Removed duplicates in some man pages

Fixes openssl/openssl#11748 find-doc-nits: Check for duplicate options Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27088)
2025-03-05 14:44:58 -05:00 · 2025-03-05 14:44:58 -05:00 · 2c8103e468
parent 3edb1f09c6
commit 2c8103e468
11 changed files with 36 additions and 187 deletions
--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
@ -6,6 +6,8 @@ CA.pl - friendlier interface for OpenSSL certificate programs
 =head1 SYNOPSIS
 =for openssl duplicate options
 B<CA.pl>
 B<-?> |
 B<-h> |
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@ -17,7 +17,6 @@ B<openssl> B<ciphers>
 [B<-tls1_1>]
 [B<-tls1_2>]
 [B<-tls1_3>]
 [B<-s>]
 [B<-psk>]
 [B<-srp>]
 [B<-stdname>]
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@ -7,6 +7,8 @@ openssl-cms - CMS command
 =head1 SYNOPSIS
 =for openssl duplicate options
 B<openssl> B<cms>
 [B<-help>]
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@ -7,6 +7,8 @@ openssl-pkcs12 - PKCS#12 file command
 =head1 SYNOPSIS
 =for openssl duplicate options
 B<openssl> B<pkcs12>
 [B<-help>]
 [B<-passin> I<arg>]
--- a/doc/man1/openssl-rehash.pod.in
+++ b/doc/man1/openssl-rehash.pod.in
@ -10,6 +10,7 @@ openssl-rehash, c_rehash - Create symbolic links to files named by the hash
 values
 =head1 SYNOPSIS
 =for openssl duplicate options
 B<openssl>
 B<rehash>
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@ -59,7 +59,6 @@ B<openssl> B<s_client>
 [B<-msg>]
 [B<-timeout>]
 [B<-mtu> I<size>]
 [B<-no_etm>]
 [B<-no_ems>]
 [B<-keymatexport> I<label>]
 [B<-keymatexportlen> I<len>]
@ -84,29 +83,14 @@ B<openssl> B<s_client>
 [B<-max_pipelines>]
 [B<-read_buf>]
 [B<-ignore_unexpected_eof>]
 [B<-bugs>]
 [B<-no_tx_cert_comp>]
 [B<-no_rx_cert_comp>]
 [B<-comp>]
 [B<-no_comp>]
 [B<-brief>]
 [B<-legacy_server_connect>]
 [B<-no_legacy_server_connect>]
 [B<-allow_no_dhe_kex>]
 [B<-prefer_no_dhe_kex>]
 [B<-sigalgs> I<sigalglist>]
 [B<-curves> I<curvelist>]
 [B<-cipher> I<cipherlist>]
 [B<-ciphersuites> I<val>]
 [B<-serverpref>]
 [B<-starttls> I<protocol>]
 [B<-name> I<hostname>]
 [B<-xmpphost> I<hostname>]
 [B<-name> I<hostname>]
 [B<-tlsextdebug>]
 [B<-no_ticket>]
 [B<-sess_out> I<filename>]
 [B<-serverinfo> I<types>]
 [B<-sess_in> I<filename>]
 [B<-serverinfo> I<types>]
 [B<-status>]
@ -485,10 +469,6 @@ Enable send/receive timeout on DTLS connections.
 Set MTU of the link layer to the specified size.
 =item B<-no_etm>
 Disable Encrypt-then-MAC negotiation.
 =item B<-no_ems>
 Disable Extended master secret negotiation.
@ -623,11 +603,6 @@ option is enabled the peer does not need to send the close_notify alert and a
 closed connection will be treated as if the close_notify alert was received.
 For more information on shutting down a connection, see L<SSL_shutdown(3)>.
 =item B<-bugs>
 There are several known bugs in SSL and TLS implementations. Adding this
 option enables various workarounds.
 =item B<-no_tx_cert_comp>
 Disables support for sending TLSv1.3 compressed certificates.
@ -636,65 +611,11 @@ Disables support for sending TLSv1.3 compressed certificates.
 Disables support for receiving TLSv1.3 compressed certificate.
 =item B<-comp>
 Enables support for SSL/TLS compression.
 This option was introduced in OpenSSL 1.1.0.
 TLS compression is not recommended and is off by default as of
 OpenSSL 1.1.0. TLS compression can only be used in security level 1 or
 lower. From OpenSSL 3.2.0 and above the default security level is 2, so this
 option will have no effect without also changing the security level. Use the
 B<-cipher> option to change the security level. See L<openssl-ciphers(1)> for
 more information.
 =item B<-no_comp>
 Disables support for SSL/TLS compression.
 TLS compression is not recommended and is off by default as of
 OpenSSL 1.1.0.
 =item B<-brief>
 Only provide a brief summary of connection parameters instead of the
 normal verbose output.
 =item B<-sigalgs> I<sigalglist>
 Specifies the list of signature algorithms that are sent by the client.
 The server selects one entry in the list based on its preferences.
