[openssl] master update

matthias.st.pierre at ncp-e.com matthias.st.pierre at ncp-e.com
Wed Jan 29 17:44:39 UTC 2020


The branch master has been updated
       via  68581885cba2a64c47bae7fdd8674be852d0c74c (commit)
       via  65718c516ec69ff2314d12c7ce57b242ccc3021d (commit)
       via  62742fdd8ca46c5455441b9e5e5ddb746c8d38e2 (commit)
      from  12603de634fe628488066d1f3f2c720ca20d6df9 (commit)


- Log -----------------------------------------------------------------
commit 68581885cba2a64c47bae7fdd8674be852d0c74c
Author: Rich Salz <rsalz at akamai.com>
Date:   Fri Jan 24 13:32:34 2020 -0500

    Add -issuer_checks to verify options
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    (Merged from https://github.com/openssl/openssl/pull/10873)

commit 65718c516ec69ff2314d12c7ce57b242ccc3021d
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Jan 16 13:40:52 2020 -0500

    Document most missing options
    
    Add cmd-nits make target.
    
    Listing options should stop when it hits the "parameters" separator.
    
    Add missing .pod.in files to doc/man1/build.info
    
    Tweak find-doc-nits to try openssl-XXX before XXX for POD files and
    change an error messavge to be more useful.
    
    Fix the following pages: ca, cms, crl, dgst, enc,
    engine, errstr, gendsa, genrsa, list, ocsp, passwd, pkcs7, pkcs12, rand,
    rehash, req, rsautil, s_server, speed, s_time,
    sess_id, smime, srp, ts, x509.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    (Merged from https://github.com/openssl/openssl/pull/10873)

commit 62742fdd8ca46c5455441b9e5e5ddb746c8d38e2
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Jan 20 09:45:27 2020 -0500

    Add more generated man1 doc files
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    (Merged from https://github.com/openssl/openssl/pull/10873)

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                        |  6 +--
 Configurations/unix-Makefile.tmpl |  7 +++-
 apps/list.c                       |  4 +-
 apps/s_time.c                     |  1 +
 doc/man1/build.info               | 84 ++++++++++++++++++++-------------------
 doc/man1/openssl-ca.pod.in        |  5 +++
 doc/man1/openssl-cms.pod.in       | 39 +++++++++++++++++-
 doc/man1/openssl-crl.pod.in       | 32 +++++++++++++++
 doc/man1/openssl-dgst.pod.in      | 10 +++--
 doc/man1/openssl-enc.pod.in       |  7 +++-
 doc/man1/openssl-engine.pod       |  5 +++
 doc/man1/openssl-errstr.pod       | 18 ++++++---
 doc/man1/openssl-gendsa.pod.in    |  6 +++
 doc/man1/openssl-genrsa.pod.in    |  6 ++-
 doc/man1/openssl-list.pod         | 10 +++++
 doc/man1/openssl-ocsp.pod.in      | 12 ++++++
 doc/man1/openssl-passwd.pod.in    |  5 +++
 doc/man1/openssl-pkcs12.pod.in    | 23 ++++++++++-
 doc/man1/openssl-pkcs7.pod.in     | 11 +++--
 doc/man1/openssl-rand.pod.in      |  3 ++
 doc/man1/openssl-rehash.pod       |  7 ++--
 doc/man1/openssl-req.pod.in       |  1 +
 doc/man1/openssl-rsautl.pod.in    | 22 +++++++++-
 doc/man1/openssl-s_server.pod.in  | 12 ++++++
 doc/man1/openssl-s_time.pod.in    | 19 ++++++++-
 doc/man1/openssl-sess_id.pod      |  1 +
 doc/man1/openssl-smime.pod.in     | 39 ++++++++++++++----
 doc/man1/openssl-speed.pod.in     | 22 ++++++++++
 doc/man1/openssl-srp.pod.in       |  3 ++
 doc/man1/openssl-ts.pod.in        | 11 +++++
 doc/man1/openssl-x509.pod.in      | 33 +++++++++++++++
 doc/perlvars.pm                   |  5 ++-
 util/find-doc-nits                | 17 +++++---
 33 files changed, 396 insertions(+), 90 deletions(-)

diff --git a/.gitignore b/.gitignore
index 691e88a13e..52c845300b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,7 +26,7 @@
 /include/openssl/opensslv.h
 
 # Auto generated doc files
-# If you add to this list, make sure doc/man1/build.info is sync'd!
+# Keep this in sync with doc/man1/build.info
 doc/man1/openssl-ca.pod
 doc/man1/openssl-cms.pod
 doc/man1/openssl-crl.pod
@@ -37,12 +37,9 @@ doc/man1/openssl-dsaparam.pod
 doc/man1/openssl-ec.pod
 doc/man1/openssl-ecparam.pod
 doc/man1/openssl-enc.pod
-doc/man1/openssl-engine.pod
 doc/man1/openssl-gendsa.pod
 doc/man1/openssl-genpkey.pod
 doc/man1/openssl-genrsa.pod
-doc/man1/openssl-info.pod
-doc/man1/openssl-list.pod
 doc/man1/openssl-ocsp.pod
 doc/man1/openssl-passwd.pod
 doc/man1/openssl-pkcs12.pod
@@ -66,7 +63,6 @@ doc/man1/openssl-storeutl.pod
 doc/man1/openssl-ts.pod
 doc/man1/openssl-verify.pod
 doc/man1/openssl-x509.pod
-doc/man1/openssl.pod
 
 # error code files
 /crypto/err/openssl.txt.old
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 62ca26dde5..14e6627d62 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -516,7 +516,7 @@ clean: libclean
 	-$(RM) `find . -name '*{- platform->depext() -}' \! -name '.*' \! -type d -print`
 	-$(RM) `find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -print`
 	$(RM) core
-	$(RM) tags TAGS doc-nits
+	$(RM) tags TAGS doc-nits cmd-nits
 	$(RM) -r test/test-runs
 	$(RM) openssl.pc libcrypto.pc libssl.pc
 	-$(RM) `find . -type l \! -name '.*' -print`
@@ -950,10 +950,13 @@ update: generate errors ordinals
 generate: generate_apps generate_crypto_bn generate_crypto_objects \
           generate_crypto_conf generate_crypto_asn1 generate_fuzz_oids
 
-.PHONY: doc-nits
+.PHONY: doc-nits cmd-nits
 doc-nits: build_generated
 	(cd $(SRCDIR); $(PERL) util/find-doc-nits -n -l -e )
 
+cmd-nits: build_generated apps/openssl
+	(cd $(SRCDIR); $(PERL) util/find-doc-nits -c )
+
 # Test coverage is a good idea for the future
 #coverage: $(PROGRAMS) $(TESTPROGRAMS)
 #	...
diff --git a/apps/list.c b/apps/list.c
index a5382ac24f..ed6f1c71ac 100644
--- a/apps/list.c
+++ b/apps/list.c
@@ -364,10 +364,12 @@ static void list_options_for_command(const char *command)
     for ( ; o->name != NULL; o++) {
         char c = o->valtype;
 
+        if (o->name == OPT_PARAM_STR)
+            break;
+
         if (o->name == OPT_HELP_STR
                 || o->name == OPT_MORE_STR
                 || o->name == OPT_SECTION_STR
-                || o->name == OPT_PARAM_STR
                 || o->name[0] == '\0')
             continue;
         BIO_printf(bio_out, "%s %c\n", o->name, c == '\0' ? '-' : c);
diff --git a/apps/s_time.c b/apps/s_time.c
index d5816a1b16..babbdbe13e 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -89,6 +89,7 @@ const OPTIONS s_time_options[] = {
     {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
     {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
     {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
+    {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
     {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
     {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
     {"no-CAfile", OPT_NOCAFILE, '-',
diff --git a/doc/man1/build.info b/doc/man1/build.info
index 2fbbb258b4..13012d4432 100644
--- a/doc/man1/build.info
+++ b/doc/man1/build.info
@@ -1,4 +1,5 @@
 
+# Keep this in sync with .gitignore!
 DEPEND[]= \
          openssl-ca.pod \
          openssl-cms.pod \
@@ -7,8 +8,8 @@ DEPEND[]= \
          openssl-dhparam.pod \
          openssl-dsa.pod \
          openssl-dsaparam.pod \
-         openssl-ecparam.pod \
          openssl-ec.pod \
+         openssl-ecparam.pod \
          openssl-enc.pod \
          openssl-gendsa.pod \
          openssl-genpkey.pod \
@@ -16,8 +17,8 @@ DEPEND[]= \
          openssl-ocsp.pod \
          openssl-passwd.pod \
          openssl-pkcs12.pod \
-         openssl-pkcs8.pod \
          openssl-pkcs7.pod \
+         openssl-pkcs8.pod \
          openssl-pkey.pod \
          openssl-pkeyparam.pod \
          openssl-pkeyutl.pod \
@@ -31,81 +32,82 @@ DEPEND[]= \
          openssl-smime.pod \
          openssl-speed.pod \
          openssl-spkac.pod \
-         openssl-storeutl.pod \
          openssl-srp.pod \
+         openssl-storeutl.pod \
          openssl-ts.pod \
          openssl-verify.pod \
          openssl-x509.pod
 
 DEPEND[openssl-ca.pod]=../perlvars.pm
-GENERATE[openssl-ca.pod]=openssl-ca.pod.in
 DEPEND[openssl-cms.pod]=../perlvars.pm
-GENERATE[openssl-cms.pod]=openssl-cms.pod.in
 DEPEND[openssl-crl.pod]=../perlvars.pm
-GENERATE[openssl-crl.pod]=openssl-crl.pod.in
 DEPEND[openssl-dgst.pod]=../perlvars.pm
-GENERATE[openssl-dgst.pod]=openssl-dgst.pod.in
 DEPEND[openssl-dhparam.pod]=../perlvars.pm
-GENERATE[openssl-dhparam.pod]=openssl-dhparam.pod.in
 DEPEND[openssl-dsa.pod]=../perlvars.pm
-GENERATE[openssl-dsa.pod]=openssl-dsa.pod.in
 DEPEND[openssl-dsaparam.pod]=../perlvars.pm
-GENERATE[openssl-dsaparam.pod]=openssl-dsaparam.pod.in
-DEPEND[openssl-ecparam.pod]=../perlvars.pm
-GENERATE[openssl-ecparam.pod]=openssl-ecparam.pod.in
 DEPEND[openssl-ec.pod]=../perlvars.pm
-GENERATE[openssl-ec.pod]=openssl-ec.pod.in
+DEPEND[openssl-ecparam.pod]=../perlvars.pm
 DEPEND[openssl-enc.pod]=../perlvars.pm
-GENERATE[openssl-enc.pod]=openssl-enc.pod.in
 DEPEND[openssl-gendsa.pod]=../perlvars.pm
-GENERATE[openssl-gendsa.pod]=openssl-gendsa.pod.in
 DEPEND[openssl-genpkey.pod]=../perlvars.pm
-GENERATE[openssl-genpkey.pod]=openssl-genpkey.pod.in
 DEPEND[openssl-genrsa.pod]=../perlvars.pm
-GENERATE[openssl-genrsa.pod]=openssl-genrsa.pod.in
 DEPEND[openssl-ocsp.pod]=../perlvars.pm
-GENERATE[openssl-ocsp.pod]=openssl-ocsp.pod.in
 DEPEND[openssl-passwd.pod]=../perlvars.pm
-GENERATE[openssl-passwd.pod]=openssl-passwd.pod.in
+DEPEND[openssl-pkcs12.pod]=../perlvars.pm
 DEPEND[openssl-pkcs7.pod]=../perlvars.pm
-GENERATE[openssl-pkcs7.pod]=openssl-pkcs7.pod.in
 DEPEND[openssl-pkcs8.pod]=../perlvars.pm
-GENERATE[openssl-pkcs8.pod]=openssl-pkcs8.pod.in
-DEPEND[openssl-pkcs12.pod]=../perlvars.pm
-GENERATE[openssl-pkcs12.pod]=openssl-pkcs12.pod.in
 DEPEND[openssl-pkey.pod]=../perlvars.pm
-GENERATE[openssl-pkey.pod]=openssl-pkey.pod.in
 DEPEND[openssl-pkeyparam.pod]=../perlvars.pm
-GENERATE[openssl-pkeyparam.pod]=openssl-pkeyparam.pod.in
 DEPEND[openssl-pkeyutl.pod]=../perlvars.pm
-GENERATE[openssl-pkeyutl.pod]=openssl-pkeyutl.pod.in
 DEPEND[openssl-rand.pod]=../perlvars.pm
-GENERATE[openssl-rand.pod]=openssl-rand.pod.in
 DEPEND[openssl-req.pod]=../perlvars.pm
-GENERATE[openssl-req.pod]=openssl-req.pod.in
 DEPEND[openssl-rsa.pod]=../perlvars.pm
-GENERATE[openssl-rsa.pod]=openssl-rsa.pod.in
 DEPEND[openssl-rsautl.pod]=../perlvars.pm
-GENERATE[openssl-rsautl.pod]=openssl-rsautl.pod.in
 DEPEND[openssl-s_client.pod]=../perlvars.pm
-GENERATE[openssl-s_client.pod]=openssl-s_client.pod.in
 DEPEND[openssl-s_server.pod]=../perlvars.pm
-GENERATE[openssl-s_server.pod]=openssl-s_server.pod.in
 DEPEND[openssl-s_time.pod]=../perlvars.pm
-GENERATE[openssl-s_time.pod]=openssl-s_time.pod.in
 DEPEND[openssl-smime.pod]=../perlvars.pm
-GENERATE[openssl-smime.pod]=openssl-smime.pod.in
 DEPEND[openssl-speed.pod]=../perlvars.pm
-GENERATE[openssl-speed.pod]=openssl-speed.pod.in
 DEPEND[openssl-spkac.pod]=../perlvars.pm
-GENERATE[openssl-spkac.pod]=openssl-spkac.pod.in
-DEPEND[openssl-storeutl.pod]=../perlvars.pm
-GENERATE[openssl-storeutl.pod]=openssl-storeutl.pod.in
 DEPEND[openssl-srp.pod]=../perlvars.pm
-GENERATE[openssl-srp.pod]=openssl-srp.pod.in
+DEPEND[openssl-storeutl.pod]=../perlvars.pm
 DEPEND[openssl-ts.pod]=../perlvars.pm
-GENERATE[openssl-ts.pod]=openssl-ts.pod.in
 DEPEND[openssl-verify.pod]=../perlvars.pm
-GENERATE[openssl-verify.pod]=openssl-verify.pod.in
 DEPEND[openssl-x509.pod]=../perlvars.pm
+
+GENERATE[openssl-ca.pod]=openssl-ca.pod.in
+GENERATE[openssl-cms.pod]=openssl-cms.pod.in
+GENERATE[openssl-crl.pod]=openssl-crl.pod.in
+GENERATE[openssl-dgst.pod]=openssl-dgst.pod.in
+GENERATE[openssl-dhparam.pod]=openssl-dhparam.pod.in
+GENERATE[openssl-dsa.pod]=openssl-dsa.pod.in
+GENERATE[openssl-dsaparam.pod]=openssl-dsaparam.pod.in
+GENERATE[openssl-ec.pod]=openssl-ec.pod.in
+GENERATE[openssl-ecparam.pod]=openssl-ecparam.pod.in
+GENERATE[openssl-enc.pod]=openssl-enc.pod.in
+GENERATE[openssl-gendsa.pod]=openssl-gendsa.pod.in
+GENERATE[openssl-genpkey.pod]=openssl-genpkey.pod.in
+GENERATE[openssl-genrsa.pod]=openssl-genrsa.pod.in
+GENERATE[openssl-ocsp.pod]=openssl-ocsp.pod.in
+GENERATE[openssl-passwd.pod]=openssl-passwd.pod.in
+GENERATE[openssl-pkcs12.pod]=openssl-pkcs12.pod.in
+GENERATE[openssl-pkcs7.pod]=openssl-pkcs7.pod.in
+GENERATE[openssl-pkcs8.pod]=openssl-pkcs8.pod.in
+GENERATE[openssl-pkey.pod]=openssl-pkey.pod.in
+GENERATE[openssl-pkeyparam.pod]=openssl-pkeyparam.pod.in
+GENERATE[openssl-pkeyutl.pod]=openssl-pkeyutl.pod.in
+GENERATE[openssl-rand.pod]=openssl-rand.pod.in
+GENERATE[openssl-req.pod]=openssl-req.pod.in
+GENERATE[openssl-rsa.pod]=openssl-rsa.pod.in
+GENERATE[openssl-rsautl.pod]=openssl-rsautl.pod.in
+GENERATE[openssl-s_client.pod]=openssl-s_client.pod.in
+GENERATE[openssl-s_server.pod]=openssl-s_server.pod.in
+GENERATE[openssl-s_time.pod]=openssl-s_time.pod.in
+GENERATE[openssl-smime.pod]=openssl-smime.pod.in
+GENERATE[openssl-speed.pod]=openssl-speed.pod.in
+GENERATE[openssl-spkac.pod]=openssl-spkac.pod.in
+GENERATE[openssl-srp.pod]=openssl-srp.pod.in
+GENERATE[openssl-storeutl.pod]=openssl-storeutl.pod.in
+GENERATE[openssl-ts.pod]=openssl-ts.pod.in
+GENERATE[openssl-verify.pod]=openssl-verify.pod.in
 GENERATE[openssl-x509.pod]=openssl-x509.pod.in
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 6d351ae1cc..720db228cb 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -23,6 +23,7 @@ B<openssl> B<ca>
 [B<-crl_CA_compromise> I<time>]
 [B<-crldays> I<days>]
 [B<-crlhours> I<hours>]
+[B<-crlsec> I<seconds>]
 [B<-crlexts> I<section>]
 [B<-startdate> I<date>]
 [B<-enddate> I<date>]
@@ -326,6 +327,10 @@ now to place in the CRL nextUpdate field.
 
