Fix errors found by new find-doc-nits

Also patch find-doc-nits to ignore a Microsoft trademark and not flag it as a spelling error. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10023)
2019-09-27 13:17:09 -04:00 · 2019-09-27 13:17:09 -04:00 · 9c0586d5fc
parent 60a7817cac
commit 9c0586d5fc
68 changed files with 174 additions and 170 deletions
--- a/doc/internal/man3/evp_generic_fetch.pod
+++ b/doc/internal/man3/evp_generic_fetch.pod
@ -39,7 +39,7 @@ I<new_method>, I<up_ref_method>, and I<free_method>.

 evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(), 
 but takes a I<name_id> instead of a number.
-I<name_id> must always be non-zero; as a matter of fact, it being zero
+I<name_id> must always be nonzero; as a matter of fact, it being zero
 is considered a programming error.
 This is meant to be used when one method needs to fetch an associated
 other method, and is typically called from inside the given function
--- a/doc/internal/man3/ossl_namemap_new.pod
+++ b/doc/internal/man3/ossl_namemap_new.pod
@ -43,7 +43,7 @@ ossl_namemap_add() adds a new name to the namemap if it's not already
 present.
 If the given I<number> is zero, a new number will be allocated to
 identify this I<name>.
-If the given I<number> is non-zero, the I<name> is added to the set of
+If the given I<number> is nonzero, the I<name> is added to the set of
 names already associated with that number.

 ossl_namemap_name2num() finds the number corresponding to the given
--- a/doc/man1/openssl-ts.pod
+++ b/doc/man1/openssl-ts.pod
@ -127,7 +127,7 @@ requests either by ftp or e-mail.

 =head1 OPTIONS

-=head2 Time Stamp Request generation
+=head2 Timestamp Request generation

 The B<-query> switch can be used for creating and printing a timestamp
 request with the following options:
@ -211,7 +211,7 @@ instead of DER. (Optional)

 =back

-=head2 Time Stamp Response generation
+=head2 Timestamp Response generation

 A timestamp response (TimeStampResp) consists of a response status
 and the timestamp token itself (ContentInfo), if the token generation was
@ -318,11 +318,11 @@ instead of DER. (Optional)
 Specifying an engine (by its unique B<id> string) will cause B<ts>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
-for all available algorithms. Default is builtin. (Optional)
+for all available algorithms. Default is built-in. (Optional)

 =back

-=head2 Time Stamp Response verification
+=head2 Timestamp Response verification

 The B<-verify> command is for verifying if a timestamp response or time
 stamp token is valid and matches a particular timestamp request or
@ -438,7 +438,7 @@ generation a new file is created with serial number 1. (Mandatory)
 =item B<crypto_device>

 Specifies the OpenSSL engine that will be set as the default for
-all available algorithms. The default value is builtin, you can specify
+all available algorithms. The default value is built-in, you can specify
 any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM).
 (Optional)

@ -488,7 +488,7 @@ the components is missing zero is assumed for that field. (Optional)
 =item B<clock_precision_digits>

 Specifies the maximum number of digits, which represent the fraction of
-seconds, that  need to be included in the time field. The trailing zeroes
+seconds, that  need to be included in the time field. The trailing zeros
 must be removed from the time, so there might actually be fewer digits,
 or no fraction of seconds at all. Supported only on UNIX platforms.
 The maximum value is 6, default is 0.
@ -529,7 +529,7 @@ All the examples below presume that B<OPENSSL_CONF> is set to a proper
 configuration file, e.g. the example configuration file
 openssl/apps/openssl.cnf will do.

-=head2 Time Stamp Request
+=head2 Timestamp Request

 To create a timestamp request for design1.txt with SHA-256 digest,
 without nonce and policy, and without requirement for a certificate
@ -556,7 +556,7 @@ OID section of the config file):
  openssl ts -query -data design2.txt -sha512 \
        -tspolicy tsa_policy1 -cert -out design2.tsq

-=head2 Time Stamp Response
+=head2 Timestamp Response

 Before generating a response a signing certificate must be created for
 the TSA that contains the B<timeStamping> critical extended key usage extension
@ -600,7 +600,7 @@ valid response:

  openssl ts -reply -in design1_token.der -token_in -out design1.tsr

-=head2 Time Stamp Verification
+=head2 Timestamp Verification

 To verify a timestamp reply against a request:

--- a/doc/man1/openssl-x509.pod
+++ b/doc/man1/openssl-x509.pod
@ -259,7 +259,7 @@ Prints out the start and expiry dates of a certificate.
 =item B<-checkend> I<arg>

 Checks if the certificate expires within the next B<arg> seconds and exits
-non-zero if yes it will expire or zero if not.
+nonzero if yes it will expire or zero if not.