 For example strings, see L<SSL_CTX_set1_sigalgs(3)>
 =item B<-curves> I<curvelist>
 Specifies the list of supported curves to be sent by the client. The curve is
 ultimately selected by the server.
 The list of available groups includes various built-in named EC curves, as well
 as X25519 and X448, FFDHE groups, and any additional groups implemented in the
 default or 3rd-party providers.
 The commands below list the available groups for TLS 1.2 and TLS 1.3,
 respectively:
    $ openssl list -tls1_2 -tls-groups
    $ openssl list -tls1_3 -tls-groups
 =item B<-cipher> I<cipherlist>
 This allows the TLSv1.2 and below cipher list sent by the client to be modified.
 This list will be combined with any TLSv1.3 ciphersuites that have been
 configured. Although the server determines which ciphersuite is used it should
 take the first supported cipher in the list sent by the client. See
 L<openssl-ciphers(1)> for more information.
 =item B<-ciphersuites> I<val>
 This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
 list will be combined with any TLSv1.2 and below ciphersuites that have been
 configured. Although the server determines which cipher suite is used it should
 take the first supported cipher in the list sent by the client. See
 L<openssl-ciphers(1)> for more information. The format for this list is a simple
 colon (":") separated list of TLSv1.3 ciphersuite names.
 =item B<-starttls> I<protocol>
 Send the protocol-specific message(s) to switch to TLS for communication.
@ -729,10 +650,6 @@ this option is not specified, then "mail.example.com" will be used.
 Print out a hex dump of any TLS extensions received from the server.
 =item B<-no_ticket>
 Disable RFC4507bis session ticket support.
 =item B<-sess_out> I<filename>
 Output SSL session to I<filename>.
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@ -7,6 +7,8 @@ openssl-s_server - SSL/TLS server program
 =head1 SYNOPSIS
 =for openssl duplicate options
 B<openssl> B<s_server>
 [B<-help>]
 [B<-port> I<+int>]
@ -70,7 +72,6 @@ B<openssl> B<s_server>
 [B<-verify_quiet>]
 [B<-ign_eof>]
 [B<-no_ign_eof>]
 [B<-no_etm>]
 [B<-no_ems>]
 [B<-status>]
 [B<-status_verbose>]
@ -91,30 +92,9 @@ B<openssl> B<s_server>
 [B<-max_pipelines> I<+int>]
 [B<-naccept> I<+int>]
 [B<-read_buf> I<+int>]
 [B<-bugs>]
 [B<-no_tx_cert_comp>]
 [B<-no_rx_cert_comp>]
 [B<-no_comp>]
 [B<-comp>]
 [B<-no_ticket>]
 [B<-serverpref>]
 [B<-legacy_renegotiation>]
 [B<-no_renegotiation>]
 [B<-no_resumption_on_reneg>]
 [B<-allow_no_dhe_kex>]
 [B<-prefer_no_dhe_kex>]
 [B<-prioritize_chacha>]
 [B<-strict>]
 [B<-sigalgs> I<val>]
 [B<-client_sigalgs> I<val>]
 [B<-groups> I<val>]
 [B<-curves> I<val>]
 [B<-named_curve> I<val>]
 [B<-cipher> I<val>]
 [B<-ciphersuites> I<val>]
 [B<-dhparam> I<infile>]
 [B<-record_padding> I<val>]
 [B<-debug_broken_protocol>]
 [B<-nbio>]
 [B<-psk_identity> I<val>]
 [B<-psk_hint> I<val>]
@ -501,10 +481,6 @@ Ignore input EOF (default: when B<-quiet>).
 Do not ignore input EOF.
 =item B<-no_etm>
 Disable Encrypt-then-MAC negotiation.
 =item B<-no_ems>
 Disable Extended master secret negotiation.
@ -613,11 +589,6 @@ effect if the buffer size is larger than the size that would otherwise be used
 and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
 further information).
 =item B<-bugs>
 There are several known bugs in SSL and TLS implementations. Adding this
 option enables various workarounds.
 =item B<-no_tx_cert_comp>
 Disables support for sending TLSv1.3 compressed certificates.
@ -632,77 +603,12 @@ Disable negotiation of TLS compression.
 TLS compression is not recommended and is off by default as of
 OpenSSL 1.1.0.
 =item B<-comp>
 Enables support for SSL/TLS compression.
 This option was introduced in OpenSSL 1.1.0.
 TLS compression is not recommended and is off by default as of
 OpenSSL 1.1.0. TLS compression can only be used in security level 1 or
 lower. From OpenSSL 3.2.0 and above the default security level is 2, so this
 option will have no effect without also changing the security level. Use the
 B<-cipher> option to change the security level. See L<openssl-ciphers(1)> for
 more information.
 =item B<-no_ticket>
 Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
 is negotiated. See B<-num_tickets>.
 =item B<-num_tickets>
 Control the number of tickets that will be sent to the client after a full
 handshake in TLSv1.3. The default number of tickets is 2. This option does not
 affect the number of tickets sent after a resumption handshake.
