various cleanup;

22 files changed, 131 insertions, 127 deletions

diff --git a/src/lib/libcrypto/man/EC_GROUP_copy.3 b/src/lib/libcrypto/man/EC_GROUP_copy.3
index 37b3d089bc..28b4aee21a 100644
--- a/src/lib/libcrypto/man/EC_GROUP_copy.3
+++ b/src/lib/libcrypto/man/EC_GROUP_copy.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EC_GROUP_copy.3,v 1.3 2016/11/15 09:25:45 jmc Exp $
+.\"     $OpenBSD: EC_GROUP_copy.3,v 1.4 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 15 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EC_GROUP_COPY 3
 .Os
 .Sh NAME
@@ -313,7 +313,7 @@ non-zero.
 The function
 .Fn EC_GROUP_check
 performs a number of checks on a curve to verify that it is valid.
-Checks performed include verifying that the discriminant is non zero;
+Checks performed include verifying that the discriminant is non-zero;
 that a generator has been defined; that the generator is on the curve
 and has the correct order.
 .Pp
diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
index 02e2b26f0e..ff24d3bf10 100644
--- a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
+++ b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.4 2016/11/05 14:41:31 schwarze Exp $
+.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.5 2016/11/21 22:19:15 jmc Exp $
 .\"
 .\" Copyright (c) 2014, Google Inc.
 .\" Parts of the text were written by Adam Langley and David Benjamin.
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 5 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_AEAD_CTX_INIT 3
 .Os
 .Sh NAME
@@ -184,7 +184,7 @@ bytes are written as output and, in order to ensure success, this value
 should be the
 .Fa in_len
 plus the result of
-.Xr EVP_AEAD_overhead 3 .
+.Fn EVP_AEAD_max_overhead .
 On successful return,
 .Fa out_len
 is set to the actual number of bytes written.
@@ -237,8 +237,8 @@ interface to AEAD ciphers should be used in preference to the older
 .Sy EVP
 variants or to the low level interfaces.
 This is because the code then becomes transparent to the AEAD cipher
-used and much more flexible,
-it is also safer to use as it prevents common mistakes with the native APIs.
+used and much more flexible.
+It is also safer to use as it prevents common mistakes with the native APIs.
 .Sh RETURN VALUES
 .Fn EVP_AEAD_CTX_init ,
 .Fn EVP_AEAD_CTX_open ,
@@ -262,8 +262,7 @@ This is the largest value that can be passed as a tag length to
 returns the length of the per-message nonce.
 .Sh EXAMPLES
 Encrypt a string using ChaCha20-Poly1305:
-.Bd -literal
-.\" XXX
+.Bd -literal -offset indent
 const EVP_AEAD *aead = EVP_aead_chacha20_poly1305();
 static const unsigned char nonce[32] = {0};
 size_t buf_len, nonce_len;
diff --git a/src/lib/libcrypto/man/EVP_BytesToKey.3 b/src/lib/libcrypto/man/EVP_BytesToKey.3
index feb6280cd2..d2950e0894 100644
--- a/src/lib/libcrypto/man/EVP_BytesToKey.3
+++ b/src/lib/libcrypto/man/EVP_BytesToKey.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_BytesToKey.3,v 1.3 2016/11/21 09:56:35 schwarze Exp $
+.\"     $OpenBSD: EVP_BytesToKey.3,v 1.4 2016/11/21 22:19:15 jmc Exp $
 .\"
 .Dd $Mdocdate: November 21 2016 $
 .Dt EVP_BYTESTOKEY 3
@@ -28,8 +28,8 @@ is the cipher to derive the key and IV for.
 is the message digest to use.
 The
 .Fa salt
-parameter is used as a salt in the derivation: it should point to an 8
-byte buffer or
+parameter is used as a salt in the derivation:
+it should point to an 8-byte buffer or
 .Dv NULL
 if no salt is used.