 =item B<-fingerprint>

--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@ -32,7 +32,7 @@ It can be used for
 o  Encryption and Decryption with Ciphers
 o  SSL/TLS Client and Server Tests
 o  Handling of S/MIME signed or encrypted mail
- o  Time Stamp requests, generation and verification
+ o  Timestamp requests, generation and verification

 =head1 COMMAND SUMMARY

--- a/doc/man3/ASN1_TIME_set.pod
+++ b/doc/man3/ASN1_TIME_set.pod
@ -117,7 +117,7 @@ one or both (depending on the time difference) of I<*pday> and I<*psec>
 will be positive. If I<to> represents a time earlier than I<from> then
 one or both of I<*pday> and I<*psec> will be negative. If I<to> and I<from>
 represent the same time then I<*pday> and I<*psec> will both be zero.
-If both I<*pday> and I<*psec> are non-zero they will always have the same
+If both I<*pday> and I<*psec> are nonzero they will always have the same
 sign. The value of I<*psec> will always be less than the number of seconds
 in a day. If I<from> or I<to> is NULL the current time is used.

--- a/doc/man3/ASN1_TYPE_get.pod
+++ b/doc/man3/ASN1_TYPE_get.pod
@ -33,7 +33,7 @@ up after the call.
 ASN1_TYPE_set1() sets the value of I<a> to I<type> a copy of I<value>.

 ASN1_TYPE_cmp() compares ASN.1 types I<a> and I<b> and returns 0 if
-they are identical and non-zero otherwise.
+they are identical and nonzero otherwise.

 ASN1_TYPE_unpack_sequence() attempts to parse the SEQUENCE present in
 I<t> using the ASN.1 structure I<it>. If successful it returns a pointer
@ -63,11 +63,11 @@ length octets).

 ASN1_TYPE_cmp() may not return zero if two types are equivalent but have
 different encodings. For example the single content octet of the boolean TRUE
-value under BER can have any non-zero encoding but ASN1_TYPE_cmp() will
+value under BER can have any nonzero encoding but ASN1_TYPE_cmp() will
 only return zero if the values are the same.

 If either or both of the parameters passed to ASN1_TYPE_cmp() is NULL the
-return value is non-zero. Technically if both parameters are NULL the two
+return value is nonzero. Technically if both parameters are NULL the two
 types could be absent OPTIONAL fields and so should match, however passing
 NULL values could also indicate a programming error (for example an
 unparseable type which returns NULL) for types which do B<not> match. So
@ -81,7 +81,7 @@ ASN1_TYPE_set() does not return a value.

 ASN1_TYPE_set1() returns 1 for success and 0 for failure.

-ASN1_TYPE_cmp() returns 0 if the types are identical and non-zero otherwise.
+ASN1_TYPE_cmp() returns 0 if the types are identical and nonzero otherwise.

 ASN1_TYPE_unpack_sequence() returns a pointer to an ASN.1 structure or
 NULL on failure.
--- a/doc/man3/BIO_get_data.pod
+++ b/doc/man3/BIO_get_data.pod
@ -25,7 +25,7 @@ the BIO. This data can subsequently be retrieved via a call to BIO_get_data().
 This can be used by custom BIOs for storing implementation specific information.

 The BIO_set_init() function sets the value of the BIO's "init" flag to indicate
-whether initialisation has been completed for this BIO or not. A non-zero value
+whether initialisation has been completed for this BIO or not. A nonzero value
 indicates that initialisation is complete, whilst zero indicates that it is not.
 Often initialisation will complete during initial construction of the BIO. For
 some BIOs however, initialisation may not complete until after additional steps
--- a/doc/man3/BN_bn2bin.pod
+++ b/doc/man3/BN_bn2bin.pod
@ -40,7 +40,7 @@ memory.

 BN_bn2binpad() also converts the absolute value of B<a> into big-endian form
 and stores it at B<to>. B<tolen> indicates the length of the output buffer
-B<to>. The result is padded with zeroes if necessary. If B<tolen> is less than
+B<to>. The result is padded with zeros if necessary. If B<tolen> is less than
 BN_num_bytes(B<a>) an error is returned.

 BN_bin2bn() converts the positive integer in big-endian form of length
--- a/doc/man3/CONF_modules_free.pod
+++ b/doc/man3/CONF_modules_free.pod
@ -30,7 +30,7 @@ to free up any configuration that module may have performed.

