Import OpenSSL 1.1.1l

doc/man1/enc.pod

@@ -180,8 +180,8 @@ Debug the BIOs used for I/O.
 
 =item B<-z>
 
-Compress or decompress clear text using zlib before encryption or after
-decryption. This option exists only if OpenSSL with compiled with zlib
+Compress or decompress encrypted data using zlib after encryption or before
+decryption. This option exists only if OpenSSL was compiled with the zlib
 or zlib-dynamic option.
 
 =item B<-none>

doc/man1/s_client.pod

@@ -797,7 +797,7 @@ server.
 
 The B<s_client> utility is a test tool and is designed to continue the
 handshake after any certificate verification errors. As a result it will
-accept any certificate chain (trusted or not) sent by the peer. None test
+accept any certificate chain (trusted or not) sent by the peer. Non-test
 applications should B<not> do this as it makes them vulnerable to a MITM
 attack. This behaviour can be changed by with the B<-verify_return_error>
 option: any verify errors are then returned aborting the handshake.

doc/man1/s_server.pod

@@ -701,7 +701,7 @@ disabling the ephemeral DH cipher suites.
 
 =item B<-alpn val>, B<-nextprotoneg val>
 
-These flags enable the Enable the Application-Layer Protocol Negotiation
+These flags enable the Application-Layer Protocol Negotiation
 or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
 IETF standard and replaces NPN.
 The B<val> list is a comma-separated list of supported protocol

doc/man3/BIO_f_ssl.pod

@@ -185,11 +185,6 @@ unencrypted example in L<BIO_s_connect(3)>.
      ERR_print_errors_fp(stderr);
      exit(1);
  }
- if (BIO_do_handshake(sbio) <= 0) {
-     fprintf(stderr, "Error establishing SSL connection\n");
-     ERR_print_errors_fp(stderr);
-     exit(1);
- }
 
  /* XXX Could examine ssl here to get connection info */
 
@@ -298,7 +293,7 @@ be modified to handle this fix or they may free up an already freed BIO.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/BIO_push.pod

@@ -61,8 +61,8 @@ the new chain is B<md1-md2-b64-f>. Data written to B<md1> will be digested
 by B<md1> and B<md2>, B<base64> encoded and written to B<f>.
 
 It should be noted that reading causes data to pass in the reverse
-direction, that is data is read from B<f>, base64 B<decoded> and digested
-by B<md1> and B<md2>. If the call:
+direction, that is data is read from B<f>, B<base64> decoded and digested
+by B<md2> and B<md1>. If the call:
 
  BIO_pop(md2);
 
@@ -79,7 +79,7 @@ The BIO_set_next() function was added in OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/BN_cmp.pod

@@ -2,42 +2,47 @@
 
 =head1 NAME
 
-BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_is_odd - BIGNUM comparison and test functions
+BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd - BIGNUM comparison and test functions
 
 =head1 SYNOPSIS
 
  #include <openssl/bn.h>
 
- int BN_cmp(BIGNUM *a, BIGNUM *b);
- int BN_ucmp(BIGNUM *a, BIGNUM *b);
+ int BN_cmp(const BIGNUM *a, const BIGNUM *b);
+ int BN_ucmp(const BIGNUM *a, const BIGNUM *b);
 
- int BN_is_zero(BIGNUM *a);
- int BN_is_one(BIGNUM *a);
- int BN_is_word(BIGNUM *a, BN_ULONG w);
- int BN_is_odd(BIGNUM *a);
+ int BN_is_zero(const BIGNUM *a);
+ int BN_is_one(const BIGNUM *a);
+ int BN_is_word(const BIGNUM *a, const BN_ULONG w);
+ int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w);
+ int BN_is_odd(const BIGNUM *a);
 
 =head1 DESCRIPTION
 
-BN_cmp() compares the numbers B<a> and B<b>. BN_ucmp() compares their
+BN_cmp() compares the numbers I<a> and I<b>. BN_ucmp() compares their
 absolute values.
 
-BN_is_zero(), BN_is_one() and BN_is_word() test if B<a> equals 0, 1,
-or B<w> respectively. BN_is_odd() tests if a is odd.
-
-BN_is_zero(), BN_is_one(), BN_is_word() and BN_is_odd() are macros.
+BN_is_zero(), BN_is_one(), BN_is_word() and BN_abs_is_word() test if
+I<a> equals 0, 1, I<w>, or E<verbar>I<w>E<verbar> respectively.
+BN_is_odd() tests if I<a> is odd.
 
 =head1 RETURN VALUES
 
-BN_cmp() returns -1 if B<a> E<lt> B<b>, 0 if B<a> == B<b> and 1 if
-B<a> E<gt> B<b>. BN_ucmp() is the same using the absolute values
-of B<a> and B<b>.
+BN_cmp() returns -1 if I<a> E<lt> I<b>, 0 if I<a> == I<b> and 1 if
+I<a> E<gt> I<b>. BN_ucmp() is the same using the absolute values
+of I<a> and I<b>.
 
-BN_is_zero(), BN_is_one() BN_is_word() and BN_is_odd() return 1 if
-the condition is true, 0 otherwise.
+BN_is_zero(), BN_is_one() BN_is_word(), BN_abs_is_word() and
+BN_is_odd() return 1 if the condition is true, 0 otherwise.
+
+=head1 HISTORY
+
+Prior to OpenSSL 1.1.0, BN_is_zero(), BN_is_one(), BN_is_word(),
+BN_abs_is_word() and BN_is_odd() were macros.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man3/d2i_PrivateKey.pod

@@ -42,6 +42,10 @@ These functions are similar to the d2i_X509() functions; see L<d2i_X509(3)>.
 
 =head1 NOTES
 
+All the functions that operate on data in memory update the data pointer I<*pp>
+after a successful operation, just like the other d2i and i2d functions;
+see L<d2i_X509(3)>.
+
 All these functions use DER format and unencrypted keys. Applications wishing
 to encrypt or decrypt private keys should use other functions such as
 d2i_PKCS8PrivateKey() instead.
@@ -71,7 +75,7 @@ L<d2i_PKCS8PrivateKey_bio(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy

doc/man7/x509.pod

@@ -11,7 +11,7 @@ x509 - X.509 certificate handling
 =head1 DESCRIPTION
 
 An X.509 certificate is a structured grouping of information about
-an individual, a device, or anything one can imagine.  A X.509 CRL
+an individual, a device, or anything one can imagine.  An X.509 CRL
 (certificate revocation list) is a tool to help determine if a
 certificate is still valid.  The exact definition of those can be
 found in the X.509 document from ITU-T, or in RFC3280 from PKIX.
@@ -24,7 +24,7 @@ X509_REQ is used to express such a certificate request.
 
 To handle some complex parts of a certificate, there are the types
 X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express
-a certificate attributes), X509_EXTENSION (to express a certificate
+a certificate attribute), X509_EXTENSION (to express a certificate
 extension) and a few more.
 
 Finally, there's the supertype X509_INFO, which can contain a CRL, a
@@ -63,7 +63,7 @@ L<crypto(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy