DOC: Fix nits found by new check on SYNOPSIS and OPTIONS consistency

Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15299)
1 year ago · 359efeac3f
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@ -122,9 +122,9 @@ if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
    print STDERR <<EOF;
 Usage:
    CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter]
    CA.pl -pkcs12 [-extra-pkcs12 parameter] [certname]
    CA.pl -verify [-extra-verify parameter] certfile ...
    CA.pl -revoke [-extra-ca parameter] certfile [reason]
    CA.pl -pkcs12 [certname]
    CA.pl -verify certfile ...
    CA.pl -revoke certfile [reason]
 EOF
    exit 0;
 }
--- a/apps/s_server.c
+++ b/apps/s_server.c
@ -718,7 +718,7 @@ const OPTIONS s_server_options[] = {
    OPT_SECTION("General"),
    {"help", OPT_HELP, '-', "Display this summary"},
    {"ssl_config", OPT_SSL_CONFIG, 's',
     "Configure SSL_CTX using the configuration 'val'"},
     "Configure SSL_CTX using the given configuration value"},
 #ifndef OPENSSL_NO_SSL_TRACE
    {"trace", OPT_TRACE, '-', "trace protocol messages"},
 #endif
@ -786,7 +786,7 @@ const OPTIONS s_server_options[] = {
    {"servername", OPT_SERVERNAME, 's',
     "Servername for HostName TLS extension"},
    {"servername_fatal", OPT_SERVERNAME_FATAL, '-',
     "mismatch send fatal alert (default warning alert)"},
     "On servername mismatch send fatal alert (default warning alert)"},
    {"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
    {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
    {"quiet", OPT_QUIET, '-', "No server output"},
@ -823,13 +823,13 @@ const OPTIONS s_server_options[] = {
     "use URI as certificate store to verify CA certificate"},
    {"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
    {"ext_cache", OPT_EXT_CACHE, '-',
     "Disable internal cache, setup and use external cache"},
     "Disable internal cache, set up and use external cache"},
    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
     "Close connection on verification error"},
    {"verify_quiet", OPT_VERIFY_QUIET, '-',
     "No verify output except verify errors"},
    {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
    {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
    {"ign_eof", OPT_IGN_EOF, '-', "Ignore input EOF (default when -quiet)"},
    {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input EOF"},

 #ifndef OPENSSL_NO_OCSP
    OPT_SECTION("OCSP"),
@ -872,7 +872,7 @@ const OPTIONS s_server_options[] = {
    OPT_SECTION("Network"),
    {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
    {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
    {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
    {"mtu", OPT_MTU, 'p', "Set link-layer MTU"},
    {"read_buf", OPT_READ_BUF, 'p',
     "Default read buffer size to be used for connections"},
    {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
--- a/apps/srp.c
+++ b/apps/srp.c
@ -209,8 +209,8 @@ const OPTIONS srp_options[] = {
 #endif

    OPT_SECTION("Action"),
    {"add", OPT_ADD, '-', "Add a user and srp verifier"},
    {"modify", OPT_MODIFY, '-', "Modify the srp verifier of an existing user"},
    {"add", OPT_ADD, '-', "Add a user and SRP verifier"},
    {"modify", OPT_MODIFY, '-', "Modify the SRP verifier of an existing user"},
    {"delete", OPT_DELETE, '-', "Delete user from verifier file"},
    {"list", OPT_LIST, '-', "List users"},

--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
@ -23,11 +23,11 @@ B<-crl> |
 B<-newca>
 [B<-extra-I<cmd>> I<parameter>]

 B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> I<parameter>] [I<certname>]
 B<CA.pl> B<-pkcs12> [I<certname>]

 B<CA.pl> B<-verify> [B<-extra-verify> I<parameter>] I<certfile> ...
 B<CA.pl> B<-verify> I<certfile> ...

 B<CA.pl> B<-revoke> [B<-extra-ca> I<parameter>] I<certfile> [I<reason>]
 B<CA.pl> B<-revoke> I<certfile> [I<reason>]

 =head1 DESCRIPTION

@ -57,7 +57,7 @@ the correct path of the configuration file.