 The number of hours before the next CRL is due.
 
+=item B<-crlsec> I<num>
+
+The number of seconds before the next CRL is due.
+
 =item B<-revoke> I<filename>
 
 A filename containing a certificate to revoke.
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index 3a919edae5..1965a952be 100644
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -11,8 +11,13 @@ B<openssl> B<cms>
 [B<-help>]
 [B<-encrypt>]
 [B<-decrypt>]
+[B<-debug_decrypt>]
 [B<-sign>]
 [B<-verify>]
+[B<-verify_retcode>]
+[B<-no_attr_verify>]
+[B<-nosigs>]
+[B<-no_content_verify>]
 [B<-cmsout>]
 [B<-resign>]
 [B<-cades>]
@@ -22,6 +27,7 @@ B<openssl> B<cms>
 [B<-digest_verify>]
 [B<-compress>]
 [B<-uncompress>]
+[B<-EncryptedData_decrypt>]
 [B<-EncryptedData_encrypt>]
 [B<-sign_receipt>]
 [B<-verify_receipt> I<receipt>]
@@ -34,7 +40,6 @@ B<openssl> B<cms>
 [B<-stream>]
 [B<-indef>]
 [B<-noindef>]
-[B<-noindef>]
 [B<-content> I<filename>]
 [B<-text>]
 [B<-noout>]
@@ -50,6 +55,7 @@ B<openssl> B<cms>
 [B<-crlfeol>]
 [B<-asciicrlf>]
 [B<-nodetach>]
+[B<-certfile> I<file>]
 [B<-certsout> I<file>]
 [B<-signer> I<file>]
 [B<-recip> I<file>]
@@ -59,6 +65,7 @@ B<openssl> B<cms>
 [B<-receipt_request_from> I<emailaddress>]
 [B<-receipt_request_to> I<emailaddress>]
 [B<-receipt_request_print>]
+[B<-pwri_password> I<password>]
 [B<-secretkey> I<key>]
 [B<-secretkeyid> I<id>]
 [B<-econtent_type> I<type>]
@@ -71,6 +78,7 @@ B<openssl> B<cms>
 {- $OpenSSL::safe::opt_v_synopsis -}
 {- $OpenSSL::safe::opt_trust_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
 [I<cert.pem> ...]
 
 =for openssl ifdef des-wrap engine
@@ -123,6 +131,22 @@ to the output file.
 Verify signed mail. Expects a signed mail message on input and outputs
 the signed data. Both clear text and opaque signing is supported.
 
+=item B<-verify_retcode>
+
+Exit nonzero on verification failure.
+
+=item B<-no_attr_verify>
+
+Do not verify signed attribute signatures.
+
+=item B<-no_content_verify>
+
+Do not verify signed content signatures.
+
+=item B<-nosigs>
+
+Don't verify message signature.
+
 =item B<-cmsout>
 
 Takes an input message and writes out a PEM encoded CMS structure.
@@ -164,6 +188,11 @@ Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be
 compiled with B<zlib> support for this option to work, otherwise it will
 output an error.
 
