[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu May 20 14:25:36 UTC 2021


The branch master has been updated
       via  14d3bb06c9c11b3e13c64611913757c27bc057f2 (commit)
       via  359efeac3f9b99c5f734b90db8a4c5bfadb7323a (commit)
       via  9c1582807b535e5b8499897c6e74fec48440c4fe (commit)
       via  414823d2de6f370cf2102f3418780a428803a70f (commit)
       via  5be56c490e4f34b4f592a692109563ea991ac6c7 (commit)
      from  ee56cec7332ca2c77ee425c544304ce25475db1c (commit)


- Log -----------------------------------------------------------------
commit 14d3bb06c9c11b3e13c64611913757c27bc057f2
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed May 19 09:38:20 2021 +0200

    util/find-doc-nits: Improve helpstr pattern matching
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15299)

commit 359efeac3f9b99c5f734b90db8a4c5bfadb7323a
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon May 17 11:04:40 2021 +0200

    DOC: Fix nits found by new check on SYNOPSIS and OPTIONS consistency
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15299)

commit 9c1582807b535e5b8499897c6e74fec48440c4fe
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sun May 16 15:38:19 2021 +0200

    find-doc-nits: Check that man1 SYNOPSIS and OPTIONS contain same options
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15299)

commit 414823d2de6f370cf2102f3418780a428803a70f
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sun May 16 12:48:50 2021 +0200

    find-doc-nits: Add -m option allowing to select on which of man1,man3,man5,man7 to focus on
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15299)

commit 5be56c490e4f34b4f592a692109563ea991ac6c7
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sun May 16 12:12:32 2021 +0200

    find-doc-nits: Minor improvements of help and diagnostic output
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15299)

-----------------------------------------------------------------------

Summary of changes:
 apps/CA.pl.in                    |  6 +--
 apps/s_server.c                  | 12 +++---
 apps/srp.c                       |  4 +-
 doc/man1/CA.pl.pod               |  8 ++--
 doc/man1/openssl-ec.pod.in       |  4 ++
 doc/man1/openssl-enc.pod.in      |  4 ++
 doc/man1/openssl-ocsp.pod.in     |  7 +++-
 doc/man1/openssl-pkcs8.pod.in    |  4 ++
 doc/man1/openssl-s_server.pod.in | 81 ++++++++++++++++++++++++++++++++++++++--
 doc/man1/openssl-speed.pod.in    |  8 ++++
 doc/man1/openssl-srp.pod.in      | 26 ++++++++++++-
 doc/man1/openssl-ts.pod.in       | 14 ++++++-
 doc/perlvars.pm                  | 13 ++++---
 util/find-doc-nits               | 41 ++++++++++++++------
 14 files changed, 193 insertions(+), 39 deletions(-)

diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index c0afb96716..6d1de16516 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -122,9 +122,9 @@ if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
     print STDERR <<EOF;
 Usage:
     CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter]
-    CA.pl -pkcs12 [-extra-pkcs12 parameter] [certname]
-    CA.pl -verify [-extra-verify parameter] certfile ...
-    CA.pl -revoke [-extra-ca parameter] certfile [reason]
+    CA.pl -pkcs12 [certname]
+    CA.pl -verify certfile ...
+    CA.pl -revoke certfile [reason]
 EOF
     exit 0;
 }
diff --git a/apps/s_server.c b/apps/s_server.c
index 292ffbe762..0ff436be1e 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -718,7 +718,7 @@ const OPTIONS s_server_options[] = {
     OPT_SECTION("General"),
     {"help", OPT_HELP, '-', "Display this summary"},
     {"ssl_config", OPT_SSL_CONFIG, 's',
-     "Configure SSL_CTX using the configuration 'val'"},
+     "Configure SSL_CTX using the given configuration value"},
 #ifndef OPENSSL_NO_SSL_TRACE
     {"trace", OPT_TRACE, '-', "trace protocol messages"},
 #endif
@@ -786,7 +786,7 @@ const OPTIONS s_server_options[] = {
     {"servername", OPT_SERVERNAME, 's',
      "Servername for HostName TLS extension"},
     {"servername_fatal", OPT_SERVERNAME_FATAL, '-',
-     "mismatch send fatal alert (default warning alert)"},
+     "On servername mismatch send fatal alert (default warning alert)"},
     {"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
     {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
     {"quiet", OPT_QUIET, '-', "No server output"},
@@ -823,13 +823,13 @@ const OPTIONS s_server_options[] = {
      "use URI as certificate store to verify CA certificate"},
     {"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
     {"ext_cache", OPT_EXT_CACHE, '-',
-     "Disable internal cache, setup and use external cache"},
+     "Disable internal cache, set up and use external cache"},
     {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
      "Close connection on verification error"},
     {"verify_quiet", OPT_VERIFY_QUIET, '-',
      "No verify output except verify errors"},
-    {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
-    {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
+    {"ign_eof", OPT_IGN_EOF, '-', "Ignore input EOF (default when -quiet)"},
+    {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input EOF"},
 
 #ifndef OPENSSL_NO_OCSP
     OPT_SECTION("OCSP"),
@@ -872,7 +872,7 @@ const OPTIONS s_server_options[] = {
     OPT_SECTION("Network"),
     {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
     {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
-    {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
+    {"mtu", OPT_MTU, 'p', "Set link-layer MTU"},
     {"read_buf", OPT_READ_BUF, 'p',
      "Default read buffer size to be used for connections"},
     {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
diff --git a/apps/srp.c b/apps/srp.c
index aad08fb229..48b99da2af 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -209,8 +209,8 @@ const OPTIONS srp_options[] = {
 #endif
 
     OPT_SECTION("Action"),
-    {"add", OPT_ADD, '-', "Add a user and srp verifier"},
-    {"modify", OPT_MODIFY, '-', "Modify the srp verifier of an existing user"},
+    {"add", OPT_ADD, '-', "Add a user and SRP verifier"},
+    {"modify", OPT_MODIFY, '-', "Modify the SRP verifier of an existing user"},
     {"delete", OPT_DELETE, '-', "Delete user from verifier file"},
     {"list", OPT_LIST, '-', "List users"},
 
diff --git a/doc/man1/CA.pl.pod b/doc/man1/CA.pl.pod
index aa2e0058cc..6af02cf59a 100644
--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
@@ -23,11 +23,11 @@ B<-crl> |
 B<-newca>
 [B<-extra-I<cmd>> I<parameter>]
 
-B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> I<parameter>] [I<certname>]
+B<CA.pl> B<-pkcs12> [I<certname>]
 
-B<CA.pl> B<-verify> [B<-extra-verify> I<parameter>] I<certfile> ...
+B<CA.pl> B<-verify> I<certfile> ...
 
-B<CA.pl> B<-revoke> [B<-extra-ca> I<parameter>] I<certfile> [I<reason>]
+B<CA.pl> B<-revoke> I<certfile> [I<reason>]
 
 =head1 DESCRIPTION
 
@@ -57,7 +57,7 @@ the correct path of the configuration file.
 
 =over 4
 
-=item B<?>, B<-h>, B<-help>
+=item B<-?>, B<-h>, B<-help>
 
 Prints a usage message.
 
diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in
index e38e405934..8696701257 100644
--- a/doc/man1/openssl-ec.pod.in
+++ b/doc/man1/openssl-ec.pod.in
@@ -100,6 +100,10 @@ Prints out the public, private key components and parameters.
 
 This option prevents output of the encoded version of the key.
 
+=item B<-param_out>
+
+Print the elliptic curve parameters.
+
 =item B<-pubin>
 
 By default, a private key is read from the input file. With this option a
diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in
index 5c94f49173..f424358ab3 100644
--- a/doc/man1/openssl-enc.pod.in
+++ b/doc/man1/openssl-enc.pod.in
@@ -54,6 +54,10 @@ either by itself or in addition to the encryption or decryption.
 
 =over 4
 
+=item B<-I<cipher>>
+
+The cipher to use.
+
 =item B<-help>
 
 Print out a usage message.
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 0aa06834a9..0116feeaae 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -14,6 +14,7 @@ B<openssl> B<ocsp>
 [B<-out> I<file>]
 [B<-issuer> I<file>]
 [B<-cert> I<file>]
+[B<-no_certs>]
 [B<-serial> I<n>]
 [B<-signer> I<file>]
 [B<-signkey> I<file>]
@@ -23,7 +24,6 @@ B<openssl> B<ocsp>
 [B<-req_text>]
 [B<-resp_text>]
 [B<-text>]
-[B<-no_certs>]
 [B<-reqout> I<file>]
 [B<-respout> I<file>]
 [B<-reqin> I<file>]
@@ -112,6 +112,10 @@ Add the certificate I<filename> to the request. The issuer certificate
 is taken from the previous B<-issuer> option, or an error occurs if no
 issuer certificate is specified.
 
+=item B<-no_certs>
+
+Don't include any certificates in signed request.
+
 =item B<-serial> I<num>
 
 Same as the B<-cert> option except the certificate with serial number
@@ -389,7 +393,6 @@ each child is willing to wait for the client's OCSP response.
 This option is available on POSIX systems (that support the fork() and other
 required unix system-calls).
 
-
 =item B<-nmin> I<minutes>, B<-ndays> I<days>
 
 Number of minutes or days when fresh revocation information is available:
diff --git a/doc/man1/openssl-pkcs8.pod.in b/doc/man1/openssl-pkcs8.pod.in
index 100c5afd6f..2af61203e9 100644
--- a/doc/man1/openssl-pkcs8.pod.in
+++ b/doc/man1/openssl-pkcs8.pod.in
@@ -101,6 +101,10 @@ When creating new PKCS#8 containers, use a given number of iterations on
 the password in deriving the encryption key for the PKCS#8 output.
 High values increase the time required to brute-force a PKCS#8 container.
 
+=item B<-noiter>
+
+When creating new PKCS#8 containers, use 1 as iteration count.
+
 =item B<-nocrypt>
 
 PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index c7ce886b6f..27522fc04b 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -77,13 +77,13 @@ B<openssl> B<s_server>
 [B<-no_proxy> I<addresses>]
 [B<-status_url> I<val>]
 [B<-status_file> I<infile>]
+[B<-ssl_config> I<val>]
 [B<-trace>]
 [B<-security_debug>]
 [B<-security_debug_verbose>]
 [B<-brief>]
 [B<-rev>]
 [B<-async>]
-[B<-ssl_config> I<val>]
 [B<-max_send_frag> I<+int>]
 [B<-split_send_frag> I<+int>]
 [B<-max_pipelines> I<+int>]
@@ -123,9 +123,9 @@ B<openssl> B<s_server>
 [B<-listen>]
 [B<-sctp>]
 [B<-sctp_label_bug>]
+[B<-use_srtp> I<val>]
 [B<-no_dhe>]
 [B<-nextprotoneg> I<val>]
-[B<-use_srtp> I<val>]
 [B<-alpn> I<val>]
 [B<-sendfile>]
 [B<-keylogfile> I<outfile>]
@@ -303,6 +303,14 @@ This option translated a line feed from the terminal into CR+LF.
 
 Print extensive debugging information including a hex dump of all traffic.
 
+=item B<-security_debug>
+
+Print output from SSL/TLS security framework.
+
+=item B<-security_debug_verbose>
+
+Print more output from SSL/TLS security framework
+
 =item B<-msg>
 
 Show all protocol messages with hex dump.
@@ -377,6 +385,10 @@ DH).
 
 Inhibit printing of session and certificate information.
 
+=item B<-no_resume_ephemeral>
+
+Disable caching and tickets if ephemeral (EC)DH is used.
+
 =item B<-tlsextdebug>
 
 Print a hex dump of any TLS extensions received from the server.
@@ -426,6 +438,14 @@ option is enabled the peer does not need to send the close_notify alert and a
 closed connection will be treated as if the close_notify alert was received.
 For more information on shutting down a connection, see L<SSL_shutdown(3)>.
 
+=item B<-servername>
+
+Servername for HostName TLS extension.
+
+=item B<-servername_fatal>
+
+On servername mismatch send fatal alert (default: warning alert).
+
 =item B<-id_prefix> I<val>
 
 Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
@@ -433,12 +453,40 @@ for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple
 servers, when each of which might be generating a unique range of session
 IDs (e.g. with a certain prefix).
 
+=item B<-keymatexport>
+
+Export keying material using label.
+
+=item B<-keymatexportlen>
+
+Export the given number of bytes of keying material; default 20.
+
+=item B<-no_cache>
+
+Disable session cache.
+
+=item B<-ext_cache>.
+
+Disable internal cache, set up and use external cache.
+
 =item B<-verify_return_error>
 
 Verification errors normally just print a message but allow the
 connection to continue, for debugging purposes.
 If this option is used, then verification errors close the connection.
 
+=item B<-verify_quiet>
+
+No verify output except verify errors.
+
+=item B<-ign_eof>
+
+Ignore input EOF (default: when B<-quiet>).
+
+=item B<-no_ign_eof>
+
+Do not ignore input EOF.
+
 =item B<-status>
 
 Enables certificate status request support (aka OCSP stapling).
@@ -482,6 +530,10 @@ Any given query component is handled as part of the path component.
 Overrides any OCSP responder URLs from the certificate and always provides the
 OCSP Response stored in the file. The file must be in DER format.
 
+=item B<-ssl_config> I<val>
+
+Configure SSL_CTX using the given configuration value.
+
 =item B<-trace>
 
 Show verbose trace output of protocol messages. OpenSSL needs to be compiled
@@ -622,6 +674,14 @@ will be used.
 
 Turns on non blocking I/O.
 
+=item B<-timeout>
+
+Enable timeouts.
+
+=item B<-mtu>
+
+Set link-layer MTU.
+
 =item B<-psk_identity> I<val>
 
 Expect the client to send PSK identity I<val> when using a PSK
@@ -644,6 +704,16 @@ This option must be provided in order to use a PSK cipher.
 Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
 Note that this will only work if TLSv1.3 is negotiated.
 
+=item B<-srpvfile>
+
+The verifier file for SRP.
+This option is deprecated.
+
+=item B<-srpuserseed>
+
+A seed string for a default user salt.
+This option is deprecated.
+
 =item B<-listen>
 
 This option can only be used in conjunction with one of the DTLS options above.
@@ -669,6 +739,10 @@ older broken implementations but breaks interoperability with correct
 implementations. Must be used in conjunction with B<-sctp>. This option is only
 available where OpenSSL has support for SCTP enabled.
 
+=item B<-use_srtp>
+
+Offer SRTP key management with a colon-separated profile list.
+
 =item B<-no_dhe>
 
 If this option is set then no DH parameters will be loaded effectively
@@ -849,7 +923,8 @@ The -no_alt_chains option was added in OpenSSL 1.1.0.
 The
 -allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
 
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
+option were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in
index 0dbb19da4c..bfe992797a 100644
--- a/doc/man1/openssl-speed.pod.in
+++ b/doc/man1/openssl-speed.pod.in
@@ -81,6 +81,14 @@ C<openssl speed -cmac aes128>.
 
 Time the decryption instead of encryption. Affects only the EVP testing.
 
+=item B<-mb>
+
+Enable multi-block mode on EVP-named cipher.
+
+=item B<-aead>
+
+Benchmark EVP-named AEAD cipher in TLS-like sequence.
+
 =item B<-primes> I<num>
 
 Generate a I<num>-prime RSA key and use it to run the benchmarks. This option
diff --git a/doc/man1/openssl-srp.pod.in b/doc/man1/openssl-srp.pod.in
index c15d866704..26f7ebcef9 100644
--- a/doc/man1/openssl-srp.pod.in
+++ b/doc/man1/openssl-srp.pod.in
@@ -15,7 +15,6 @@ B<openssl srp>
 [B<-delete>]
 [B<-list>]
 [B<-name> I<section>]
-[B<-config> I<file>]
 [B<-srpvfile> I<file>]
 [B<-gn> I<identifier>]
 [B<-userinfo> I<text>]
@@ -23,6 +22,7 @@ B<openssl srp>
 [B<-passout> I<arg>]
 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_config_synopsis -}
 [I<user> ...]
 
 =head1 DESCRIPTION
@@ -49,6 +49,26 @@ Display an option summary.
 
 Generate verbose output while processing.
 
+=item B<-add>
+
+Add a user and SRP verifier.
+
+=item B<-modify>
+
+Modify the SRP verifier of an existing user.
+
+=item B<-delete>
+
+Delete user from verifier file.
+
+=item B<-list>
+
+List users.
+
+=item B<-name>
+
+The particular SRP definition to use.
+
 =item B<-srpvfile> I<file>
 
 If the config file is not specified,
@@ -72,8 +92,12 @@ see L<openssl-passphrase-options(1)>.
 
 {- $OpenSSL::safe::opt_engine_item -}
 
+{- $OpenSSL::safe::opt_r_item -}
+
 {- $OpenSSL::safe::opt_provider_item -}
 
+{- $OpenSSL::safe::opt_config_item -}
+
 {- $OpenSSL::safe::opt_r_synopsis -}
 
 =back
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index cf7d5f0260..6f71820202 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -106,11 +106,23 @@ requests either by ftp or e-mail.
 
 Print out a usage message.
 
+=item B<-query>
+
+Generate a TS query. For details see L</Timestamp Request generation>.
+
+=item B<-reply>
+
+Generate a TS reply. For details see L</Timestamp Response generation>.
+
+=item B<-verify>
+
+Verify a TS response. For details see L</Timestamp Response verification>.
+
 =back
 
 =head2 Timestamp Request generation
 
-The B<-query> switch can be used for creating and printing a timestamp
+The B<-query> command can be used for creating and printing a timestamp
 request with the following options:
 
 =over 4
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index ab52a086ee..71f3888d58 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -58,14 +58,14 @@ $OpenSSL::safe::opt_v_item = ""
 
 # Extended validation options.
 $OpenSSL::safe::opt_x_synopsis = ""
-. "[B<-xkey>] I<infile>\n"
+. "[B<-xkey> I<infile>]\n"
 . "[B<-xcert> I<file>]\n"
-. "[B<-xchain>] I<file>\n"
-. "[B<-xchain_build>] I<file>\n"
+. "[B<-xchain> I<file>]\n"
+. "[B<-xchain_build> I<file>]\n"
 . "[B<-xcertform> B<DER>|B<PEM>]>\n"
 . "[B<-xkeyform> B<DER>|B<PEM>]>";
 $OpenSSL::safe::opt_x_item = ""
-. "=item B<xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
+. "=item B<-xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
 . "B<-xchain_build> I<file>, B<-xcertform> B<DER>|B<PEM>,\n"
 . "B<-xkeyform> B<DER>|B<PEM>\n"
 . "\n"
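Review bot: The two unchanged lines that close `$OpenSSL::safe::opt_x_synopsis` still end in `]>`, so the generated SYNOPSIS carries a stray `>` after the closing bracket for `-xcertform` and `-xkeyform`. This commit fixes the bracket placement on the neighbouring `-xkey`/`-xchain` lines but leaves these as they were. They should read `. "[B<-xcertform> B<DER>|B<PEM>]\n"` and `. "[B<-xkeyform> B<DER>|B<PEM>]";`. The `opt_x_item` assignment continues past the end of the hunk.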
@@ -203,8 +203,9 @@ $OpenSSL::safe::opt_s_synopsis = ""
 . "[B<-no_middlebox>]";
 $OpenSSL::safe::opt_s_item = ""
 . "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n"
-. "B<-client_renegotiation>, B<_immediate_renegotiation>\n"
-. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n"
+. "B<-client_renegotiation>, B<_immediate_renegotiation>,\n"
+. "B<-legacy_renegotiation>, B<-no_renegotiation>,\n"
+. "B<-immediate_renegotiation>, B<-no_resumption_on_reneg>,\n"
 . "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
 . "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
 . "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"
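Review bot: The rewritten line keeps the malformed `B<_immediate_renegotiation>` (underscore instead of a leading dash) and the correct `B<-immediate_renegotiation>` is added two lines below, so the item header now names the option twice, once wrongly. Replace the malformed entry in place, `. "B<-client_renegotiation>, B<-immediate_renegotiation>,\n"`, and drop the second mention. The new SYNOPSIS/OPTIONS cross-check in util/find-doc-nits only records tokens matching `/^B<-/`, so it will presumably not flag this leftover. The string continues beyond the hunk.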
diff --git a/util/find-doc-nits b/util/find-doc-nits
index 815880ad01..c62307a9ce 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -35,6 +35,7 @@ our($opt_s);
 our($opt_o);
 our($opt_h);
 our($opt_l);
+our($opt_m);
 our($opt_n);
 our($opt_p);
 our($opt_u);
@@ -45,11 +46,12 @@ our($opt_c);
 sub help {
     print <<EOF;
 Find small errors (nits) in documentation.  Options:
-    -c List undocumented commands and options
+    -c List undocumented commands, undocumented options and unimplemented options.
     -d Detailed list of undocumented (implies -u)
     -e Detailed list of new undocumented (implies -v)
     -h Print this help message
     -l Print bogus links
+    -m Name(s) of manuals to focus on. Default: man1,man3,man5,man7
     -n Print nits in POD pages
     -o Causes -e/-v to count symbols added since 1.1.1 as new (implies -v)
     -u Count undocumented functions
@@ -58,7 +60,7 @@ EOF
     exit;
 }
 
-getopts('cdehlnouv');
+getopts('cdehlm:nouv');
 
 help() if $opt_h;
 $opt_u = 1 if $opt_d;
@@ -78,7 +80,11 @@ my $temp = '/tmp/docnits.txt';
 my $OUT;
 my $status = 0;
 
-my @sections = ( 'man1', 'man3', 'man5', 'man7' );
+$opt_m = "man1,man3,man5,man7" unless $opt_m;
+die "Argument of -m option may contain only man1, man3, man5, and/or man7"
+    unless $opt_m =~ /^(man[1357][, ]?)*$/;
+my @sections = ( split /[, ]/, $opt_m );
+
 my %mandatory_sections = (
     '*' => [ 'NAME', 'DESCRIPTION', 'COPYRIGHT' ],
     1   => [ 'SYNOPSIS', 'OPTIONS' ],
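Review bot: The `-m` validation accepts values that the following `split` does not turn into valid section names. The separator in `/^(man[1357][, ]?)*$/` is optional, so `-m man1man3` passes and `@sections` becomes the single element `man1man3`; `$` also tolerates a trailing newline. Requiring a separator between names and anchoring with `\A`/`\z` closes both gaps: `unless $opt_m =~ /\A man[1357] (?: [, ] man[1357] )* \z/x;`. The `die` message could also include the rejected value so the caller sees what was refused.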
@@ -148,7 +154,7 @@ my %collected_results = ();
 #                       - exclusive selectors, only applicable together with
 #                         any of the manual selectors.  If any of these are
 #                         present, only the manuals from the given sections
-#                         will be include.  If none of these are present,
+#                         will be included.  If none of these are present,
 #                         the manuals from all sections will be returned.
 #
 # All returned manual files come from configdata.pm.
@@ -543,8 +549,10 @@ sub option_check {
         err($id, "Malformed option [1] in SYNOPSIS: $&");
     }
 
+    my @synopsis;
     while ( $synopsis =~ /$markup_re/msg ) {
         my $found = $&;
+        push @synopsis, $found if $found =~ /^B<-/;
         print STDERR "$id:DEBUG[option_check] SYNOPSIS: found $found\n"
             if $debug;
         my $option_uw = normalise_option($id, $filename, $found);
@@ -554,6 +562,7 @@ sub option_check {
 
     # In OPTIONS, we look for =item paragraphs.
     # (?=^\s*$) detects an empty line.
+    my @options;
     while ( $options =~ /=item\s+(.*?)(?=^\s*$)/msg ) {
         my $item = $&;
 
@@ -567,8 +576,19 @@ sub option_check {
             my $option_uw = normalise_option($id, $filename, $found);
             err($id, "Malformed option in OPTIONS: $found")
                 if defined $option_uw && $option_uw eq '';
+            if ($found =~ /^B<-/) {
+                push @options, $found;
+                err($id, "OPTIONS entry $found missing from SYNOPSIS")
+                    unless (grep /^\Q$found\E$/, @synopsis)
+                         || $id =~ /(openssl|-options)\.pod:1:$/;
+            }
         }
     }
+    foreach (@synopsis) {
+        my $option = $_;
+        err($id, "SYNOPSIS entry $option missing from OPTIONS")
+            unless (grep /^\Q$option\E$/, @options);
+    }
 }
 
 # Normal symbol form
@@ -712,7 +732,7 @@ sub check {
                   files(TAGS => [ 'manual', 'man1' ]) );
         # TODO: Filter out "foreign manual" links.
         next if $target =~ /ps|apropos|sha1sum|procmail|perl/;
-        err($id, "Bad command link L<$target(1)>");
+        err($id, "Bad command link L<$target(1)>") if grep /man1/, @sections;
     }
     # Check for proper in-man-3 API links.
     while ( $contents =~ /L<([^>]*)\(3\)(?:\/.*)?>/g ) {
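Review bot: `grep /man1/, @sections` is an unanchored pattern match used as a membership test, here and again in the `if ( $opt_n )` hunk (`scalar @ARGV == 0 && grep /man1/, @sections`). Any element that merely contains `man1` satisfies it, which matters because the `-m` argument check lets concatenated names through. `grep { $_ eq 'man1' } @sections` expresses the test exactly; computing it once into a flag next to the `@sections` assignment would avoid repeating it. The enclosing loop in `check` starts outside the hunk.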
@@ -1049,11 +1069,11 @@ sub checkflags {
                 err("$cmd does not implement help for -$expect_helpstr") unless m/^\s*"/;
                 $expect_helpstr = "";
             }
-            if (m/\{\s*"([^"]+)"\s*,\s*OPT_[A-Z0-9_]+\s*,\s*('[-\/:<>cEfFlMnNpsuU]'|0)\s*,(.*)$/
-                       && !($cmd eq "s_client" && $1 eq "wdebug")) {
+            if (m/\{\s*"([^"]+)"\s*,\s*OPT_[A-Z0-9_]+\s*,\s*('[-\/:<>cEfFlMnNpsuU]'|0)(.*)$/
+                    && !($cmd eq "s_client" && $1 eq "wdebug")) {
                 push @cmdopts, $1;
                 $expect_helpstr = $1;
-                $expect_helpstr = "" if $3 =~ m/^\s*"/;
+                $expect_helpstr = "" if $3 =~ m/^\s*,\s*"/;
             } elsif (m/[\s,](OPT_[A-Z]+_OPTIONS?)\s*(,|$)/) {
                 push @cmdopts, @{ $genopts{$1} };
             }
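Review bot: The option-table pattern now has three positional captures whose meaning can only be recovered by counting parentheses, and `$3` feeds a second match two lines later that must agree with where the first pattern stopped. A comment above the `if` would make that coupling explicit, for example `# $1 = option name, $2 = quoted type character or 0, $3 = rest of line (", \"help\"" when the help string is on the same line)`; named captures with `/x` would do the same. The enclosing loop in `checkflags` starts outside the hunk.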
@@ -1085,8 +1105,7 @@ sub checkflags {
     # See what's in the command not the manpage.
     my @undocced = sort grep { !defined $docopts{$_} } @cmdopts;
     foreach ( @undocced ) {
-        next if $cmd eq "openssl" && $_ eq "help";
-        err("$doc: undocumented option -$_");
+        err("$doc: undocumented $cmd option -$_");
     }
 
     # See what's in the command not the manpage.
@@ -1181,7 +1200,7 @@ if ( $opt_l ) {
 
 if ( $opt_n ) {
     # If not given args, check that all man1 commands are named properly.
-    if ( scalar @ARGV == 0 ) {
+    if ( scalar @ARGV == 0 && grep /man1/, @sections ) {
         foreach ( files(TAGS => [ 'public_manual', 'man1' ]) ) {
             next if /openssl\.pod/
                 || /CA\.pl/ || /tsget\.pod/; # these commands are special cases