 .Fa data
@@ -51,18 +51,18 @@ parameter.
 .Pp
 Increasing the
 .Fa count
-parameter slows down the algorithm which makes it harder for an attacker
+parameter slows down the algorithm, which makes it harder for an attacker
 to perform a brute force attack using a large number of candidate
 passwords.
 .Pp
 If the total key and IV length is less than the digest length and MD5
 is used, then the derivation algorithm is compatible with PKCS#5 v1.5.
-Otherwise, a non standard extension is used to derive the extra data.
+Otherwise, a non-standard extension is used to derive the extra data.
 .Pp
 Newer applications should use more standard algorithms such as PBKDF2 as
 defined in PKCS#5v2.1 for key derivation.
 .Sh KEY DERIVATION ALGORITHM
-The key and IV is derived by concatenating D_1, D_2, etc until enough
+The key and IV is derived by concatenating D_1, D_2, etc. until enough
 data is available for the key and IV.
 D_i is defined recursively as:
 .Pp
diff --git a/src/lib/libcrypto/man/EVP_DigestInit.3 b/src/lib/libcrypto/man/EVP_DigestInit.3
index f9be8ef75b..353084435f 100644
--- a/src/lib/libcrypto/man/EVP_DigestInit.3
+++ b/src/lib/libcrypto/man/EVP_DigestInit.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_DigestInit.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_DigestInit.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_DIGESTINIT 3
 .Os
 .Sh NAME
@@ -11,9 +11,11 @@
 .Nm EVP_DigestFinal_ex ,
 .Nm EVP_MD_CTX_cleanup ,
 .Nm EVP_MD_CTX_destroy ,
-.Nm EVP_MAX_MD_SIZE ,
 .Nm EVP_MD_CTX_copy_ex ,
+.Nm EVP_DigestInit ,
+.Nm EVP_DigestFinal ,
 .Nm EVP_MD_CTX_copy ,
+.Nm EVP_MAX_MD_SIZE ,
 .Nm EVP_MD_type ,
 .Nm EVP_MD_pkey_type ,
 .Nm EVP_MD_size ,
@@ -35,9 +37,7 @@
 .Nm EVP_ripemd160 ,
 .Nm EVP_get_digestbyname ,
 .Nm EVP_get_digestbynid ,
-.Nm EVP_get_digestbyobj ,
-.Nm EVP_DigestInit ,
-.Nm EVP_DigestFinal
+.Nm EVP_get_digestbyobj
 .Nd EVP digest routines
 .Sh SYNOPSIS
 .In openssl/evp.h
@@ -127,12 +127,6 @@
 .Ft const EVP_MD *
 .Fn EVP_sha1 void
 .Ft const EVP_MD *
-.Fn EVP_dss void
-.Ft const EVP_MD *
-.Fn EVP_dss1 void
-.Ft const EVP_MD *
-.Fn EVP_ripemd160 void
-.Ft const EVP_MD *
 .Fn EVP_sha224 void
 .Ft const EVP_MD *
 .Fn EVP_sha256 void
@@ -141,6 +135,12 @@
 .Ft const EVP_MD *
 .Fn EVP_sha512 void
 .Ft const EVP_MD *
+.Fn EVP_dss void
+.Ft const EVP_MD *
+.Fn EVP_dss1 void
+.Ft const EVP_MD *
+.Fn EVP_ripemd160 void
+.Ft const EVP_MD *
 .Fo EVP_get_digestbyname
 .Fa "const char *name"
 .Fc
@@ -199,7 +199,7 @@ parameter is not
 .Dv NULL ,
 then the number of bytes of data written (i.e. the length of the
 digest) will be written to the integer at
-.Fa s ,
+.Fa s ;
 at most
 .Dv EVP_MAX_MD_SIZE
 bytes will be written.
@@ -284,7 +284,7 @@ For example
 .Fn EVP_MD_type EVP_sha1()
 returns
 .Dv NID_sha1 .