+=item B<-EncryptedData_decrypt>
+
+Decrypt content using supplied symmetric key and algorithm using a CMS
+B<EncryptedData> type and output the content.
+
 =item B<-EncryptedData_encrypt>
 
 Encrypt content using supplied symmetric key and algorithm using a CMS
@@ -214,7 +243,7 @@ The signed receipt format for use with the B<-receipt_verify>; the default
 is B<SMIME>.
 See L<openssl(1)/Format Options> for details.
 
-=item B<-stream>, B<-indef>, B<-noindef>
+=item B<-stream>, B<-indef>
 
 The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
 for encoding operations. This permits single pass processing of data without
@@ -385,6 +414,10 @@ option B<must> but supplied if a signed receipt it requested.
 For the B<-verify> operation print out the contents of any signed receipt
 requests.
 
+=item B<-pwri_password> I<password>
+
+Specify password for recipient.
+
 =item B<-secretkey> I<key>
 
 Specify symmetric key to use. The key must be supplied in hex format and be
@@ -442,6 +475,8 @@ Any verification errors cause the command to exit.
 
 {- $OpenSSL::safe::opt_r_item -}
 
+{- $OpenSSL::safe::opt_engine_item -}
+
 =item I<cert.pem> ...
 
 One or more certificates of message recipients: used when encrypting
diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in
index 680a11d06c..c1272c2580 100644
--- a/doc/man1/openssl-crl.pod.in
+++ b/doc/man1/openssl-crl.pod.in
@@ -11,12 +11,19 @@ B<openssl> B<crl>
 [B<-help>]
 [B<-inform> B<DER>|B<PEM>]
 [B<-outform> B<DER>|B<PEM>]
+[B<-key> I<filename>]
 [B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
 [B<-text>]
 [B<-in> I<filename>]
 [B<-out> I<filename>]
+[B<-gendelta> I<filename>]
+[B<-badsig>]
+[B<-verify>]
 [B<-noout>]
 [B<-hash>]
+[B<-hash_old>]
+[B<-fingerprint>]
+[B<-crlnumber>]
 [B<-issuer>]
 [B<-lastupdate>]
 [B<-nextupdate>]
@@ -42,6 +49,10 @@ Print out a usage message.
 The input and output formats of the CRL; the default is B<PEM>.
 See L<openssl(1)/Format Options> for details.
 
+=item B<-key> I<filename>
+
+The private key to be used to sign the CRL.
+
 =item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
 
 The format of the private key file; the default is B<PEM>.
@@ -57,14 +68,35 @@ option is not specified.
 Specifies the output filename to write to or standard output by
 default.
 
+=item B<-gendelta> I<filename>
+
+Output a comparison of the main CRL and the one specified here.
+
+=item B<-badsig>
+
+Corrupt the signature before writing it; this can be useful
+for testing.
+
 =item B<-text>
 
 Print out the CRL in text form.
 
+=item B<-verify>
+
+Verify the signature in the CRL.
+
 =item B<-noout>
 
 Don't output the encoded version of the CRL.
 
+=item B<-fingerprint>
+
+Output the fingerprint of the CRL.
+
+=item B<-crlnumber>
+
+Output the number of the CRL.
+
 =item B<-hash>
 
 Output a hash of the issuer name. This can be use to lookup CRLs in
diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in
index bd7b41cb37..caa5b0a45a 100644
--- a/doc/man1/openssl-dgst.pod.in
+++ b/doc/man1/openssl-dgst.pod.in
@@ -12,6 +12,7 @@ B<openssl> B<dgst>|I<digest>
 [B<-help>]
 [B<-c>]
 [B<-d>]
+[B<-debug>]
 [B<-list>]
 [B<-hex>]
 [B<-binary>]
@@ -25,10 +26,11 @@ B<openssl> B<dgst>|I<digest>
 [B<-signature> I<filename>]
 [B<-sigopt> I<nm>:I<v>]
 [B<-hmac> I<key>]
+[B<-mac> I<alg>]
+[B<-macopt> I<nm>:I<v>]
 [B<-fips-fingerprint>]
-[B<-engine> I<id>]
-[B<-engine_impl> I<id>]
 {- $OpenSSL::safe::opt_engine_synopsis -}
+[B<-engine_impl> I<id>]
 {- $OpenSSL::safe::opt_r_synopsis -}
 [I<file> ...]
 
@@ -62,7 +64,7 @@ supported digests, use the command C<list --digest-commands>.
 Print out the digest in two digit groups separated by colons, only relevant if
 the B<-hex> option is given as well.
 
-=item B<-d>
+=item B<-d>, B<-debug>
 
 Print out BIO debugging information.
 
@@ -177,7 +179,7 @@ Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
 The engine is not used for digests unless the B<-engine_impl> option is
 used or it is configured to do so, see L<config(5)/Engine Configuration Module>.
 
-=item B<-engine_impl>
+=item B<-engine_impl> I<id>
 
 When used with the B<-engine> option, it specifies to also use
 engine I<id> for digest operations.
diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in
index cff127d211..515a452f70 100644
--- a/doc/man1/openssl-enc.pod.in
+++ b/doc/man1/openssl-enc.pod.in
@@ -35,12 +35,13 @@ B<openssl> B<enc>|I<cipher>
 [B<-P>]
 [B<-bufsize> I<number>]
 [B<-nopad>]
+[B<-v>]
 [B<-debug>]
 [B<-none>]
 {- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 
-=for openssl ifdef z engine
+=for openssl ifdef z engine ciphers
 
 B<openssl> I<cipher> [B<...>]
 
@@ -176,6 +177,10 @@ Set the buffer size for I/O.
 
 Disable standard block padding.
 
+=item B<-v>
+
+Verbose print; display some statistics about I/O and buffer sizes.
+
 =item B<-debug>
 
 Debug the BIOs used for I/O.
diff --git a/doc/man1/openssl-engine.pod b/doc/man1/openssl-engine.pod
index 30e391fd4e..7110ceecbc 100644
--- a/doc/man1/openssl-engine.pod
+++ b/doc/man1/openssl-engine.pod
@@ -7,6 +7,7 @@ openssl-engine - load and query engines
 =head1 SYNOPSIS
 
 B<openssl engine>
+[B<-help>]
 [B<-v>]
 [B<-vv>]
 [B<-vvv>]
@@ -29,6 +30,10 @@ Only those specified are queried.
 
 =over 4
 
+=item B<-help>
+
+Display an option summary.
+
 =item B<-v> B<-vv> B<-vvv> B<-vvvv>
 
 Provides information about each specified engine. The first flag lists
diff --git a/doc/man1/openssl-errstr.pod b/doc/man1/openssl-errstr.pod
index b19b9da75c..ea838d9eb2 100644
--- a/doc/man1/openssl-errstr.pod
+++ b/doc/man1/openssl-errstr.pod
@@ -6,24 +6,32 @@ openssl-errstr - lookup error codes
 
 =head1 SYNOPSIS
 
-B<openssl errstr> I<error_code>
+B<openssl errstr>
+[B<-help>]
+I<error_code...>
 
 =head1 DESCRIPTION
 
-Sometimes an application will not load error message and only
+Sometimes an application will not load error message texts and only
 numerical forms will be available. This command can be
 used to display the meaning of the hex code. The hex code is the hex digits
 after the second colon.
 