 =over 4

 =item B<?>, B<-h>, B<-help>
 =item B<-?>, B<-h>, B<-help>

 Prints a usage message.

--- a/doc/man1/openssl-ec.pod.in
+++ b/doc/man1/openssl-ec.pod.in
@ -100,6 +100,10 @@ Prints out the public, private key components and parameters.

 This option prevents output of the encoded version of the key.

 =item B<-param_out>

 Print the elliptic curve parameters.

 =item B<-pubin>

 By default, a private key is read from the input file. With this option a
--- a/doc/man1/openssl-enc.pod.in
+++ b/doc/man1/openssl-enc.pod.in
@ -54,6 +54,10 @@ either by itself or in addition to the encryption or decryption.

 =over 4

 =item B<-I<cipher>>

 The cipher to use.

 =item B<-help>

 Print out a usage message.
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@ -14,6 +14,7 @@ B<openssl> B<ocsp>
 [B<-out> I<file>]
 [B<-issuer> I<file>]
 [B<-cert> I<file>]
 [B<-no_certs>]
 [B<-serial> I<n>]
 [B<-signer> I<file>]
 [B<-signkey> I<file>]
@ -23,7 +24,6 @@ B<openssl> B<ocsp>
 [B<-req_text>]
 [B<-resp_text>]
 [B<-text>]
 [B<-no_certs>]
 [B<-reqout> I<file>]
 [B<-respout> I<file>]
 [B<-reqin> I<file>]
@ -112,6 +112,10 @@ Add the certificate I<filename> to the request. The issuer certificate
 is taken from the previous B<-issuer> option, or an error occurs if no
 issuer certificate is specified.

 =item B<-no_certs>

 Don't include any certificates in signed request.

 =item B<-serial> I<num>

 Same as the B<-cert> option except the certificate with serial number
@ -389,7 +393,6 @@ each child is willing to wait for the client's OCSP response.
 This option is available on POSIX systems (that support the fork() and other
 required unix system-calls).


 =item B<-nmin> I<minutes>, B<-ndays> I<days>

 Number of minutes or days when fresh revocation information is available:
--- a/doc/man1/openssl-pkcs8.pod.in
+++ b/doc/man1/openssl-pkcs8.pod.in
@ -101,6 +101,10 @@ When creating new PKCS#8 containers, use a given number of iterations on
 the password in deriving the encryption key for the PKCS#8 output.
 High values increase the time required to brute-force a PKCS#8 container.

 =item B<-noiter>

 When creating new PKCS#8 containers, use 1 as iteration count.

 =item B<-nocrypt>

 PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@ -77,13 +77,13 @@ B<openssl> B<s_server>
 [B<-no_proxy> I<addresses>]
 [B<-status_url> I<val>]
 [B<-status_file> I<infile>]
 [B<-ssl_config> I<val>]
 [B<-trace>]
 [B<-security_debug>]
 [B<-security_debug_verbose>]
 [B<-brief>]
 [B<-rev>]
 [B<-async>]
 [B<-ssl_config> I<val>]
 [B<-max_send_frag> I<+int>]
 [B<-split_send_frag> I<+int>]
 [B<-max_pipelines> I<+int>]
@ -123,9 +123,9 @@ B<openssl> B<s_server>
 [B<-listen>]
 [B<-sctp>]
 [B<-sctp_label_bug>]
 [B<-use_srtp> I<val>]
 [B<-no_dhe>]
 [B<-nextprotoneg> I<val>]
 [B<-use_srtp> I<val>]
 [B<-alpn> I<val>]
 [B<-sendfile>]
 [B<-keylogfile> I<outfile>]
@ -303,6 +303,14 @@ This option translated a line feed from the terminal into CR+LF.

 Print extensive debugging information including a hex dump of all traffic.

 =item B<-security_debug>

 Print output from SSL/TLS security framework.

 =item B<-security_debug_verbose>

 Print more output from SSL/TLS security framework

 =item B<-msg>

 Show all protocol messages with hex dump.
@ -377,6 +385,10 @@ DH).

 Inhibit printing of session and certificate information.

