int (**pparamgen_init) (EVP_PKEY_CTX *ctx),
+ int (**pparamgen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+ void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth,
+ int (**pkeygen_init) (EVP_PKEY_CTX *ctx),
+ int (**pkeygen) (EVP_PKEY_CTX *ctx,
+ EVP_PKEY *pkey));
+ void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth,
+ int (**psign_init) (EVP_PKEY_CTX *ctx),
+ int (**psign) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth,
+ int (**pverify_init) (EVP_PKEY_CTX *ctx),
+ int (**pverify) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ size_t siglen,
+ const unsigned char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth,
+ int (**pverify_recover_init) (EVP_PKEY_CTX
+ *ctx),
+ int (**pverify_recover) (EVP_PKEY_CTX
+ *ctx,
+ unsigned char
+ *sig,
+ size_t *siglen,
+ const unsigned
+ char *tbs,
+ size_t tbslen));
+ void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth,
+ int (**psignctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (**psignctx) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig,
+ size_t *siglen,
+ EVP_MD_CTX *mctx));
+ void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth,
+ int (**pverifyctx_init) (EVP_PKEY_CTX *ctx,
+ EVP_MD_CTX *mctx),
+ int (**pverifyctx) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig,
+ int siglen,
+ EVP_MD_CTX *mctx));
+ void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth,
+ int (**pencrypt_init) (EVP_PKEY_CTX *ctx),
+ int (**pencryptfn) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+ void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth,
+ int (**pdecrypt_init) (EVP_PKEY_CTX *ctx),
+ int (**pdecrypt) (EVP_PKEY_CTX *ctx,
+ unsigned char *out,
+ size_t *outlen,
+ const unsigned char *in,
+ size_t inlen));
+ void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth,
+ int (**pderive_init) (EVP_PKEY_CTX *ctx),
+ int (**pderive) (EVP_PKEY_CTX *ctx,
+ unsigned char *key,
+ size_t *keylen));
+ void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth,
+ int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
+ void *p2),
+ int (**pctrl_str) (EVP_PKEY_CTX *ctx,
+ const char *type,
+ const char *value));
+
+=head1 DESCRIPTION
+
+B<EVP_PKEY_METHOD> is a structure which holds a set of methods for a
+specific public key cryptographic algorithm. Those methods are usually
+used to perform different jobs, such as generating a key, signing or
+verifying, encrypting or decrypting, etc.
+
+There are two places where the B<EVP_PKEY_METHOD> objects are stored: one
+is a built-in static array representing the standard methods for different
+algorithms, and the other one is a stack of user-defined application-specific
+methods, which can be manipulated by using L<EVP_PKEY_meth_add0(3)>.
+
+The B<EVP_PKEY_METHOD> objects are usually referenced by B<EVP_PKEY_CTX>
+objects.
+
+=head2 Methods
+
+The methods are the underlying implementations of a particular public key
+algorithm present by the B<EVP_PKEY_CTX> object.
+
+ int (*init) (EVP_PKEY_CTX *ctx);
+ int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
+ void (*cleanup) (EVP_PKEY_CTX *ctx);
+
+The init() method is called to initialize algorithm-specific data when a new
+B<EVP_PKEY_CTX> is created. As opposed to init(), the cleanup() method is called
+when an B<EVP_PKEY_CTX> is freed. The copy() method is called when an B<EVP_PKEY_CTX>
+is being duplicated. Refer to L<EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_CTX_new_id(3)>,
+L<EVP_PKEY_CTX_free(3)> and L<EVP_PKEY_CTX_dup(3)>.
+
+ int (*paramgen_init) (EVP_PKEY_CTX *ctx);
+ int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
+
+The paramgen_init() and paramgen() methods deal with key parameter generation.
+They are called by L<EVP_PKEY_paramgen_init(3)> and L<EVP_PKEY_paramgen(3)> to
+handle the parameter generation process.
+
+ int (*keygen_init) (EVP_PKEY_CTX *ctx);
+ int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
+
+The keygen_init() and keygen() methods are used to generate the actual key for
+the specified algorithm. They are called by L<EVP_PKEY_keygen_init(3)> and
+L<EVP_PKEY_keygen(3)>.