 CONF_modules_unload() finishes and unloads configuration modules. If
 B<all> is set to B<0> only modules loaded from DSOs will be unloads. If
-B<all> is B<1> all modules, including builtin modules will be unloaded.
+B<all> is B<1> all modules, including built-in modules will be unloaded.

 =head1 RETURN VALUES

--- a/doc/man3/CRYPTO_memcmp.pod
+++ b/doc/man3/CRYPTO_memcmp.pod
@ -19,13 +19,13 @@ contents of the memory regions pointed to by B<a> and B<b>.

 =head1 RETURN VALUES

-CRYPTO_memcmp() returns 0 if the memory regions are equal and non-zero
+CRYPTO_memcmp() returns 0 if the memory regions are equal and nonzero
 otherwise.

 =head1 NOTES

 Unlike memcmp(2), this function cannot be used to order the two memory regions
-as the return value when they differ is undefined, other than being non-zero.
+as the return value when they differ is undefined, other than being nonzero.

 =head1 COPYRIGHT

--- a/doc/man3/CT_POLICY_EVAL_CTX_new.pod
+++ b/doc/man3/CT_POLICY_EVAL_CTX_new.pod
@ -88,7 +88,7 @@ issued in the future. RFC6962 states that "TLS clients MUST reject SCTs whose
 timestamp is in the future". By default, this will be set to 5 minutes in the
 future (e.g. (time() + 300) * 1000), to allow for clock drift.

-The time should be in milliseconds since the Unix epoch.
+The time should be in milliseconds since the Unix Epoch.

 =back

--- a/doc/man3/DES_random_key.pod
+++ b/doc/man3/DES_random_key.pod
@ -134,7 +134,7 @@ DES_ecb_encrypt() is the basic DES encryption routine that encrypts or
 decrypts a single 8-byte I<DES_cblock> in I<electronic code book>
 (ECB) mode.  It always transforms the input data, pointed to by
 I<input>, into the output data, pointed to by the I<output> argument.
-If the I<encrypt> argument is non-zero (DES_ENCRYPT), the I<input>
+If the I<encrypt> argument is nonzero (DES_ENCRYPT), the I<input>
 (cleartext) is encrypted in to the I<output> (ciphertext) using the
 key_schedule specified by the I<schedule> argument, previously set via
 I<DES_set_key>. If I<encrypt> is zero (DES_DECRYPT), the I<input> (now
@ -153,7 +153,7 @@ The macro DES_ecb2_encrypt() is provided to perform two-key Triple-DES
 encryption by using I<ks1> for the final encryption.

 DES_ncbc_encrypt() encrypts/decrypts using the I<cipher-block-chaining>
-(CBC) mode of DES.  If the I<encrypt> argument is non-zero, the
+(CBC) mode of DES.  If the I<encrypt> argument is nonzero, the
 routine cipher-block-chain encrypts the cleartext data pointed to by
 the I<input> argument into the ciphertext pointed to by the I<output>
 argument, using the key schedule provided by the I<schedule> argument,
--- a/doc/man3/DH_get0_pqg.pod
+++ b/doc/man3/DH_get0_pqg.pod
@ -81,7 +81,7 @@ DH_get0_engine() returns a handle to the ENGINE that has been set for this DH
 object, or NULL if no such ENGINE has been set.

 The DH_get_length() and DH_set_length() functions get and set the optional
-length parameter associated with this DH object. If the length is non-zero then
+length parameter associated with this DH object. If the length is nonzero then
 it is used, otherwise it is ignored. The B<length> parameter indicates the
 length of the secret exponent (private key) in bits.

--- a/doc/man3/DH_set_method.pod
+++ b/doc/man3/DH_set_method.pod
@ -64,7 +64,7 @@ B<DH_METHOD>s.

 DH_set_default_method() returns no value.

-DH_set_method() returns non-zero if the provided B<meth> was successfully set as
+DH_set_method() returns nonzero if the provided B<meth> was successfully set as
 the method for B<dh> (including unloading the ENGINE handle if the previous
 method was supplied by an ENGINE).

--- a/doc/man3/DSA_set_method.pod
+++ b/doc/man3/DSA_set_method.pod
@ -64,7 +64,7 @@ B<DSA_METHOD>s.

 DSA_set_default_method() returns no value.

-DSA_set_method() returns non-zero if the provided B<meth> was successfully set as
+DSA_set_method() returns nonzero if the provided B<meth> was successfully set as
 the method for B<dsa> (including unloading the ENGINE handle if the previous
 method was supplied by an ENGINE).