 =head1 OPTIONS
 
-None.
+=over 4
+
+=item B<-help>
+
+Display a usage message.
+
+=back
 
 =head1 EXAMPLES
 
 The error code:
 
- 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
+ 27594:error:2006D080:lib(32)::reason(128)::107:
 
 can be displayed with:
 
@@ -31,7 +39,7 @@ can be displayed with:
 
 to produce the error message:
 
- error:2006D080:BIO routines:BIO_new_file:no such file
+ error:2006D080:BIO routines::no such file
 
 =head1 COPYRIGHT
 
diff --git a/doc/man1/openssl-gendsa.pod.in b/doc/man1/openssl-gendsa.pod.in
index 46b9c70bba..e98d662a5a 100644
--- a/doc/man1/openssl-gendsa.pod.in
+++ b/doc/man1/openssl-gendsa.pod.in
@@ -10,6 +10,7 @@ openssl-gendsa - generate a DSA private key from a set of parameters
 B<openssl> B<gendsa>
 [B<-help>]
 [B<-out> I<filename>]
+[B<-passout> I<arg>]
 [B<-aes128>]
 [B<-aes192>]
 [B<-aes256>]
@@ -47,6 +48,11 @@ Print out a usage message.
 Output the key to the specified file. If this argument is not specified then
 standard output is used.
 
+=item B<-passout> I<arg>
+
+The passphrase used for the output file.
+See L<openssl(1)/Pass Phrase Options>.
+
 =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
 
 These options encrypt the private key with specified
diff --git a/doc/man1/openssl-genrsa.pod.in b/doc/man1/openssl-genrsa.pod.in
index 8a815ee960..ed264332ba 100644
--- a/doc/man1/openssl-genrsa.pod.in
+++ b/doc/man1/openssl-genrsa.pod.in
@@ -23,7 +23,9 @@ B<openssl> B<genrsa>
 [B<-des>]
 [B<-des3>]
 [B<-idea>]
-[B<-f4>|B<-3>]
+[B<-F4>]
+[B<-f4>]
+[B<-3>]
 [B<-primes> I<num>]
 [B<-verbose>]
 {- $OpenSSL::safe::opt_r_synopsis -}
@@ -61,7 +63,7 @@ cipher before outputting it. If none of these options is
 specified no encryption is used. If encryption is used a pass phrase is prompted
 for if it is not supplied via the B<-passout> argument.
 
-=item B<-F4>|B<-3>
+=item B<-F4>, B<-f4>, B<-3>
 
 The public exponent to use, either 65537 or 3. The default is 65537.
 
diff --git a/doc/man1/openssl-list.pod b/doc/man1/openssl-list.pod
index 5388b478a5..88bcc751e6 100644
--- a/doc/man1/openssl-list.pod
+++ b/doc/man1/openssl-list.pod
@@ -21,6 +21,8 @@ B<openssl list>
 [B<-public-key-methods>]
 [B<-engines>]
 [B<-disabled>]
+[B<-objects>]
+[B<-options> I<command>]
 
 =head1 DESCRIPTION
 
@@ -92,6 +94,14 @@ of the installation.
 Display a list of built in objects, i.e. OIDs with names.  They're listed in the
 format described in L<config(5)/ASN1 Object Configuration Module>.
 
+=item B<-options> I<command>
+
+Output a two-column list of the options accepted by the specified I<command>.
+The first is the option name, and the second is a one-character indication
+of what type of parameter it takes, if any.
+This is an internal option, used for checking that the documentation
+is complete.
+
 =back
 
 =head2 Display of algorithm names
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index a866a38ebc..c04d3659b9 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -30,6 +30,7 @@ B<openssl> B<ocsp>
 [B<-host> I<host>:I<port>]
 [B<-multi> I<process-count>]
 [B<-header>]
+[B<-timeout> I<seconds>]
 [B<-path>]
 [B<-VAfile> I<file>]
 [B<-validity_period> I<n>]
@@ -52,6 +53,8 @@ B<openssl> B<ocsp>
 [B<-passin> I<arg>]
 [B<-rother> I<file>]
 [B<-rsigopt> I<nm>:I<v>]
+[B<-rmd> I<digest>]
+[B<-badsig>]
 [B<-resp_no_certs>]
 [B<-nmin> I<n>]
 [B<-ndays> I<n>]
@@ -328,6 +331,15 @@ see L<openssl(1)/Pass Phrase Options>.
 Pass options to the signature algorithm when signing OCSP responses.
 Names and values of these options are algorithm-specific.
 
+=item B<-rmd> I<digest>
+
+The digest to use when signing the response.
+
+=item B<-badsig>
+
+Corrupt the response signature before writing it; this can be useful
+for testing.
+
 =item B<-port> I<portnum>
 
 Port to listen for OCSP requests on. The port may also be specified
diff --git a/doc/man1/openssl-passwd.pod.in b/doc/man1/openssl-passwd.pod.in
index 93039090a3..83ef7ba674 100644
--- a/doc/man1/openssl-passwd.pod.in
+++ b/doc/man1/openssl-passwd.pod.in
@@ -21,6 +21,7 @@ B<openssl passwd>
 [B<-noverify>]
 [B<-quiet>]
 [B<-table>]
+[B<-reverse>]
 {- $OpenSSL::safe::opt_r_synopsis -}
 [I<password>]
 
@@ -93,6 +94,10 @@ Don't output warnings when passwords given at the command line are truncated.
 In the output list, prepend the cleartext password and a TAB character
 to each password hash.
 
+=item B<-reverse>
+
+When the B<-table> option is used, reverse the order of cleartext and hash.
+
 {- $OpenSSL::safe::opt_r_item -}
 
 =back
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index bc2f4963d5..7d562b002e 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -24,8 +24,22 @@ B<openssl> B<pkcs12>
 [B<-cacerts>]
 [B<-nokeys>]
 [B<-info>]
-[B<-des> B<-des3> B<-idea> B<-aes128> B<-aes192> B<-aes256> B<-aria128> B<-aria192> B<-aria256> B<-camellia128> B<-camellia192> B<-camellia256> B<-nodes>]
-[B<-iter> I<count> | B<-noiter> | B<-nomaciter>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-aes128>]
+[B<-aes192>]
+[B<-aes256>]
+[B<-aria128>]
+[B<-aria192>]
+[B<-aria256>]
+[B<-camellia128>]
+[B<-camellia192>]
+[B<-camellia256>]
+[B<-nodes>]
+[B<-iter> I<count>]
+[B<-noiter>]
+[B<-nomaciter>]
 [B<-maciter>]
 [B<-nomac>]
 [B<-twopass>]
@@ -38,6 +52,7 @@ B<openssl> B<pkcs12>
 [B<-password> I<arg>]
 [B<-passin> I<arg>]
 [B<-passout> I<arg>]
+[B<-LMK>]
 [B<-CSP> I<name>]
 {- $OpenSSL::safe::opt_trust_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
@@ -264,6 +279,10 @@ to be needed to use MAC iterations counts but they are now used by default.
 
 Don't attempt to provide the MAC integrity.
 