+
+ int (*sign_init) (EVP_PKEY_CTX *ctx);
+ int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen);
+
+The sign_init() and sign() methods are used to generate the signature of a
+piece of data using a private key. They are called by L<EVP_PKEY_sign_init(3)>
+and L<EVP_PKEY_sign(3)>.
+
+ int (*verify_init) (EVP_PKEY_CTX *ctx);
+ int (*verify) (EVP_PKEY_CTX *ctx,
+ const unsigned char *sig, size_t siglen,
+ const unsigned char *tbs, size_t tbslen);
+
+The verify_init() and verify() methods are used to verify whether a signature is
+valid. They are called by L<EVP_PKEY_verify_init(3)> and L<EVP_PKEY_verify(3)>.
+
+ int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
+ int (*verify_recover) (EVP_PKEY_CTX *ctx,
+ unsigned char *rout, size_t *routlen,
+ const unsigned char *sig, size_t siglen);
+
+The verify_recover_init() and verify_recover() methods are used to verify a
+signature and then recover the digest from the signature (for instance, a
+signature that was generated by RSA signing algorithm). They are called by
+L<EVP_PKEY_verify_recover_init(3)> and L<EVP_PKEY_verify_recover(3)>.
+
+ int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+ int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+ EVP_MD_CTX *mctx);
+
+The signctx_init() and signctx() methods are used to sign a digest present by
+a B<EVP_MD_CTX> object. They are called by the EVP_DigestSign functions. See
+L<EVP_DigestSignInit(3)> for detail.
+
+ int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+ int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
+ EVP_MD_CTX *mctx);
+
+The verifyctx_init() and verifyctx() methods are used to verify a signature
+against the data in a B<EVP_MD_CTX> object. They are called by the various
+EVP_DigestVerify functions. See L<EVP_DigestVerifyInit(3)> for detail.
+
+ int (*encrypt_init) (EVP_PKEY_CTX *ctx);
+ int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
+ const unsigned char *in, size_t inlen);
+
+The encrypt_init() and encrypt() methods are used to encrypt a piece of data.
+They are called by L<EVP_PKEY_encrypt_init(3)> and L<EVP_PKEY_encrypt(3)>.
+
+ int (*decrypt_init) (EVP_PKEY_CTX *ctx);
+ int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
+ const unsigned char *in, size_t inlen);
+
+The decrypt_init() and decrypt() methods are used to decrypt a piece of data.
+They are called by L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)>.
+
+ int (*derive_init) (EVP_PKEY_CTX *ctx);
+ int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
+
+The derive_init() and derive() methods are used to derive the shared secret
+from a public key algorithm (for instance, the DH algorithm). They are called by
+L<EVP_PKEY_derive_init(3)> and L<EVP_PKEY_derive(3)>.
+
+ int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
+ int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
+
+The ctrl() and ctrl_str() methods are used to adjust algorithm-specific
+settings. See L<EVP_PKEY_CTX_ctrl(3)> and related functions for detail.
+
+ int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen);
+ int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,
+ size_t siglen, const unsigned char *tbs,
+ size_t tbslen);
+
+The digestsign() and digestverify() methods are used to generate or verify
+a signature in a one-shot mode. They could be called by L<EVP_DigetSign(3)>
+and L<EVP_DigestVerify(3)>.
+
+=head2 Functions
+
+EVP_PKEY_meth_new() creates and returns a new B<EVP_PKEY_METHOD> object,
+and associates the given B<id> and B<flags>. The following flags are
+supported:
+
+ EVP_PKEY_FLAG_AUTOARGLEN
+ EVP_PKEY_FLAG_SIGCTX_CUSTOM
+
+If an B<EVP_PKEY_METHOD> is set with the B<EVP_PKEY_FLAG_AUTOARGLEN> flag, the
+maximum size of the output buffer will be automatically calculated or checked
+in corresponding EVP methods by the EVP framework. Thus the implementations of
+these methods don't need to care about handling the case of returning output
+buffer size by themselves. For details on the output buffer size, refer to
+L<EVP_PKEY_sign(3)>.