--- a/doc/man3/EC_GROUP_new.pod
+++ b/doc/man3/EC_GROUP_new.pod
@ -105,8 +105,8 @@ EC_GROUP_set_curve function. An appropriate default implementation method will b

 Whilst the library can be used to create any curve using the functions described above, there are also a number of
 predefined curves that are available. In order to obtain a list of all of the predefined curves, call the function
-EC_get_builtin_curves. The parameter B<r> should be an array of EC_builtin_curve structures of size B<nitems>. The function
-will populate the B<r> array with information about the builtin curves. If B<nitems> is less than the total number of
+EC_get_builtin_curves(). The parameter B<r> should be an array of EC_builtin_curve structures of size B<nitems>. The function
+will populate the B<r> array with information about the built-in curves. If B<nitems> is less than the total number of
 curves available, then the first B<nitems> curves will be returned. Otherwise the total number of curves will be
 provided. The return value is the total number of curves available (whether that number has been populated in B<r> or
 not). Passing a NULL B<r>, or setting B<nitems> to 0 will do nothing other than return the total number of curves available.
@ -119,7 +119,7 @@ The EC_builtin_curve structure is defined as follows:

 Each EC_builtin_curve item has a unique integer id (B<nid>), and a human readable comment string describing the curve.

-In order to construct a builtin curve use the function EC_GROUP_new_by_curve_name_ex and provide the B<nid> of the curve to
+In order to construct a built-in curve use the function EC_GROUP_new_by_curve_name_ex and provide the B<nid> of the curve to
 be constructed and the associated library context to be used in B<ctx> (see L<OPENSSL_CTX(3)>).
 The B<ctx> value may be NULL in which case the default library context is used.

@ -136,7 +136,7 @@ If B<group> is NULL nothing is done.

 All EC_GROUP_new* functions return a pointer to the newly constructed group, or NULL on error.

-EC_get_builtin_curves returns the number of builtin curves that are available.
+EC_get_builtin_curves returns the number of built-in curves that are available.

 EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m return 1 on success or 0 on error.

--- a/doc/man3/ENGINE_add.pod
+++ b/doc/man3/ENGINE_add.pod
@ -254,7 +254,7 @@ To obtain a functional reference from an existing structural reference,
 call the ENGINE_init() function. This returns zero if the ENGINE was not
 already operational and couldn't be successfully initialised (eg. lack of
 system drivers, no special hardware attached, etc), otherwise it will
-return non-zero to indicate that the ENGINE is now operational and will
+return nonzero to indicate that the ENGINE is now operational and will
 have allocated a new B<functional> reference to the ENGINE. All functional
 references are released by calling ENGINE_finish() (which removes the
 implicit structural reference as well).
@ -333,7 +333,7 @@ acceleration hardware attached to the machine or some such thing. There are
 probably numerous other ways in which applications may prefer to handle
 things, so we will simply illustrate the consequences as they apply to a
 couple of simple cases and leave developers to consider these and the
-source code to openssl's builtin utilities as guides.
+source code to openssl's built-in utilities as guides.

 If no ENGINE API functions are called within an application, then OpenSSL
 will not allocate any internal resources.  Prior to OpenSSL 1.1.0, however,
@ -346,7 +346,7 @@ Here we'll assume an application has been configured by its user or admin
 to want to use the "ACME" ENGINE if it is available in the version of
 OpenSSL the application was compiled with. If it is available, it should be
 used by default for all RSA, DSA, and symmetric cipher operations, otherwise
-OpenSSL should use its builtin software as per usual. The following code
+OpenSSL should use its built-in software as per usual. The following code
 illustrates how to approach this;

 ENGINE *e;
@ -374,7 +374,7 @@ illustrates how to approach this;
 /* Release the structural reference from ENGINE_by_id() */
 ENGINE_free(e);

-I<Automatically using builtin ENGINE implementations>
+I<Automatically using built-in ENGINE implementations>

 Here we'll assume we want to load and register all ENGINE implementations
 bundled with OpenSSL, such that for any cryptographic algorithm required by
@ -422,7 +422,7 @@ calling ENGINE_init(). The other class of commands consist of settings or
 operations that tweak certain behaviour or cause certain operations to take
 place, and these commands may work either before or after ENGINE_init(), or
 in some cases both. ENGINE implementations should provide indications of
-this in the descriptions attached to builtin control commands and/or in
+this in the descriptions attached to built-in control commands and/or in
 external product documentation.