-This function is normally used when setting ASN1 OIDs.
+This function is normally used when setting ASN.1 OIDs.
 .Pp
 .Fn EVP_MD_CTX_md
 returns the
@@ -324,7 +324,7 @@ return
 structures for SHA1 digest algorithms but using DSS (DSA) for the
 signature algorithm.
 Note: there is no need to use these pseudo-digests in OpenSSL 1.0.0 and
-later, they are however retained for compatibility.
+later; they are however retained for compatibility.
 .Pp
 .Fn EVP_md_null
 is a "null" message digest that does nothing:
@@ -369,7 +369,7 @@ New applications should use
 and
 .Fn EVP_MD_CTX_copy_ex
 because they can efficiently reuse a digest context instead of
-initializing and cleaning it up on each call and allow non default
+initializing and cleaning it up on each call and allow non-default
 implementations of digests to be specified.
 .Pp
 In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after
@@ -440,7 +440,7 @@ if an error occurs.
 .Sh EXAMPLES
 This example digests the data "Test Message\en" and "Hello World\en",
 using the digest name passed on the command line.
-.Bd -literal
+.Bd -literal -offset indent
 #include <stdio.h>
 #include <openssl/evp.h>
 
@@ -514,7 +514,7 @@ pointers in OpenSSL 0.9.7.
 The link between digests and signing algorithms was fixed in OpenSSL 1.0
 and later, so now
 .Fn EVP_sha1
-can be used with RSA and DSA, there is no need to use
+can be used with RSA and DSA; there is no need to use
 .Fn EVP_dss1
 any more.
 .Pp
diff --git a/src/lib/libcrypto/man/EVP_EncryptInit.3 b/src/lib/libcrypto/man/EVP_EncryptInit.3
index e786468550..3757bfc815 100644
--- a/src/lib/libcrypto/man/EVP_EncryptInit.3
+++ b/src/lib/libcrypto/man/EVP_EncryptInit.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_EncryptInit.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_EncryptInit.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_ENCRYPTINIT 3
 .Os
 .Sh NAME
@@ -14,15 +14,16 @@
 .Nm EVP_CipherInit_ex ,
 .Nm EVP_CipherUpdate ,
 .Nm EVP_CipherFinal_ex ,
-.Nm EVP_CIPHER_CTX_set_key_length ,
-.Nm EVP_CIPHER_CTX_ctrl ,
-.Nm EVP_CIPHER_CTX_cleanup ,
 .Nm EVP_EncryptInit ,
 .Nm EVP_EncryptFinal ,
 .Nm EVP_DecryptInit ,
 .Nm EVP_DecryptFinal ,
 .Nm EVP_CipherInit ,
 .Nm EVP_CipherFinal ,
+.Nm EVP_CIPHER_CTX_set_padding ,
+.Nm EVP_CIPHER_CTX_set_key_length ,
+.Nm EVP_CIPHER_CTX_ctrl ,
+.Nm EVP_CIPHER_CTX_cleanup ,
 .Nm EVP_get_cipherbyname ,
 .Nm EVP_get_cipherbynid ,
 .Nm EVP_get_cipherbyobj ,
@@ -45,7 +46,6 @@
 .Nm EVP_CIPHER_CTX_mode ,
 .Nm EVP_CIPHER_param_to_asn1 ,
 .Nm EVP_CIPHER_asn1_to_param ,
-.Nm EVP_CIPHER_CTX_set_padding ,
 .Nm EVP_enc_null ,
 .Nm EVP_des_cbc ,
 .Nm EVP_des_ecb ,
@@ -291,7 +291,8 @@ then the default implementation is used.
 .Fa key
 is the symmetric key to use and
 .Fa iv
-is the IV to use (if necessary), the actual number of bytes used for the
+is the IV to use (if necessary).
+The actual number of bytes used for the
 key and IV depends on the cipher.