+=item B<-LMK>
+
+Add the "Local Key Set" identifier to the attributes.
+
 =item B<-CSP> I<name>
 
 Write I<name> as a Microsoft CSP name.
diff --git a/doc/man1/openssl-pkcs7.pod.in b/doc/man1/openssl-pkcs7.pod.in
index f62b69b52b..77ef9f9558 100644
--- a/doc/man1/openssl-pkcs7.pod.in
+++ b/doc/man1/openssl-pkcs7.pod.in
@@ -17,6 +17,7 @@ B<openssl> B<pkcs7>
 [B<-outform> B<DER>|B<PEM>]
 [B<-in> I<filename>]
 [B<-out> I<filename>]
+[B<-print>]
 [B<-print_certs>]
 [B<-text>]
 [B<-noout>]
@@ -30,8 +31,6 @@ This command processes PKCS#7 files.  Note that it only understands PKCS#7
 v 1.5 as specified in IETF RFC 2315.  It cannot currently parse CMS as
 described in IETF RFC 2630.
 
-There is no option to print out all the fields of a PKCS#7 file.
-
 =head1 OPTIONS
 
 =over 4
@@ -57,6 +56,10 @@ option is not specified.
 Specifies the output filename to write to or standard output by
 default.
 
+=item B<-print>
+
+Print out the full PKCS7 object.
+
 =item B<-print_certs>
 
 Prints out any certificates or CRLs contained in the file. They are
@@ -64,13 +67,13 @@ preceded by their subject and issuer names in one line format.
 
 =item B<-text>
 
-Prints out certificates details in full rather than just subject and
+Prints out certificate details in full rather than just subject and
 issuer names.
 
 =item B<-noout>
 
 Don't output the encoded version of the PKCS#7 structure (or certificates
-is B<-print_certs> is set).
+if B<-print_certs> is set).
 
 {- $OpenSSL::safe::opt_engine_item -}
 
diff --git a/doc/man1/openssl-rand.pod.in b/doc/man1/openssl-rand.pod.in
index fd41da379d..61c74df466 100644
--- a/doc/man1/openssl-rand.pod.in
+++ b/doc/man1/openssl-rand.pod.in
@@ -12,6 +12,7 @@ B<openssl rand>
 [B<-out> I<file>]
 [B<-base64>]
 [B<-hex>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 I<num>
 
@@ -42,6 +43,8 @@ Perform base64 encoding on the output.
 
 Show the output as a hex string.
 
+{- $OpenSSL::safe::opt_engine_item -}
+
 {- $OpenSSL::safe::opt_r_item -}
 
 =back
diff --git a/doc/man1/openssl-rehash.pod b/doc/man1/openssl-rehash.pod
index eed2864446..241f225380 100644
--- a/doc/man1/openssl-rehash.pod
+++ b/doc/man1/openssl-rehash.pod
@@ -15,6 +15,7 @@ B<rehash>
 [B<-h>]
 [B<-help>]
 [B<-old>]
+[B<-compat>]
 [B<-n>]
 [B<-v>]
 [I<directory>] ...
@@ -29,9 +30,9 @@ B<c_rehash>
 
 =head1 DESCRIPTION
 
-On some platforms, this command isn't available, and the external
-script B<c_rehash> has to be used instead.  They are functionally
-equivalent, except for minor differences noted below.
+This command is generally equivalent to the external
+script B<c_rehash>,
+except for minor differences noted below.
 
 B<openssl rehash> scans directories and calculates a hash value of
 each F<.pem>, F<.crt>, F<.cer>, or F<.crl>
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index cd49679d04..598e6a8d54 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -22,6 +22,7 @@ B<openssl> B<req>
 [B<-modulus>]
 [B<-new>]
 [B<-newkey> I<arg>]
+[B<-pkeyopt> I<opt>:I<value>]
 [B<-nodes>]
 [B<-key> I<filename>]
 [B<-keyform> B<DER>|B<PEM>]
diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
index 9cabb5f173..628e83c87c 100644
--- a/doc/man1/openssl-rsautl.pod.in
+++ b/doc/man1/openssl-rsautl.pod.in
@@ -10,6 +10,8 @@ openssl-rsautl - RSA utility
 B<openssl> B<rsautl>
 [B<-help>]
 [B<-in> I<file>]
+[B<-passin> I<arg>]
+[B<-rev>]
 [B<-out> I<file>]
 [B<-inkey> I<file>]
 [B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
@@ -20,10 +22,16 @@ B<openssl> B<rsautl>
 [B<-encrypt>]
 [B<-decrypt>]
 [B<-pkcs>]
+[B<-x931>]
+[B<-oaep>]
+[B<-ssl>]
+[B<-raw>]
+[B<-pkcs>]
 [B<-ssl>]
 [B<-raw>]
 [B<-hexdump>]
 [B<-asn1parse>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 
 =for openssl ifdef engine
@@ -46,6 +54,15 @@ Print out a usage message.
 This specifies the input filename to read data from or standard input
 if this option is not specified.
 
+=item B<-passin> I<arg>
+
+The passphrase used in the output file.
+See see L<openssl(1)/Pass Phrase Options>.
+
+=item B<-rev>
+
+Reverse the order of the input.
+
 =item B<-out> I<filename>
 
 Specifies the output filename to write to or standard output by
@@ -85,9 +102,10 @@ Encrypt the input data using an RSA public key.
 
 Decrypt the input data using an RSA private key.
 
-=item B<-pkcs>, B<-oaep>, B<-ssl>, B<-raw>
+=item B<-pkcs>, B<-oaep>, B<-x931> B<-ssl>, B<-raw>
 
 The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
+ANSI X9.31,
 special padding used in SSL v2 backwards compatible handshakes,
 or no padding, respectively.
 For signatures, only B<-pkcs> and B<-raw> can be used.
@@ -101,6 +119,8 @@ Hex dump the output data.
 Parse the ASN.1 output data, this is useful when combined with the
 B<-verify> option.
 
+{- $OpenSSL::safe::opt_engine_item -}
+
 {- $OpenSSL::safe::opt_r_item -}
 
 =back
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index a35ddf289e..78119281db 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -50,6 +50,7 @@ B<openssl> B<s_server>
 [B<-id_prefix> I<val>]
 [B<-keymatexport> I<val>]
 [B<-keymatexportlen> I<+int>]
+[B<-CRLform> B<DER>|B<PEM>]
 [B<-CRL> I<infile>]
 [B<-crl_download>]
 [B<-cert_chain> I<infile>]
@@ -125,7 +126,9 @@ B<openssl> B<s_server>
 [B<-alpn> I<val>]
 [B<-keylogfile> I<outfile>]
 [B<-max_early_data> I<int>]
+[B<-recv_max_early_data> I<int>]
 [B<-early_data>]
+[B<-stateless>]
 [B<-anti_replay>]
 [B<-no_anti_replay>]
 [B<-http_server_binmode>]
@@ -615,11 +618,20 @@ and any incoming early data (when used in conjunction with the B<-early_data>
 flag). The default value is approximately 16k. The argument must be an integer
 greater than or equal to 0.
 