 I<Issuing control commands to an ENGINE>
@ -477,7 +477,7 @@ boolean success or failure.
 }

 Note that ENGINE_ctrl_cmd_string() accepts a boolean argument that can
-relax the semantics of the function - if set non-zero it will only return
+relax the semantics of the function - if set nonzero it will only return
 failure if the ENGINE supported the given command name but failed while
 executing it, if the ENGINE doesn't support the command name it will simply
 return success without doing anything. In this case we assume the user is
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@ -166,7 +166,7 @@ The parameters currently supported by the default provider are:
 =item "pad" (B<OSSL_EXCHANGE_PARAM_PAD>) <unsigned integer>

 Sets the DH padding mode.
-If B<OSSL_EXCHANGE_PARAM_PAD> is 1 then the  shared secret is padded with zeroes
+If B<OSSL_EXCHANGE_PARAM_PAD> is 1 then the  shared secret is padded with zeros
 up to the size of the DH prime B<p>.
 If B<OSSL_EXCHANGE_PARAM_PAD> is zero (the default) then no padding is
 performed.
@ -345,7 +345,7 @@ parameter generation. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
 The default is 0.

 The EVP_PKEY_CTX_set_dh_pad() function sets the DH padding mode.
-If B<pad> is 1 the shared secret is padded with zeroes up to the size of the DH
+If B<pad> is 1 the shared secret is padded with zeros up to the size of the DH
 prime B<p>.
 If B<pad> is zero (the default) then no padding is performed.

--- a/doc/man3/HMAC.pod
+++ b/doc/man3/HMAC.pod
@ -69,7 +69,7 @@ EVP_shake256().

 HMAC_CTX_new() creates a new HMAC_CTX in heap memory.

-HMAC_CTX_reset() zeroes an existing B<HMAC_CTX> and associated
+HMAC_CTX_reset() clears an existing B<HMAC_CTX> and associated
 resources, making it suitable for new computations as if it was newly
 created with HMAC_CTX_new().

--- a/doc/man3/OCSP_cert_to_id.pod
+++ b/doc/man3/OCSP_cert_to_id.pod
@ -52,7 +52,7 @@ corresponding parameter can be set to B<NULL>.
 OCSP_cert_to_id() and OCSP_cert_id_new() return either a pointer to a valid
 B<OCSP_CERTID> structure or B<NULL> if an error occurred.

-OCSP_id_cmp() and OCSP_id_issuer_cmp() returns zero for a match and non-zero
+OCSP_id_cmp() and OCSP_id_issuer_cmp() returns zero for a match and nonzero
 otherwise.

 OCSP_CERTID_free() does not return a value.
--- a/doc/man3/OCSP_request_add1_nonce.pod
+++ b/doc/man3/OCSP_request_add1_nonce.pod
@ -57,7 +57,7 @@ performance reasons. As a result they do not support nonces.

 The return values of OCSP_check_nonce() can be checked to cover each case.  A
 positive return value effectively indicates success: nonces are both present
-and match, both absent or present in the response only. A non-zero return
+and match, both absent or present in the response only. A nonzero return
 additionally covers the case where the nonce is present in the request only:
 this will happen if the responder doesn't support nonces. A zero return value
 indicates present and mismatched nonces: this should be treated as an error
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@ -112,7 +112,7 @@ no freeing of the results is necessary.

 OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
 which will be typically obtained from OCSP_resp_find_status() or
-OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
+OCSP_single_get0_status(). If B<sec> is nonzero it indicates how many seconds
 leeway should be allowed in the check. If B<maxsec> is positive it indicates
 the maximum age of B<thisupd> in seconds.

@ -167,7 +167,7 @@ can then take appropriate action based on the status of the certificate.

 An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
 fields. Normally the current time should be between these two values. To
-account for clock skew the B<maxsec> field can be set to non-zero in
+account for clock skew the B<maxsec> field can be set to nonzero in
 OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
 would otherwise mean an ancient response would be considered valid: the
 B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
--- a/doc/man3/OPENSSL_LH_COMPFUNC.pod
+++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod
@ -52,7 +52,7 @@ an unsigned long hash value for its key field.  The hash value is
 normally truncated to a power of 2, so make sure that your hash
 function returns well mixed low order bits.  The I<compare> callback
 takes two arguments (pointers to two hash table entries), and returns
-0 if their keys are equal, non-zero otherwise.
+0 if their keys are equal, nonzero otherwise.