 =item B<-no_resume_ephemeral>

 Disable caching and tickets if ephemeral (EC)DH is used.

 =item B<-tlsextdebug>

 Print a hex dump of any TLS extensions received from the server.
@ -426,6 +438,14 @@ option is enabled the peer does not need to send the close_notify alert and a
 closed connection will be treated as if the close_notify alert was received.
 For more information on shutting down a connection, see L<SSL_shutdown(3)>.

 =item B<-servername>

 Servername for HostName TLS extension.

 =item B<-servername_fatal>

 On servername mismatch send fatal alert (default: warning alert).

 =item B<-id_prefix> I<val>

 Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
@ -433,12 +453,40 @@ for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple
 servers, when each of which might be generating a unique range of session
 IDs (e.g. with a certain prefix).

 =item B<-keymatexport>

 Export keying material using label.

 =item B<-keymatexportlen>

 Export the given number of bytes of keying material; default 20.

 =item B<-no_cache>

 Disable session cache.

 =item B<-ext_cache>.

 Disable internal cache, set up and use external cache.

 =item B<-verify_return_error>

 Verification errors normally just print a message but allow the
 connection to continue, for debugging purposes.
 If this option is used, then verification errors close the connection.

 =item B<-verify_quiet>

 No verify output except verify errors.

 =item B<-ign_eof>

 Ignore input EOF (default: when B<-quiet>).

 =item B<-no_ign_eof>

 Do not ignore input EOF.

 =item B<-status>

 Enables certificate status request support (aka OCSP stapling).
@ -482,6 +530,10 @@ Any given query component is handled as part of the path component.
 Overrides any OCSP responder URLs from the certificate and always provides the
 OCSP Response stored in the file. The file must be in DER format.

 =item B<-ssl_config> I<val>

 Configure SSL_CTX using the given configuration value.

 =item B<-trace>

 Show verbose trace output of protocol messages. OpenSSL needs to be compiled
@ -622,6 +674,14 @@ will be used.

 Turns on non blocking I/O.

 =item B<-timeout>

 Enable timeouts.

 =item B<-mtu>

 Set link-layer MTU.

 =item B<-psk_identity> I<val>

 Expect the client to send PSK identity I<val> when using a PSK
@ -644,6 +704,16 @@ This option must be provided in order to use a PSK cipher.
 Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
 Note that this will only work if TLSv1.3 is negotiated.

 =item B<-srpvfile>

 The verifier file for SRP.
 This option is deprecated.

 =item B<-srpuserseed>

 A seed string for a default user salt.
 This option is deprecated.

 =item B<-listen>

 This option can only be used in conjunction with one of the DTLS options above.
@ -669,6 +739,10 @@ older broken implementations but breaks interoperability with correct
 implementations. Must be used in conjunction with B<-sctp>. This option is only
 available where OpenSSL has support for SCTP enabled.

 =item B<-use_srtp>

 Offer SRTP key management with a colon-separated profile list.

 =item B<-no_dhe>

 If this option is set then no DH parameters will be loaded effectively
@ -849,7 +923,8 @@ The -no_alt_chains option was added in OpenSSL 1.1.0.
 The
 -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.

 The B<-engine> option was deprecated in OpenSSL 3.0.
 The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
 option were deprecated in OpenSSL 3.0.

 =head1 COPYRIGHT

--- a/doc/man1/openssl-speed.pod.in
+++ b/doc/man1/openssl-speed.pod.in
@ -81,6 +81,14 @@ C<openssl speed -cmac aes128>.

 Time the decryption instead of encryption. Affects only the EVP testing.

 =item B<-mb>

 Enable multi-block mode on EVP-named cipher.

 =item B<-aead>

 Benchmark EVP-named AEAD cipher in TLS-like sequence.