 It is possible to set all parameters to
 .Dv NULL
@@ -375,7 +376,7 @@ being supplied in a previous call).
 .Pp
 .Fn EVP_CIPHER_CTX_cleanup
 clears all information from a cipher context and free up any allocated
-memory associate with it.
+memory associated with it.
 It should be called after all operations using a cipher are complete so
 sensitive information does not remain in memory.
 .Pp
@@ -490,10 +491,10 @@ and
 .Fn EVP_CIPHER_CTX_type
 return the type of the passed cipher or context.
 This "type" is the actual NID of the cipher OBJECT IDENTIFIER as such it
-ignores the cipher parameters and 40 bit RC2 and 128 bit RC2 have the
+ignores the cipher parameters and 40-bit RC2 and 128-bit RC2 have the
 same NID.
 If the cipher does not have an object identifier or does not
-have ASN1 support this function will return
+have ASN.1 support this function will return
 .Dv NID_undef .
 .Pp
 .Fn EVP_CIPHER_CTX_cipher
@@ -521,13 +522,14 @@ sets the AlgorithmIdentifier "parameter" based on the passed cipher.
 This will typically include any parameters and an IV.
 The cipher IV (if any) must be set when this call is made.
 This call should be made before the cipher is actually "used" (before any
-.Fn EVP_EncryptUpdate ,
+.Fn EVP_EncryptUpdate
+or
 .Fn EVP_DecryptUpdate
-calls for example).
-This function may fail if the cipher does not have any ASN1 support.
+calls, for example).
+This function may fail if the cipher does not have any ASN.1 support.
 .Pp
 .Fn EVP_CIPHER_asn1_to_param
-sets the cipher parameters based on an ASN1 AlgorithmIdentifier
+sets the cipher parameters based on an ASN.1 AlgorithmIdentifier
 "parameter".
 The precise effect depends on the cipher.
 In the case of RC2, for example, it will set the IV and effective
@@ -544,7 +546,7 @@ will be called and finally
 again with all parameters except the key set to
 .Dv NULL .
 It is possible for this function to fail if the cipher does not
-have any ASN1 support or the parameters cannot be set (for example
+have any ASN.1 support or the parameters cannot be set (for example
 the RC2 effective key length is not supported).
 .Pp
 .Fn EVP_CIPHER_CTX_ctrl
@@ -720,7 +722,7 @@ DESX algorithm in CBC mode.
 RC4 stream cipher.
 This is a variable key length cipher with default key length 128 bits.
 .It Fn EVP_rc4_40 void
-RC4 stream cipher with 40 bit key length.
+RC4 stream cipher with 40-bit key length.
 This is obsolete and new code should use
 .Fn EVP_rc4
 and the
@@ -785,31 +787,31 @@ By default the key length is set to 128 bits and 12 rounds.
 .El
 .Sh EXAMPLES
 Get the number of rounds used in RC5:
-.Bd -literal
+.Bd -literal -offset indent
 int nrounds;
 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds);
 .Ed
 .Pp
 Get the RC2 effective key length:
-.Bd -literal
+.Bd -literal -offset indent
 int key_bits;
 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits);
 .Ed
 .Pp
 Set the number of rounds used in RC5:
-.Bd -literal
+.Bd -literal -offset indent
 int nrounds;
 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL);
 .Ed
 .Pp
 Set the effective key length used in RC2:
-.Bd -literal
+.Bd -literal -offset indent
 int key_bits;
 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
 .Ed
 .Pp
 Encrypt a string using blowfish:
-.Bd -literal
+.Bd -literal -offset 3n
 int
 do_crypt(char *outfile)
 {
@@ -858,13 +860,13 @@ do_crypt(char *outfile)
 The ciphertext from the above example can be decrypted using the
 .Xr openssl 1
 utility with the command line:
-.Bd -literal
+.Bd -literal -offset indent
 openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F \e
            -iv 0102030405060708 -d
 .Ed
 .Pp
 General encryption, decryption function example using FILE I/O and RC2
-with an 80 bit key:
+with an 80-bit key:
 .Bd -literal
 int
 do_crypt(FILE *in, FILE *out, int do_encrypt)
@@ -937,6 +939,6 @@ as a fixed unsigned char array containing
 .Dv EVP_MAX_KEY_LENGTH
 bytes.