 If your hash table
 will contain items of some particular type and the I<hash> and
--- a/doc/man3/RAND_add.pod
+++ b/doc/man3/RAND_add.pod
@ -67,7 +67,7 @@ usage by the random seed sources. Some seed sources maintain open file
 descriptors by default, which allows such sources to operate in a
 chroot(2) jail without the associated device nodes being available. When
 the B<keep> argument is zero, this call disables the retention of file
-descriptors. Conversely, a non-zero argument enables the retention of
+descriptors. Conversely, a nonzero argument enables the retention of
 file descriptors. This function is usually called during initialization
 and it takes effect immediately.

--- a/doc/man3/RSA_set_method.pod
+++ b/doc/man3/RSA_set_method.pod
@ -129,7 +129,7 @@ the default method is used.
                       const unsigned char *m, unsigned int m_length,
                       const unsigned char *sigbuf, unsigned int siglen,
                       const RSA *rsa);
-     /* keygen. If NULL builtin RSA key generation will be used */
+     /* keygen. If NULL built-in RSA key generation will be used */
     int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);

 } RSA_METHOD;
--- a/doc/man3/SCT_new.pod
+++ b/doc/man3/SCT_new.pod
@ -108,7 +108,8 @@ See RFC 6962, Section 3.2 for the definition of LogID.

 =item *

-SCT_set_timestamp() to set the time the SCT was issued (epoch time in milliseconds).
+SCT_set_timestamp() to set the time the SCT was issued (time in milliseconds
+since the Unix Epoch).

 =item *

@ -149,7 +150,7 @@ B<CT_LOG_ENTRY_TYPE_PRECERT> for a pre-certificate.

 =item *

-The time that the SCT was issued (epoch time in milliseconds).
+The time that the SCT was issued (time in milliseconds since the Unix Epoch).

 =item *

--- a/doc/man3/SSL_CTX_dane_enable.pod
+++ b/doc/man3/SSL_CTX_dane_enable.pod
@ -136,7 +136,7 @@ SSL_CTX_dane_set_flags() and SSL_dane_set_flags() can be used to enable
 optional DANE verification features.
 SSL_CTX_dane_clear_flags() and SSL_dane_clear_flags() can be used to disable
 the same features.
-The B<flags> argument is a bitmask of the features to enable or disable.
+The B<flags> argument is a bit-mask of the features to enable or disable.
 The B<flags> set for an B<SSL_CTX> context are copied to each B<SSL> handle
 associated with that context at the time the handle is created.
 Subsequent changes in the context's B<flags> have no effect on the B<flags> set
--- a/doc/man3/SSL_CTX_set_info_callback.pod
+++ b/doc/man3/SSL_CTX_set_info_callback.pod
@ -50,7 +50,7 @@ the callback function was called. If B<ret> is 0, an error condition occurred.
 If an alert is handled, SSL_CB_ALERT is set and B<ret> specifies the alert
 information.

-B<where> is a bitmask made up of the following bits:
+B<where> is a bit-mask made up of the following bits:

 =over 4

--- a/doc/man3/SSL_CTX_set_mode.pod
+++ b/doc/man3/SSL_CTX_set_mode.pod
@ -18,13 +18,13 @@ SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_

 =head1 DESCRIPTION

-SSL_CTX_set_mode() adds the mode set via bitmask in B<mode> to B<ctx>.
+SSL_CTX_set_mode() adds the mode set via bit-mask in B<mode> to B<ctx>.
 Options already set before are not cleared.
-SSL_CTX_clear_mode() removes the mode set via bitmask in B<mode> from B<ctx>.
+SSL_CTX_clear_mode() removes the mode set via bit-mask in B<mode> from B<ctx>.

-SSL_set_mode() adds the mode set via bitmask in B<mode> to B<ssl>.
+SSL_set_mode() adds the mode set via bit-mask in B<mode> to B<ssl>.
 Options already set before are not cleared.
-SSL_clear_mode() removes the mode set via bitmask in B<mode> from B<ssl>.
+SSL_clear_mode() removes the mode set via bit-mask in B<mode> from B<ssl>.

 SSL_CTX_get_mode() returns the mode set for B<ctx>.

@ -137,10 +137,10 @@ default since 1.1.1.

 =head1 RETURN VALUES

-SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask
+SSL_CTX_set_mode() and SSL_set_mode() return the new mode bit-mask
 after adding B<mode>.

-SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask.
+SSL_CTX_get_mode() and SSL_get_mode() return the current bit-mask.

 =head1 SEE ALSO

--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@ -23,16 +23,16 @@ SSL_get_secure_renegotiation_support - manipulate SSL options

 =head1 DESCRIPTION

-SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
+SSL_CTX_set_options() adds the options set via bit-mask in B<options> to B<ctx>.
 Options already set before are not cleared!

-SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
+SSL_set_options() adds the options set via bit-mask in B<options> to B<ssl>.
 Options already set before are not cleared!

-SSL_CTX_clear_options() clears the options set via bitmask in B<options>
+SSL_CTX_clear_options() clears the options set via bit-mask in B<options>
 to B<ctx>.

-SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.
+SSL_clear_options() clears the options set via bit-mask in B<options> to B<ssl>.

 SSL_CTX_get_options() returns the options set for B<ctx>.

@ -45,7 +45,7 @@ Note, this is implemented via a macro.
 =head1 NOTES

 The behaviour of the SSL library can be changed by setting several options.
-The options are coded as bitmasks and can be combined by a bitwise B<or>
+The options are coded as bit-masks and can be combined by a bitwise B<or>
 operation (|).

 SSL_CTX_set_options() and SSL_set_options() affect the (external)
@ -348,13 +348,13 @@ and renegotiation between OpenSSL and unpatched clients or servers.

 =head1 RETURN VALUES

-SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
+SSL_CTX_set_options() and SSL_set_options() return the new options bit-mask
 after adding B<options>.

-SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
+SSL_CTX_clear_options() and SSL_clear_options() return the new options bit-mask
 after clearing B<options>.

-SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
+SSL_CTX_get_options() and SSL_get_options() return the current bit-mask.

 SSL_get_secure_renegotiation_support() returns 1 is the peer supports
 secure renegotiation and 0 if it does not.
--- a/doc/man3/SSL_read_early_data.pod
+++ b/doc/man3/SSL_read_early_data.pod
@ -202,7 +202,7 @@ early data settings for the SSL_CTX and SSL objects respectively. Generally a
 server application will either use both of SSL_read_early_data() and
 SSL_CTX_set_max_early_data() (or SSL_set_max_early_data()), or neither of them,
 since there is no practical benefit from using only one of them. If the maximum
-early data setting for a server is non-zero then replay protection is
+early data setting for a server is nonzero then replay protection is
 automatically enabled (see L</REPLAY PROTECTION> below).

 If the server rejects the early data sent by a client then it will skip over
@ -285,7 +285,7 @@ retry with a lower maximum protocol version.
 When early data is in use the TLS protocol provides no security guarantees that
 the same early data was not replayed across multiple connections. As a
 mitigation for this issue OpenSSL automatically enables replay protection if the
-server is configured with a non-zero max early data value. With replay
+server is configured with a nonzero max early data value. With replay
 protection enabled sessions are forced to be single use only. If a client
 attempts to reuse a session ticket more than once, then the second and
 subsequent attempts will fall back to a full handshake (and any early data that
--- a/doc/man3/SSL_set1_host.pod
+++ b/doc/man3/SSL_set1_host.pod
@ -19,7 +19,7 @@ SSL server verification parameters
 These functions configure server hostname checks in the SSL client.

 SSL_set1_host() sets the expected DNS hostname to B<name> clearing
-any previously specified host name or names.  If B<name> is NULL,
+any previously specified hostname.  If B<name> is NULL,
 or the empty string the list of hostnames is cleared, and name
 checks are not performed on the peer certificate.  When a non-empty
 B<name> is specified, certificate verification automatically checks
--- a/doc/man3/SSL_set_shutdown.pod
+++ b/doc/man3/SSL_set_shutdown.pod
@ -20,7 +20,7 @@ SSL_get_shutdown() returns the shutdown mode of B<ssl>.

 =head1 NOTES

-The shutdown state of an ssl connection is a bitmask of:
+The shutdown state of an ssl connection is a bit-mask of:

 =over 4

--- a/doc/man3/UI_UTIL_read_pw.pod
+++ b/doc/man3/UI_UTIL_read_pw.pod
@ -21,7 +21,7 @@ UI_UTIL_read_pw_string() asks for a passphrase, using B<prompt> as a
 prompt, and stores it in B<buf>.
 The maximum allowed size is given with B<length>, including the
 terminating NUL byte.
-If B<verify> is non-zero, the password will be verified as well.
+If B<verify> is nonzero, the password will be verified as well.

 UI_UTIL_read_pw() does the same as UI_UTIL_read_pw_string(), the
 difference is that you can give it an external buffer B<buff> for the
--- a/doc/man3/UI_new.pod
+++ b/doc/man3/UI_new.pod
@ -132,7 +132,7 @@ the possible answers (given through the I<action_desc> argument).