 =item B<-serverpref>
 Use the server's cipher preferences, rather than the client's preferences.
 =item B<-prioritize_chacha>
 Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.
 =item B<-no_resumption_on_reneg>
 Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
 =item B<-client_sigalgs> I<val>
 Signature algorithms to support for client certificate authentication
 (colon-separated list).
 =item B<-named_curve> I<val>
 Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
 The list of available groups includes various built-in named EC curves, as well
 as X25519 and X448, FFDHE groups, and any additional groups implemented in the
 default or 3rd-party providers.
 The commands below list the available groups for TLS 1.2 and TLS 1.3,
 respectively.
    $ openssl list -tls1_2 -tls-groups
    $ openssl list -tls1_3 -tls-groups
 =item B<-cipher> I<val>
 This allows the list of TLSv1.2 and below ciphersuites used by the server to be
 modified. This list is combined with any TLSv1.3 ciphersuites that have been
 configured. When the client sends a list of supported ciphers the first client
 cipher also included in the server list is used. Because the client specifies
 the preference order, the order of the server cipherlist is irrelevant. See
 L<openssl-ciphers(1)> for more information.
 =item B<-ciphersuites> I<val>
 This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
 This list is combined with any TLSv1.2 and below ciphersuites that have been
 configured. When the client sends a list of supported ciphers the first client
 cipher also included in the server list is used. Because the client specifies
 the preference order, the order of the server cipherlist is irrelevant. See
 L<openssl-ciphers(1)> command for more information. The format for this list is
 a simple colon (":") separated list of TLSv1.3 ciphersuite names.
 =item B<-dhparam> I<infile>
 The DH parameter file to use. The ephemeral DH cipher suites generate keys
--- a/doc/man1/openssl-smime.pod.in
+++ b/doc/man1/openssl-smime.pod.in
@ -130,7 +130,7 @@ See L<openssl-format-options(1)> for details.
 The key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
-=item B<-stream>, B<-indef>, B<-noindef>
+=item B<-stream>, B<-indef>
 The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
 for encoding operations. This permits single pass processing of data without
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@ -7,6 +7,8 @@ openssl-ts - Time Stamping Authority command
 =head1 SYNOPSIS
 =for openssl duplicate options
 B<openssl> B<ts>
 B<-help>
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@ -6,6 +6,8 @@ openssl - OpenSSL command line program
 =head1 SYNOPSIS
 =for openssl duplicate options
 B<openssl>
 I<command>
 [ I<options> ... ]
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@ -276,7 +276,9 @@ sub files {
 # Print error message, set $status.
 sub err {
-    print join(" ", @_), "\n";
+    my $t = join(" ", @_);
    $t =~ s/\n//g;
    print $t, "\n";
    $status = 1
 }
@ -560,8 +562,10 @@ sub option_check {
    my $id = shift;
    my $filename = shift;
    my $contents = shift;
    my $nodups = 1;
    my $synopsis = ($contents =~ /=head1\s+SYNOPSIS(.*?)=head1/s, $1);
    $nodups = 0 if $synopsis =~ /=for\s+openssl\s+duplicate\s+options/s;
    # Some pages have more than one OPTIONS section, let's make sure
    # to get them all
@ -577,19 +581,26 @@ sub option_check {
    }
    my @synopsis;
    my %listed;
    while ( $synopsis =~ /$markup_re/msg ) {
        my $found = $&;
        push @synopsis, $found if $found =~ /^B<-/;
        print STDERR "$id:DEBUG[option_check] SYNOPSIS: found $found\n"
            if $debug;
        my $option_uw = normalise_option($id, $filename, $found);
        if ( defined $option_uw ) {
            err($id, "Malformed option [2] in SYNOPSIS: $found")
-            if defined $option_uw && $option_uw eq '';
+                if $option_uw eq '';
            err($id, "Duplicate option in SYNOPSIS $option_uw\n")
                if $nodups && defined $listed{$option_uw};
            $listed{$option_uw} = 1;
        }
    }
    # In OPTIONS, we look for =item paragraphs.
    # (?=^\s*$) detects an empty line.
    my @options;
    my %described;
    while ( $options =~ /=item\s+(.*?)(?=^\s*$)/msg ) {
        my $item = $&;
@ -601,8 +612,13 @@ sub option_check {
                if ($1 // '') ne '' && $found =~ /^B<\s*-/;
            my $option_uw = normalise_option($id, $filename, $found);
            if ( defined $option_uw ) {
                err($id, "Malformed option in OPTIONS: $found")
-                if defined $option_uw && $option_uw eq '';
+                    if $option_uw eq '';
                err($id, "Duplicate option in OPTIONS $option_uw\n")
                    if $nodups && defined $described{$option_uw};
                $described{$option_uw} = 1;
            }
            if ($found =~ /^B<-/) {
                push @options, $found;
                err($id, "OPTIONS entry $found missing from SYNOPSIS")