 .Pp
-The ASN1 code is incomplete (and sometimes inaccurate) it has only been
-tested for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC
-mode.
+The ASN.1 code is incomplete (and sometimes inaccurate).
+It has only been tested for certain common S/MIME ciphers
+(RC2, DES, triple DES) in CBC mode.
diff --git a/src/lib/libcrypto/man/EVP_OpenInit.3 b/src/lib/libcrypto/man/EVP_OpenInit.3
index 02e79742ab..92f68d3cc0 100644
--- a/src/lib/libcrypto/man/EVP_OpenInit.3
+++ b/src/lib/libcrypto/man/EVP_OpenInit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_OpenInit.3,v 1.3 2016/11/21 09:56:35 schwarze Exp $
+.\"     $OpenBSD: EVP_OpenInit.3,v 1.4 2016/11/21 22:19:15 jmc Exp $
 .\"
 .Dd $Mdocdate: November 21 2016 $
 .Dt EVP_OPENINIT 3
@@ -85,7 +85,7 @@ If the cipher is a fixed length cipher then the recovered key length
 must match the fixed cipher length.
 .Sh RETURN VALUES
 .Fn EVP_OpenInit
-returns 0 on error or a non zero integer (actually the recovered secret
+returns 0 on error or a non-zero integer (actually the recovered secret
 key size) if successful.
 .Pp
 .Fn EVP_OpenUpdate
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
index 6715e11f41..149caa7316 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.3 2016/11/06 16:58:08 schwarze Exp $
+.\"     $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.4 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -169,8 +169,8 @@ expected to be the algorithm identifier byte.
 The
 .Fn EVP_PKEY_CTX_set_rsa_pss_saltlen
 macro sets the RSA PSS salt length to
-.Fa len
-as its name implies it is only supported for PSS padding.
+.Fa len .
+As its name implies, it is only supported for PSS padding.
 Two special values are supported: -1 sets the salt length to the digest
 length.
 When signing -2 sets the salt length to the maximum permissible value.
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
index 03439d6658..63fefed9a3 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_CTX_new.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_CTX_new.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_CTX_NEW 3
 .Os
 .Sh NAME
@@ -62,10 +62,11 @@ frees up the context
 .Sh RETURN VALUES
 .Fn EVP_PKEY_CTX_new ,
 .Fn EVP_PKEY_CTX_new_id ,
+and
 .Fn EVP_PKEY_CTX_dup
-returns either the newly allocated
+return either the newly allocated
 .Vt EVP_PKEY_CTX
-structure of
+structure or
 .Dv NULL
 if an error occurred.
 .Pp
diff --git a/src/lib/libcrypto/man/EVP_PKEY_cmp.3 b/src/lib/libcrypto/man/EVP_PKEY_cmp.3
index 2e366402ca..d06d0e8a35 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_cmp.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_cmp.3
@@ -1,11 +1,11 @@
-.\"     $OpenBSD: EVP_PKEY_cmp.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_cmp.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_CMP 3
 .Os
 .Sh NAME
-.Nm EVP_PKEY_copy_parameters ,
 .Nm EVP_PKEY_missing_parameters ,
+.Nm EVP_PKEY_copy_parameters ,
 .Nm EVP_PKEY_cmp_parameters ,
 .Nm EVP_PKEY_cmp
 .Nd public key parameter and comparison functions
@@ -83,7 +83,7 @@ The function
 .Fn EVP_PKEY_copy_parameters
 returns 1 for success and 0 for failure.