 UI_add_info_string() and UI_add_error_string() add strings that are shown at
 the same time as the prompt for extra information or to show an error string.
-The difference between the two is only conceptual.  With the builtin method,
+The difference between the two is only conceptual.  With the built-in method,
 there's no technical difference between them.  Other methods may make a
 difference between them, however.

@ -158,7 +158,7 @@ string and may include encodings that will be processed by the other
 method functions.

 UI_add_user_data() adds a user data pointer for the method to use at any
-time.  The builtin UI method doesn't care about this info.  Note that several
+time.  The built-in UI method doesn't care about this info.  Note that several
 calls to this function doesn't add data, it replaces the previous blob
 with the one given as argument.

--- a/doc/man3/X509_ALGOR_dup.pod
+++ b/doc/man3/X509_ALGOR_dup.pod
@ -34,7 +34,7 @@ X509_ALGOR_set_md() sets the B<AlgorithmIdentifier> B<alg> to appropriate
 values for the message digest B<md>.

 X509_ALGOR_cmp() compares B<a> and B<b> and returns 0 if they have identical
-encodings and non-zero otherwise.
+encodings and nonzero otherwise.

 =head1 RETURN VALUES

@ -46,7 +46,7 @@ X509_ALGOR_set0() returns 1 on success or 0 on error.
 X509_ALGOR_get0() and X509_ALGOR_set_md() return no values.

 X509_ALGOR_cmp() returns 0 if the two parameters have identical encodings and
-non-zero otherwise.
+nonzero otherwise.

 =head1 COPYRIGHT

--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@ -129,7 +129,7 @@ interoperable, though it will, for example, reject MD5 signatures or RSA keys
 shorter than 1024 bits.

 X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to
-B<name> clearing any previously specified host name or names.  If
+B<name> clearing any previously specified hostname.  If
 B<name> is NULL, or empty the list of hostnames is cleared, and
 name checks are not performed on the peer certificate.  If B<name>
 is NUL-terminated, B<namelen> may be zero, otherwise B<namelen>
--- a/doc/man3/X509_check_ca.pod
+++ b/doc/man3/X509_check_ca.pod
@ -24,7 +24,7 @@ B<keyUsage> extension with bit B<keyCertSign> set, but without
 B<basicConstraints>, and 5 if it has outdated Netscape Certificate Type
 extension telling that it is CA certificate.

-Actually, any non-zero value means that this certificate could have been
+Actually, any nonzero value means that this certificate could have been
 used to sign other certificates.

 =head1 SEE ALSO
--- a/doc/man3/X509v3_get_ext_by_NID.pod
+++ b/doc/man3/X509v3_get_ext_by_NID.pod
@ -71,7 +71,7 @@ the extension is found its index is returned otherwise B<-1> is returned.

 X509v3_get_ext_by_critical() is similar to X509v3_get_ext_by_NID() except it
 looks for an extension of criticality B<crit>. A zero value for B<crit>
-looks for a non-critical extension a non-zero value looks for a critical
+looks for a non-critical extension a nonzero value looks for a critical
 extension.

 X509v3_delete_ext() deletes the extension with index B<loc> from B<x>. The
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@ -463,7 +463,7 @@ The actual TYPE structure passed to B<i2d_I<TYPE>>() must be a valid
 populated B<I<TYPE>> structure -- it B<cannot> simply be fed with an
 empty structure such as that returned by TYPE_new().

-The encoded data is in binary form and may contain embedded zeroes.
+The encoded data is in binary form and may contain embedded zeros.
 Therefore any FILE pointers or BIOs should be opened in binary mode.
 Functions such as strlen() will B<not> return the correct length
 of the encoded structure.
--- a/doc/man7/provider.pod
+++ b/doc/man7/provider.pod
@ -84,7 +84,7 @@ the initialization function.
 I<operation_id> is an operation identity (see L</Operations> below).

 I<no_store> is a flag back to the OpenSSL libraries which, when
-non-zero, signifies that the OpenSSL libraries will not store a
+nonzero, signifies that the OpenSSL libraries will not store a
 reference to the returned data in their internal store of
 implementations.

--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@ -395,6 +395,9 @@ sub wording {
    my $contents = shift;

    foreach my $k ( keys %preferred_words ) {
+        # Sigh, trademark
+        next if $k eq 'file system'
+            and $contents =~ /Microsoft Encrypted File System/;
        err($id, "found '$k' should use '$preferred_words{$k}'")
            if $contents =~ /\b\Q$k\E\b/i;
    }