 =item B<-primes> I<num>

 Generate a I<num>-prime RSA key and use it to run the benchmarks. This option
--- a/doc/man1/openssl-srp.pod.in
+++ b/doc/man1/openssl-srp.pod.in
@ -15,7 +15,6 @@ B<openssl srp>
 [B<-delete>]
 [B<-list>]
 [B<-name> I<section>]
 [B<-config> I<file>]
 [B<-srpvfile> I<file>]
 [B<-gn> I<identifier>]
 [B<-userinfo> I<text>]
@ -23,6 +22,7 @@ B<openssl srp>
 [B<-passout> I<arg>]
 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_provider_synopsis -}
 {- $OpenSSL::safe::opt_config_synopsis -}
 [I<user> ...]

 =head1 DESCRIPTION
@ -49,6 +49,26 @@ Display an option summary.

 Generate verbose output while processing.

 =item B<-add>

 Add a user and SRP verifier.

 =item B<-modify>

 Modify the SRP verifier of an existing user.

 =item B<-delete>

 Delete user from verifier file.

 =item B<-list>

 List users.

 =item B<-name>

 The particular SRP definition to use.

 =item B<-srpvfile> I<file>

 If the config file is not specified,
@ -72,8 +92,12 @@ see L<openssl-passphrase-options(1)>.

 {- $OpenSSL::safe::opt_engine_item -}

 {- $OpenSSL::safe::opt_r_item -}

 {- $OpenSSL::safe::opt_provider_item -}

 {- $OpenSSL::safe::opt_config_item -}

 {- $OpenSSL::safe::opt_r_synopsis -}

 =back
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@ -106,11 +106,23 @@ requests either by ftp or e-mail.

 Print out a usage message.

 =item B<-query>

 Generate a TS query. For details see L</Timestamp Request generation>.

 =item B<-reply>

 Generate a TS reply. For details see L</Timestamp Response generation>.

 =item B<-verify>

 Verify a TS response. For details see L</Timestamp Response verification>.

 =back

 =head2 Timestamp Request generation

 The B<-query> switch can be used for creating and printing a timestamp
 The B<-query> command can be used for creating and printing a timestamp
 request with the following options:

 =over 4
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@ -13,13 +13,13 @@ I<command>

 B<openssl>
 B<list>
 B<-standard-commands> |
 B<-digest-commands> |
 B<-cipher-commands> |
 B<-cipher-algorithms> |
 B<-digest-algorithms> |
 B<-mac-algorithms> |
 B<-public-key-algorithms>
 B<standard-commands> |
 B<digest-commands> |
 B<cipher-commands> |
 B<cipher-algorithms> |
 B<digest-algorithms> |
 B<mac-algorithms> |
 B<public-key-algorithms>

 B<openssl> B<no->I<XXX> [ I<options> ]

--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@ -58,14 +58,14 @@ $OpenSSL::safe::opt_v_item = ""

 # Extended validation options.
 $OpenSSL::safe::opt_x_synopsis = ""
 . "[B<-xkey>] I<infile>\n"
 . "[B<-xkey> I<infile>]\n"
 . "[B<-xcert> I<file>]\n"
 . "[B<-xchain>] I<file>\n"
 . "[B<-xchain_build>] I<file>\n"
 . "[B<-xchain> I<file>]\n"
 . "[B<-xchain_build> I<file>]\n"
 . "[B<-xcertform> B<DER>|B<PEM>]>\n"
 . "[B<-xkeyform> B<DER>|B<PEM>]>";
 $OpenSSL::safe::opt_x_item = ""
 . "=item B<xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
 . "=item B<-xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
 . "B<-xchain_build> I<file>, B<-xcertform> B<DER>|B<PEM>,\n"
 . "B<-xkeyform> B<DER>|B<PEM>\n"
 . "\n"
@ -203,8 +203,9 @@ $OpenSSL::safe::opt_s_synopsis = ""
 . "[B<-no_middlebox>]";
 $OpenSSL::safe::opt_s_item = ""
 . "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n"
 . "B<-client_renegotiation>, B<_immediate_renegotiation>\n"
 . "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n"
 . "B<-client_renegotiation>, B<_immediate_renegotiation>,\n"
 . "B<-legacy_renegotiation>, B<-no_renegotiation>,\n"
 . "B<-immediate_renegotiation>, B<-no_resumption_on_reneg>,\n"
 . "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
 . "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
 . "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"