+
+The B<EVP_PKEY_FLAG_SIGCTX_CUSTOM> is used to indicate the signctx() method
+of an B<EVP_PKEY_METHOD> is always called by the EVP framework while doing a
+digest signing operation by calling L<EVP_DigestSignFinal(3)>.
+
+EVP_PKEY_meth_free() frees an existing B<EVP_PKEY_METHOD> pointed by
+B<pmeth>.
+
+EVP_PKEY_meth_copy() copies an B<EVP_PKEY_METHOD> object from B<src>
+to B<dst>.
+
+EVP_PKEY_meth_find() finds an B<EVP_PKEY_METHOD> object with the B<id>.
+This function first searches through the user-defined method objects and
+then the built-in objects.
+
+EVP_PKEY_meth_add0() adds B<pmeth> to the user defined stack of methods.
+
+The EVP_PKEY_meth_set functions set the corresponding fields of
+B<EVP_PKEY_METHOD> structure with the arguments passed.
+
+The EVP_PKEY_meth_get functions get the corresponding fields of
+B<EVP_PKEY_METHOD> structure to the arguments provided.
+
+=head1 RETURN VALUES
+
+EVP_PKEY_meth_new() returns a pointer to a new B<EVP_PKEY_METHOD>
+object or returns NULL on error.
+
+EVP_PKEY_meth_free() and EVP_PKEY_meth_copy() do not return values.
+
+EVP_PKEY_meth_find() returns a pointer to the found B<EVP_PKEY_METHOD>
+object or returns NULL if not found.
+
+EVP_PKEY_meth_add0() returns 1 if method is added successfully or 0
+if an error occurred.
+
+All EVP_PKEY_meth_set and EVP_PKEY_meth_get functions have no return
+values. For the 'get' functions, function pointers are returned by
+arguments.
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
index b8f678fe729d..f20f815d4786 100644
--- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -104,6 +104,13 @@ The RSA_padding_check_xxx() functions return the length of the
recovered data, -1 on error. Error codes can be obtained by calling
L<ERR_get_error(3)|ERR_get_error(3)>.
+=head1 WARNING
+
+The RSA_padding_check_PKCS1_type_2() padding check leaks timing
+information which can potentially be used to mount a Bleichenbacher
+padding oracle attack. This is an inherent weakness in the PKCS #1
+v1.5 padding design. Prefer PKCS1_OAEP padding.
+
=head1 SEE ALSO
L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod
index 0541f348b3e2..4d7c1f2cac7a 100644
--- a/doc/crypto/RSA_public_encrypt.pod
+++ b/doc/crypto/RSA_public_encrypt.pod
@@ -67,6 +67,13 @@ recovered plaintext.
On error, -1 is returned; the error codes can be
obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+=head1 WARNING
+
+Decryption failures in the RSA_PKCS1_PADDING mode leak information
+which can potentially be used to mount a Bleichenbacher padding oracle
+attack. This is an inherent weakness in the PKCS #1 v1.5 padding
+design. Prefer RSA_PKCS1_OAEP_PADDING.
+
=head1 CONFORMING TO
SSL, PKCS #1 v2.0
diff --git a/doc/crypto/X509_check_private_key.pod b/doc/crypto/X509_check_private_key.pod
new file mode 100644
index 000000000000..a1fb07b1097e
--- /dev/null
+++ b/doc/crypto/X509_check_private_key.pod
@@ -0,0 +1,54 @@
+=pod
+
+=head1 NAME
+
+X509_check_private_key, X509_REQ_check_private_key - check the consistency
+of a private key with the public key in an X509 certificate or certificate
+request
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ int X509_check_private_key(X509 *x, EVP_PKEY *k);
+
+ int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
+
+=head1 DESCRIPTION
+
+X509_check_private_key() function checks the consistency of private
+key B<k> with the public key in B<x>.
+
+X509_REQ_check_private_key() is equivalent to X509_check_private_key()
+except that B<x> represents a certificate request of structure B<X509_REQ>.
+
+=head1 RETURN VALUE
+
+X509_check_private_key() and X509_REQ_check_private_key() return 1 if
+the keys match each other, and 0 if not.
