From 359efeac3f9b99c5f734b90db8a4c5bfadb7323a Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Mon, 17 May 2021 11:04:40 +0200 Subject: [PATCH] DOC: Fix nits found by new check on SYNOPSIS and OPTIONS consistency Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15299) --- apps/CA.pl.in | 6 +-- apps/s_server.c | 12 ++--- apps/srp.c | 4 +- doc/man1/CA.pl.pod | 8 ++-- doc/man1/openssl-ec.pod.in | 4 ++ doc/man1/openssl-enc.pod.in | 4 ++ doc/man1/openssl-ocsp.pod.in | 7 ++- doc/man1/openssl-pkcs8.pod.in | 4 ++ doc/man1/openssl-s_server.pod.in | 81 ++++++++++++++++++++++++++++++-- doc/man1/openssl-speed.pod.in | 8 ++++ doc/man1/openssl-srp.pod.in | 26 +++++++++- doc/man1/openssl-ts.pod.in | 14 +++++- doc/man1/openssl.pod | 14 +++--- doc/perlvars.pm | 13 ++--- 14 files changed, 170 insertions(+), 35 deletions(-) diff --git a/apps/CA.pl.in b/apps/CA.pl.in index c0afb96716..6d1de16516 100644 --- a/apps/CA.pl.in +++ b/apps/CA.pl.in @@ -122,9 +122,9 @@ if ( $WHAT =~ /^(-\?|-h|-help)$/ ) { print STDERR < | B<-newca> [B<-extra-I> I] -B B<-pkcs12> [B<-extra-pkcs12> I] [I] +B B<-pkcs12> [I] -B B<-verify> [B<-extra-verify> I] I ... +B B<-verify> I ... -B B<-revoke> [B<-extra-ca> I] I [I] +B B<-revoke> I [I] =head1 DESCRIPTION @@ -57,7 +57,7 @@ the correct path of the configuration file. =over 4 -=item B, B<-h>, B<-help> +=item B<-?>, B<-h>, B<-help> Prints a usage message. diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index e38e405934..8696701257 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in @@ -100,6 +100,10 @@ Prints out the public, private key components and parameters. This option prevents output of the encoded version of the key. +=item B<-param_out> + +Print the elliptic curve parameters. + =item B<-pubin> By default, a private key is read from the input file. With this option a diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index 5c94f49173..f424358ab3 100644 
--- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -54,6 +54,10 @@ either by itself or in addition to the encryption or decryption. =over 4 +=item B<-I> + +The cipher to use. + =item B<-help> Print out a usage message. diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index 0aa06834a9..0116feeaae 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -14,6 +14,7 @@ B B [B<-out> I] [B<-issuer> I] [B<-cert> I] +[B<-no_certs>] [B<-serial> I] [B<-signer> I] [B<-signkey> I] @@ -23,7 +24,6 @@ B B [B<-req_text>] [B<-resp_text>] [B<-text>] -[B<-no_certs>] [B<-reqout> I] [B<-respout> I] [B<-reqin> I] @@ -112,6 +112,10 @@ Add the certificate I to the request. The issuer certificate is taken from the previous B<-issuer> option, or an error occurs if no issuer certificate is specified. +=item B<-no_certs> + +Don't include any certificates in signed request. + =item B<-serial> I Same as the B<-cert> option except the certificate with serial number @@ -389,7 +393,6 @@ each child is willing to wait for the client's OCSP response. This option is available on POSIX systems (that support the fork() and other required unix system-calls). - =item B<-nmin> I, B<-ndays> I Number of minutes or days when fresh revocation information is available: diff --git a/doc/man1/openssl-pkcs8.pod.in b/doc/man1/openssl-pkcs8.pod.in index 100c5afd6f..2af61203e9 100644 --- a/doc/man1/openssl-pkcs8.pod.in +++ b/doc/man1/openssl-pkcs8.pod.in @@ -101,6 +101,10 @@ When creating new PKCS#8 containers, use a given number of iterations on the password in deriving the encryption key for the PKCS#8 output. High values increase the time required to brute-force a PKCS#8 container. +=item B<-noiter> + +When creating new PKCS#8 containers, use 1 as iteration count. + =item B<-nocrypt> PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo 
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index c7ce886b6f..27522fc04b 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -77,13 +77,13 @@ B B [B<-no_proxy> I] [B<-status_url> I] [B<-status_file> I] +[B<-ssl_config> I] [B<-trace>] [B<-security_debug>] [B<-security_debug_verbose>] [B<-brief>] [B<-rev>] [B<-async>] -[B<-ssl_config> I] [B<-max_send_frag> I<+int>] [B<-split_send_frag> I<+int>] [B<-max_pipelines> I<+int>] @@ -123,9 +123,9 @@ B B [B<-listen>] [B<-sctp>] [B<-sctp_label_bug>] +[B<-use_srtp> I] [B<-no_dhe>] [B<-nextprotoneg> I] -[B<-use_srtp> I] [B<-alpn> I] [B<-sendfile>] [B<-keylogfile> I] @@ -303,6 +303,14 @@ This option translated a line feed from the terminal into CR+LF. Print extensive debugging information including a hex dump of all traffic. +=item B<-security_debug> + +Print output from SSL/TLS security framework. + +=item B<-security_debug_verbose> + +Print more output from SSL/TLS security framework + =item B<-msg> Show all protocol messages with hex dump. @@ -377,6 +385,10 @@ DH). Inhibit printing of session and certificate information. +=item B<-no_resume_ephemeral> + +Disable caching and tickets if ephemeral (EC)DH is used. + =item B<-tlsextdebug> Print a hex dump of any TLS extensions received from the server. @@ -426,6 +438,14 @@ option is enabled the peer does not need to send the close_notify alert and a closed connection will be treated as if the close_notify alert was received. For more information on shutting down a connection, see L. +=item B<-servername> + +Servername for HostName TLS extension. + +=item B<-servername_fatal> + +On servername mismatch send fatal alert (default: warning alert). + =item B<-id_prefix> I Generate SSL/TLS session IDs prefixed by I. This is mostly useful 
@@ -433,12 +453,40 @@ for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple servers, when each of which might be generating a unique range of session IDs (e.g. with a certain prefix). +=item B<-keymatexport> + +Export keying material using label. + +=item B<-keymatexportlen> + +Export the given number of bytes of keying material; default 20. + +=item B<-no_cache> + +Disable session cache. + +=item B<-ext_cache>. + +Disable internal cache, set up and use external cache. + =item B<-verify_return_error> Verification errors normally just print a message but allow the connection to continue, for debugging purposes. If this option is used, then verification errors close the connection. +=item B<-verify_quiet> + +No verify output except verify errors. + +=item B<-ign_eof> + +Ignore input EOF (default: when B<-quiet>). + +=item B<-no_ign_eof> + +Do not ignore input EOF. + =item B<-status> Enables certificate status request support (aka OCSP stapling). @@ -482,6 +530,10 @@ Any given query component is handled as part of the path component. Overrides any OCSP responder URLs from the certificate and always provides the OCSP Response stored in the file. The file must be in DER format. +=item B<-ssl_config> I + +Configure SSL_CTX using the given configuration value. + =item B<-trace> Show verbose trace output of protocol messages. OpenSSL needs to be compiled @@ -622,6 +674,14 @@ will be used. Turns on non blocking I/O. +=item B<-timeout> + +Enable timeouts. + +=item B<-mtu> + +Set link-layer MTU. + =item B<-psk_identity> I Expect the client to send PSK identity I when using a PSK 
@@ -644,6 +704,16 @@ This option must be provided in order to use a PSK cipher. Use the pem encoded SSL_SESSION data stored in I as the basis of a PSK. Note that this will only work if TLSv1.3 is negotiated. +=item B<-srpvfile> + +The verifier file for SRP. +This option is deprecated. + +=item B<-srpuserseed> + +A seed string for a default user salt. +This option is deprecated. + =item B<-listen> This option can only be used in conjunction with one of the DTLS options above. @@ -669,6 +739,10 @@ older broken implementations but breaks interoperability with correct implementations. Must be used in conjunction with B<-sctp>. This option is only available where OpenSSL has support for SCTP enabled. +=item B<-use_srtp> + +Offer SRTP key management with a colon-separated profile list. + =item B<-no_dhe> If this option is set then no DH parameters will be loaded effectively @@ -849,7 +923,8 @@ The -no_alt_chains option was added in OpenSSL 1.1.0. The -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1. -The B<-engine> option was deprecated in OpenSSL 3.0. +The B<-srpvfile>, B<-srpuserseed>, and B<-engine> +option were deprecated in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in index 0dbb19da4c..bfe992797a 100644 --- a/doc/man1/openssl-speed.pod.in +++ b/doc/man1/openssl-speed.pod.in @@ -81,6 +81,14 @@ C. Time the decryption instead of encryption. Affects only the EVP testing. +=item B<-mb> + +Enable multi-block mode on EVP-named cipher. + +=item B<-aead> + +Benchmark EVP-named AEAD cipher in TLS-like sequence. + =item B<-primes> I Generate a I-prime RSA key and use it to run the benchmarks. This option diff --git a/doc/man1/openssl-srp.pod.in b/doc/man1/openssl-srp.pod.in index c15d866704..26f7ebcef9 100644 --- a/doc/man1/openssl-srp.pod.in +++ b/doc/man1/openssl-srp.pod.in @@ -15,7 +15,6 @@ B [B<-delete>] [B<-list>] [B<-name> I
] -[B<-config> I] [B<-srpvfile> I] [B<-gn> I] [B<-userinfo> I] @@ -23,6 +22,7 @@ B [B<-passout> I] {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} +{- $OpenSSL::safe::opt_config_synopsis -} [I ...] =head1 DESCRIPTION @@ -49,6 +49,26 @@ Display an option summary. Generate verbose output while processing. +=item B<-add> + +Add a user and SRP verifier. + +=item B<-modify> + +Modify the SRP verifier of an existing user. + +=item B<-delete> + +Delete user from verifier file. + +=item B<-list> + +List users. + +=item B<-name> + +The particular SRP definition to use. + =item B<-srpvfile> I If the config file is not specified, @@ -72,8 +92,12 @@ see L. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_r_item -} + {- $OpenSSL::safe::opt_provider_item -} +{- $OpenSSL::safe::opt_config_item -} + {- $OpenSSL::safe::opt_r_synopsis -} =back diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index cf7d5f0260..6f71820202 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -106,11 +106,23 @@ requests either by ftp or e-mail. Print out a usage message. +=item B<-query> + +Generate a TS query. For details see L. + +=item B<-reply> + +Generate a TS reply. For details see L. + +=item B<-verify> + +Verify a TS response. For details see L. + =back =head2 Timestamp Request generation -The B<-query> switch can be used for creating and printing a timestamp +The B<-query> command can be used for creating and printing a timestamp request with the following options: =over 4 diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 78b98ab7a6..3b47ae9729 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -13,13 +13,13 @@ I B B -B<-standard-commands> | -B<-digest-commands> | -B<-cipher-commands> | -B<-cipher-algorithms> | -B<-digest-algorithms> | -B<-mac-algorithms> | -B<-public-key-algorithms> +B | +B | +B | +B | +B | +B | +B B BI [ I ] 
diff --git a/doc/perlvars.pm b/doc/perlvars.pm index ab52a086ee..71f3888d58 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -58,14 +58,14 @@ $OpenSSL::safe::opt_v_item = "" # Extended validation options. $OpenSSL::safe::opt_x_synopsis = "" -. "[B<-xkey>] I\n" +. "[B<-xkey> I]\n" . "[B<-xcert> I]\n" -. "[B<-xchain>] I\n" -. "[B<-xchain_build>] I\n" +. "[B<-xchain> I]\n" +. "[B<-xchain_build> I]\n" . "[B<-xcertform> B|B]>\n" . "[B<-xkeyform> B|B]>"; $OpenSSL::safe::opt_x_item = "" -. "=item B I, B<-xcert> I, B<-xchain> I,\n" +. "=item B<-xkey> I, B<-xcert> I, B<-xchain> I,\n" . "B<-xchain_build> I, B<-xcertform> B|B,\n" . "B<-xkeyform> B|B\n" . "\n" @@ -203,8 +203,9 @@ $OpenSSL::safe::opt_s_synopsis = "" . "[B<-no_middlebox>]"; $OpenSSL::safe::opt_s_item = "" . "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n" -. "B<-client_renegotiation>, B<_immediate_renegotiation>\n" -. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n" +. "B<-client_renegotiation>, B<_immediate_renegotiation>,\n" +. "B<-legacy_renegotiation>, B<-no_renegotiation>,\n" +. "B<-immediate_renegotiation>, B<-no_resumption_on_reneg>,\n" . "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n" . "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n" . "I, B<-client_sigalgs> I, B<-groups> I, B<-curves>\n" -- 2.39.2
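Review bot: In the second doc/perlvars.pm hunk (`$OpenSSL::safe::opt_s_item`), the rewritten `=item` list still carries the misspelled `B<_immediate_renegotiation>` (underscore where the leading dash belongs) and now also lists the correctly spelled `B<-immediate_renegotiation>` one line later. The rendered option list would therefore show the same option twice, once under a name that is presumably not an accepted option. Dropping the misspelled entry keeps the list to real option names: `. "B<-client_renegotiation>, B<-immediate_renegotiation>,\n"` followed by `. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n"`. The string concatenation starts before the hunk and continues past it, so the remaining entries of the list were not checked here.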