 .Pp
-The function
+The functions
 .Fn EVP_PKEY_cmp_parameters
 and
 .Fn EVP_PKEY_cmp
diff --git a/src/lib/libcrypto/man/EVP_PKEY_decrypt.3 b/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
index f8d29fbef2..15e44a6510 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_decrypt.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_decrypt.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_DECRYPT 3
 .Os
 .Sh NAME
@@ -52,7 +52,8 @@ then before the call the
 .Fa outlen
 parameter should contain the length of the
 .Fa out
-buffer, if the call is successful the decrypted data is written to
+buffer.
+If the call is successful the decrypted data is written to
 .Fa out
 and the amount of data written to
 .Fa outlen .
@@ -75,7 +76,7 @@ In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
 Decrypt data using OAEP (for RSA keys):
-.Bd -literal
+.Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
diff --git a/src/lib/libcrypto/man/EVP_PKEY_derive.3 b/src/lib/libcrypto/man/EVP_PKEY_derive.3
index e29587be7e..e449a91439 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_derive.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_derive.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_derive.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_derive.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_DERIVE 3
 .Os
 .Sh NAME
@@ -38,7 +38,7 @@ function sets the peer key: this will normally be a public key.
 .Pp
 The
 .Fn EVP_PKEY_derive
-derives a shared secret using
+function derives a shared secret using
 .Fa ctx .
 If
 .Fa key
@@ -79,7 +79,7 @@ In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
 Derive shared secret (for example DH or EC keys):
-.Bd -literal
+.Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
diff --git a/src/lib/libcrypto/man/EVP_PKEY_encrypt.3 b/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
index 8edd53745d..0e1c72e270 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_encrypt.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_encrypt.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_ENCRYPT 3
 .Os
 .Sh NAME
@@ -52,7 +52,8 @@ then before the call the
 .Fa outlen
 parameter should contain the length of the
 .Fa out
-buffer, if the call is successful the encrypted data is written to
+buffer.
+If the call is successful the encrypted data is written to
 .Fa out
 and the amount of data written to
 .Fa outlen .
@@ -75,7 +76,7 @@ In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
 Encrypt data using OAEP (for RSA keys):
-.Bd -literal
+.Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
diff --git a/src/lib/libcrypto/man/EVP_PKEY_keygen.3 b/src/lib/libcrypto/man/EVP_PKEY_keygen.3
index c464924384..fd64e1eb66 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_keygen.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_keygen.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_keygen.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_keygen.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_KEYGEN 3
 .Os
 .Sh NAME
@@ -70,8 +70,8 @@ for a key generation operation.
 .Pp
 The
 .Fn EVP_PKEY_keygen
-function performs a key generation operation, the generated key is
-written to
+function performs a key generation operation.
+The generated key is written to
 .Fa ppkey .
 .Pp
 The functions
@@ -94,7 +94,7 @@ returns parameters associated with the generation operation.
 If
 .Fa idx
 is -1, the total number of parameters available is returned.
-Any non negative value returns the value of that parameter.
+Any non-negative value returns the value of that parameter.
 .Fn EVP_PKEY_CTX_get_keygen_info
 with a non-negative value for
 .Fa idx
@@ -159,8 +159,8 @@ return 1 for success and 0 or a negative value for failure.
 In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
-Generate a 2048 bit RSA key:
-.Bd -literal
+Generate a 2048-bit RSA key:
+.Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
@@ -180,7 +180,7 @@ if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
 .Ed
 .Pp
 Generate a key from a set of parameters:
-.Bd -literal
+.Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
@@ -199,7 +199,7 @@ if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
 .Ed
 .Pp
 Example of generation callback for OpenSSL public key implementations:
-.Bd -literal
+.Bd -literal -offset indent
 /* Application data is a BIO to output status to */
 
 EVP_PKEY_CTX_set_app_data(ctx, status_bio);
diff --git a/src/lib/libcrypto/man/EVP_PKEY_print_private.3 b/src/lib/libcrypto/man/EVP_PKEY_print_private.3
index a271835f9c..0f8a74cb9c 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_print_private.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_print_private.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_print_private.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_print_private.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_PRINT_PRIVATE 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@ indicates how far the printout should be indented.