+
+If the key is invalid or an error occurred, the reason code can be
+obtained using L<ERR_get_error(3)>.
+
+=head1 BUGS
+
+The B<check_private_key> functions don't check if B<k> itself is indeed
+a private key or not. It merely compares the public materials (e.g. exponent
+and modulus of an RSA key) and/or key parameters (e.g. EC params of an EC key)
+of a key pair. So if you pass a public key to these functions in B<k>, it will
+return success.
+
+=head1 SEE ALSO
+
+L<ERR_get_error(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/crypto/hmac.pod b/doc/crypto/hmac.pod
index 2c8f20a20188..ca9798af62c3 100644
--- a/doc/crypto/hmac.pod
+++ b/doc/crypto/hmac.pod
@@ -38,7 +38,8 @@ B<key_len> bytes long.
It places the result in B<md> (which must have space for the output of
the hash function, which is no more than B<EVP_MAX_MD_SIZE> bytes).
If B<md> is NULL, the digest is placed in a static array. The size of
-the output is placed in B<md_len>, unless it is B<NULL>.
+the output is placed in B<md_len>, unless it is B<NULL>. Note: passing a NULL
+value for B<md> to use the static array is not thread safe.
B<evp_md> can be EVP_sha1(), EVP_ripemd160() etc.
diff --git a/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod b/doc/ssl/SSL_CTX_set_tlsext_servername_callback.pod
index 3b0a50956d9b..3b0a50956d9b 100644
--- a/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_servername_callback.pod
diff --git a/doc/ssl/SSL_export_keying_material.pod b/doc/ssl/SSL_export_keying_material.pod
new file mode 100644
index 000000000000..ccb99ec9a8e0
--- /dev/null
+++ b/doc/ssl/SSL_export_keying_material.pod
@@ -0,0 +1,61 @@
+=pod
+
+=head1 NAME
+
+SSL_export_keying_material - obtain keying material for application use
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+ const char *label, size_t llen,
+ const unsigned char *context,
+ size_t contextlen, int use_context);
+
+=head1 DESCRIPTION
+
+During the creation of a TLS or DTLS connection shared keying material is
+established between the two endpoints. The function SSL_export_keying_material()
+enables an application to use some of this keying material for its own purposes
+in accordance with RFC5705.
+
+An application may need to securely establish the context within which this
+keying material will be used. For example this may include identifiers for the
+application session, application algorithms or parameters, or the lifetime of
+the context. The context value is left to the application but must be the same
+on both sides of the communication.
+
+For a given SSL connection B<s>, B<olen> bytes of data will be written to
+B<out>. The application specific context should be supplied in the location
+pointed to by B<context> and should be B<contextlen> bytes long. Provision of
+a context is optional. If the context should be omitted entirely then
+B<use_context> should be set to 0. Otherwise it should be any other value. If
+B<use_context> is 0 then the values of B<context> and B<contextlen> are ignored.
+Note that a zero length context is treated differently to no context at all, and
+will result in different keying material being returned.
+
+An application specific label should be provided in the location pointed to by
+B<label> and should be B<llen> bytes long. Typically this will be a value from
+the IANA Exporter Label Registry
+(L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
+Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
+to be used without registration.
+
+Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
+above. Attempting to use it in SSLv3 will result in an error.
+
+=head1 RETURN VALUES
+
+SSL_export_keying_material() returns 0 or -1 on failure or 1 on success.
+
+=head1 COPYRIGHT
+
+Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/ssl/SSL_set_connect_state.pod b/doc/ssl/SSL_set_connect_state.pod
index d88a057deffa..14facc6a57c9 100644
--- a/doc/ssl/SSL_set_connect_state.pod
+++ b/doc/ssl/SSL_set_connect_state.pod
@@ -25,7 +25,7 @@ it was either assigned a dedicated client method, a dedicated server
method, or a generic method, that can be used for both client and
server connections. (The method might have been changed with
L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)> or
-SSL_set_ssl_method().)
+SSL_set_ssl_method(3).)
When beginning a new handshake, the SSL engine must know whether it must
call the connect (client) or accept (server) routines. Even though it may