+=item B<-recv_max_early_data> I<int>
+
+Specify the hard limit on the maximum number of early data bytes that will
+be accepted.
+
 =item B<-early_data>
 
 Accept early data where possible. Cannot be used in conjunction with B<-www>,
 B<-WWW>, B<-HTTP> or B<-rev>.
 
+=item B<-stateless>
+
+Require TLSv1.3 cookies.
+
 =item B<-anti_replay>, B<-no_anti_replay>
 
 Switches replay protection on or off, respectively. Replay protection is on by
diff --git a/doc/man1/openssl-s_time.pod.in b/doc/man1/openssl-s_time.pod.in
index 1d87c8c0dd..cf8759108a 100644
--- a/doc/man1/openssl-s_time.pod.in
+++ b/doc/man1/openssl-s_time.pod.in
@@ -17,11 +17,16 @@ B<openssl> B<s_time>
 [B<-new>]
 [B<-verify> I<depth>]
 [B<-time> I<seconds>]
-{- $OpenSSL::safe::opt_versiontls_synopsis -}
+[B<-ssl3>]
+[B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
+[B<-tls1_3>]
 [B<-bugs>]
 [B<-cipher> I<cipherlist>]
 [B<-ciphersuites> I<val>]
 {- $OpenSSL::safe::opt_name_synopsis -}
+[B<-cafile> I<file>]
 {- $OpenSSL::safe::opt_trust_synopsis -}
 
 =for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3
@@ -117,7 +122,13 @@ can establish.
 
 {- $OpenSSL::safe::opt_trust_item -}
 
-{- $OpenSSL::safe::opt_versiontls_item -}
+=item B<-cafile> I<file>
+
+This is an obsolete synonym for B<-CAfile>.
+
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
+
+See L<openssl(1)/TLS Version Options>.
 
 =back
 
@@ -162,6 +173,10 @@ be able to measure the performance of all protocols with all servers.
 The B<-verify> option should really exit if the server verification
 fails.
 
+=head1 HISTORY
+
+The B<-cafile> option was deprecated in OpenSSL 3.0.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,
diff --git a/doc/man1/openssl-sess_id.pod b/doc/man1/openssl-sess_id.pod
index 9bd31a351e..ff90231fa2 100644
--- a/doc/man1/openssl-sess_id.pod
+++ b/doc/man1/openssl-sess_id.pod
@@ -13,6 +13,7 @@ B<openssl> B<sess_id>
 [B<-in> I<filename>]
 [B<-out> I<filename>]
 [B<-text>]
+[B<-cert>]
 [B<-noout>]
 [B<-context> I<ID>]
 
diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in
index 55bd34f72e..e9500924ef 100644
--- a/doc/man1/openssl-smime.pod.in
+++ b/doc/man1/openssl-smime.pod.in
@@ -21,6 +21,14 @@ B<openssl> B<smime>
 [B<-in> I<file>]
 [B<-certfile> I<file>]
 [B<-signer> I<file>]
+[B<-nointern>]
+[B<-noverify>]
+[B<-nochain>]
+[B<-nosigs>]
+[B<-nocerts>]
+[B<-noattr>]
+[B<-nodetach>]
+[B<-nosmimecap>]
 [B<-recip> I< file>]
 [B<-inform> B<DER>|B<PEM>|B<SMIME>]
 [B<-outform> B<DER>|B<PEM>|B<SMIME>]
@@ -38,6 +46,7 @@ B<openssl> B<smime>
 [B<-stream>]
 [B<-md> I<digest>]
 {- $OpenSSL::safe::opt_trust_synopsis -}
+{- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_v_synopsis -}
 I<cert.pem> ...
@@ -178,7 +187,7 @@ Do not verify the signers certificate of a signed message.
 
 =item B<-nochain>
 
-Do not do chain verification of signers certificates: that is don't
+Do not do chain verification of signers certificates; that is, do not
 use the certificates in the signed message as untrusted CAs.
 
 =item B<-nosigs>
@@ -198,6 +207,17 @@ Normally when a message is signed a set of attributes are included which
 include the signing time and supported symmetric algorithms. With this
 option they are not included.
 
+=item B<-nodetach>
+
+When signing a message use opaque signing. This form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME.  Without this option cleartext signing with
+the MIME type multipart/signed is used.
+
+=item B<-nosmimecap>
+
+When signing a message, do not include the B<SMIMECapabilities> attribute.
+
 =item B<-binary>
 
 Normally the input message is converted to "canonical" format which is
@@ -210,13 +230,6 @@ is useful when handling binary data which may not be in MIME format.
 Normally the output file uses a single B<LF> as end of line. When this
 option is present B<CRLF> is used instead.
 
-=item B<-nodetach>
-
-When signing a message use opaque signing: this form is more resistant
-to translation by mail relays but it cannot be read by mail agents that
-do not support S/MIME.  Without this option cleartext signing with
-the MIME type multipart/signed is used.
-
 =item B<-certfile> I<file>
 
 Allows additional certificates to be specified. When signing these will
@@ -230,6 +243,14 @@ used multiple times if more than one signer is required. If a message is being
 verified then the signers certificates will be written to this file if the
 verification was successful.
 
+=item B<-nocerts>
+
+Don't include signers certificate when signing.
+
+=item B<-noattr>
+
+Don't include any signed attributes when signing.
+
 =item B<-recip> I<file>
 
 The recipients certificate when decrypting a message. This certificate
@@ -263,6 +284,8 @@ Any verification errors cause the command to exit.
 
 {- $OpenSSL::safe::opt_trust_item -}
 
+{- $OpenSSL::safe::opt_engine_item -}
+
 {- $OpenSSL::safe::opt_r_item -}
 
 =item I<cert.pem> ...
diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in
index 6e1bb642e1..669b206fe6 100644
--- a/doc/man1/openssl-speed.pod.in
+++ b/doc/man1/openssl-speed.pod.in
@@ -13,10 +13,16 @@ B<openssl speed>
 [B<-evp> I<algo>]
 [B<-hmac> I<algo>]
 [B<-cmac> I<algo>]
+[B<-mb>]
+[B<-aead>]
+[B<-multi> I<num>]
+[B<-async_jobs> I<num>]
+[B<-misalign> I<num>]
 [B<-decrypt>]
 [B<-primes> I<num>]
 [B<-seconds> I<num>]
 [B<-bytes> I<num>]
+[B<-mr>]
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_engine_synopsis -}
 [I<algorithm> ...]
@@ -51,6 +57,18 @@ If I<algo> is an AEAD cipher, then you can pass B<-aead> to benchmark a
 TLS-like sequence. And if I<algo> is a multi-buffer capable cipher, e.g.
 aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation.
 
+=item B<-multi> I<num>
+
+Run multiple operations in parallel.
+
+=item B<-async_jobs> I<num>
+
+Enable async mode and start specified number of jobs.
+
+=item B<-misalign> I<num>
+
+Misalign the buffers by the specified number of bytes.
+
 =item B<-hmac> I<digest>
 
 Time the HMAC algorithm using the specified message digest.
@@ -77,6 +95,10 @@ Run benchmarks for I<num> seconds.
 
 Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
 
+=item B<-mr>
+
+Produce the summary in a mechanical, machine-readable, format.
+
 {- $OpenSSL::safe::opt_r_item -}
 
 {- $OpenSSL::safe::opt_engine_item -}
diff --git a/doc/man1/openssl-srp.pod.in b/doc/man1/openssl-srp.pod.in
index 47dfe40aa7..e9955d5c40 100644
--- a/doc/man1/openssl-srp.pod.in
+++ b/doc/man1/openssl-srp.pod.in
@@ -21,6 +21,7 @@ B<openssl srp>
 [B<-userinfo> I<text>]
 [B<-passin> I<arg>]
 [B<-passout> I<arg>]
+{- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
 [I<user> ...]
 
@@ -71,6 +72,8 @@ The password source for the input and output file.
 For more information about the format of B<arg>
 see L<openssl(1)/Pass Phrase Options>.
 
+{- $OpenSSL::safe::opt_engine_item -}
+
 {- $OpenSSL::safe::opt_r_synopsis -}
 
 =back
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index b9c3692c62..b9e911827d 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -7,6 +7,9 @@ openssl-ts - Time Stamping Authority tool (client/server)
 
 =head1 SYNOPSIS
 
+B<openssl> B<ts>
+B<-help>
+
 B<openssl> B<ts>
 B<-query>
 [B<-config> I<configfile>]
@@ -95,6 +98,14 @@ requests either by ftp or e-mail.
 
 =head1 OPTIONS
 
+=over 4
+
+=item B<-help>
+
+Print out a usage message.
+
+=back
+
 =head2 Timestamp Request generation
 
 The B<-query> switch can be used for creating and printing a timestamp
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index a69d219f74..3da2b0d122 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -19,7 +19,9 @@ B<openssl> B<x509>
 [B<-serial>]
 [B<-hash>]
 [B<-subject_hash>]
+[B<-subject_hash_old>]
 [B<-issuer_hash>]
+[B<-issuer_hash_old>]
 [B<-ocspid>]
 [B<-subject>]
 [B<-issuer>]
@@ -44,6 +46,7 @@ B<openssl> B<x509>
 [B<-days> I<arg>]
 [B<-set_serial> I<n>]
 [B<-signkey> I<filename>]
+[B<-badsig>]
 [B<-passin> I<arg>]
 [B<-x509toreq>]
 [B<-req>]
@@ -52,11 +55,16 @@ B<openssl> B<x509>
 [B<-CAcreateserial>]
 [B<-CAserial> I<filename>]
 [B<-new>]
+[B<-next_serial>]
+[B<-nocert>]
 [B<-force_pubkey> I<filename>]
 [B<-subj> I<arg>]
 [B<-text>]
 [B<-ext> I<extensions>]
 [B<-certopt> I<option>]
+[B<-checkhost> I<host>]
+[B<-checkemail> I<host>]
+[B<-checkip> I<ipaddr>]
 [B<-C>]
 [B<-I<digest>>]
 [B<-clrext>]
@@ -155,6 +163,18 @@ can be a single option or multiple options separated by commas. The
 B<-certopt> switch may be also be used more than once to set multiple
 options. See the L</Text Options> section for more information.
 
+=item B<-checkhost> I<host>
+
+Check that the certificate matches the specified host.
+
+=item B<-checkemail> I<email>
+
+Check that the certificate matches the specified email address.
+
+=item B<-checkip> I<ipaddr>
+
+Check that the certificate matches the specified IP address.
+
 =item B<-noout>
 
 This option prevents output of the encoded version of the certificate.
@@ -340,6 +360,11 @@ and the end date to a value determined by the B<-days> option.
 It retains any certificate extensions unless the B<-clrext> option is supplied;
 this includes, for example, any existing key identifier extensions.
 
+=item B<-badsig>
+
+Corrupt the signature before writing it; this can be useful
+for testing.
+
 =item B<-sigopt> I<nm>:I<v>
 
 Pass options to the signature algorithm during sign or verify operations.
@@ -449,6 +474,14 @@ Generate a certificate from scratch, not using an input certificate
 or certificate request. So the B<-in> option must not be used in this case.
 Instead, the B<-subj> and <-force_pubkey> options need to be given.
 
+=item B<-next_serial>
+
+Set the serial to be one more than the number in the certificate.
+
+=item B<-nocert>
+
+Do not generate or output a certificate.
+
 =item B<-force_pubkey> I<filename>
 
 When a certificate is created set its public key to the key in I<filename>
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index b2047bdca0..c20f4aedaa 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -38,7 +38,8 @@ $OpenSSL::safe::opt_v_synopsis = ""
 . "[B<-verify_hostname> I<hostname>]\n"
 . "[B<-verify_ip> I<ip>]\n"
 . "[B<-verify_name> I<name>]\n"
-. "[B<-x509_strict>]\n";
+. "[B<-x509_strict>]\n"
+. "[B<-issuer_checks>]\n";
 $OpenSSL::safe::opt_v_item = ""
 . "=item B<-allow_proxy_certs>, B<-attime>, B<-no_check_time>,\n"
 . "B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,\n"
@@ -47,7 +48,7 @@ $OpenSSL::safe::opt_v_item = ""
 . "B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,\n"
 . "B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,\n"
 . "B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,\n"
-. "B<-verify_ip>, B<-verify_name>, B<-x509_strict>\n"
+. "B<-verify_ip>, B<-verify_name>, B<-x509_strict> B<-issuer_checks>\n"
 . "\n"
 . "Set various options of certificate chain verification.\n"
 . "See L<openssl(1)/Verification Options> for details.";
diff --git a/util/find-doc-nits b/util/find-doc-nits
index 3daf58182f..293f603b79 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -808,8 +808,14 @@ sub checkflags {
             }
             next;
         }
-        next unless /\[B<-([^ >]+)/;
-        my $opt = $1;
+        my $opt;
+        if ( /\[B<-([^ >]+)/ ) {
+            $opt = $1;
+        } elsif ( /^B<-([^ >]+)/ ) {
+            $opt = $1;
+        } else {
+            next;
+        }
         $opt = $1 if $opt =~ /I<(.*)/;
         $docopts{$1} = 1;
     }
@@ -826,7 +832,7 @@ sub checkflags {
     my @unimpl = sort grep { !defined $cmdopts{$_} } keys %docopts;
     foreach ( @unimpl ) {
         next if defined $skips{$_} || defined $localskips{$_};
-        err("$cmd documented but not implemented -$_");
+        err("$doc: $cmd does not implement -$_");
     }
 }
 
@@ -852,8 +858,9 @@ if ( $opt_c ) {
     # See if each has a manpage.
     foreach my $cmd ( @commands ) {
         next if $cmd eq 'help' || $cmd eq 'exit';
-        my $doc = "doc/man1/$cmd.pod";
-        $doc = "doc/man1/openssl-$cmd.pod" if -f "doc/man1/openssl-$cmd.pod";
+        my $doc = "doc/man1/openssl-$cmd.pod";
+        # Handle "tsget" and "CA.pl" pod pages
+        $doc = "doc/man1/$cmd.pod" if -f "doc/man1/$cmd.pod";
         if ( ! -f "$doc" ) {
             err("$doc does not exist");
         } else {


More information about the openssl-commits mailing list