 .Pp
 The
 .Fa pctx
-parameter allows the print output to be finely tuned by using ASN1
+parameter allows the print output to be finely tuned by using ASN.1
 printing options.
 If
 .Fa pctx
diff --git a/src/lib/libcrypto/man/EVP_PKEY_sign.3 b/src/lib/libcrypto/man/EVP_PKEY_sign.3
index 8ed1432618..82f4c1b8ad 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_sign.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_sign.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_SIGN 3
 .Os
 .Sh NAME
@@ -76,7 +76,7 @@ In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
 Sign data using RSA with PKCS#1 padding and SHA256 digest:
-.Bd -literal
+.Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify.3 b/src/lib/libcrypto/man/EVP_PKEY_verify.3
index faf2dca1f6..70f9c31d51 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_verify.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_verify.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_verify.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_verify.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_VERIFY 3
 .Os
 .Sh NAME
@@ -72,7 +72,7 @@ In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
 Verify signature using PKCS#1 and SHA256 digest:
-.Bd -literal
+.Bd -literal -offset 3n
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3 b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
index d1cedadef4..12db9259ae 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: EVP_PKEY_verify_recover.3,v 1.3 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_PKEY_verify_recover.3,v 1.4 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_PKEY_VERIFY_RECOVER 3
 .Os
 .Sh NAME
@@ -87,7 +87,7 @@ In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
 Recover digest originally signed using PKCS#1 and SHA256 digest:
-.Bd -literal
+.Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
diff --git a/src/lib/libcrypto/man/EVP_SealInit.3 b/src/lib/libcrypto/man/EVP_SealInit.3
index 75113fcbe8..983b648297 100644
--- a/src/lib/libcrypto/man/EVP_SealInit.3
+++ b/src/lib/libcrypto/man/EVP_SealInit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_SealInit.3,v 1.3 2016/11/21 09:56:35 schwarze Exp $
+.\"     $OpenBSD: EVP_SealInit.3,v 1.4 2016/11/21 22:19:15 jmc Exp $
 .\"
 .Dd $Mdocdate: November 21 2016 $
 .Dt EVP_SEALINIT 3
@@ -49,7 +49,7 @@ for encryption with cipher
 using a random secret key and IV.
 .Fa type
 is normally supplied by a function such as
-.Fn EVP_aes_256_cbc 3 ;
+.Fn EVP_aes_256_cbc ;
 see
 .Xr EVP_EncryptInit 3
 for details.
diff --git a/src/lib/libcrypto/man/EVP_SignInit.3 b/src/lib/libcrypto/man/EVP_SignInit.3
index c18b074b6d..0a76dd7eaf 100644
--- a/src/lib/libcrypto/man/EVP_SignInit.3
+++ b/src/lib/libcrypto/man/EVP_SignInit.3
@@ -1,12 +1,13 @@
-.\"     $OpenBSD: EVP_SignInit.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_SignInit.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_SIGNINIT 3
 .Os
 .Sh NAME
-.Nm EVP_SignInit ,
+.Nm EVP_SignInit_ex ,
 .Nm EVP_SignUpdate ,
 .Nm EVP_SignFinal ,
+.Nm EVP_SignInit ,
 .Nm EVP_PKEY_size
 .Nd EVP signing functions
 .Sh SYNOPSIS
@@ -80,7 +81,7 @@ must be at least
 bytes in size.
 .Fa s
 is an OUT parameter, and not used as an IN parameter.
-The number of bytes of data written (i.e.
+The number of bytes of data written (i.e.\&
 the length of the signature) will be written to the integer at
 .Fa s .
 At most
@@ -164,6 +165,4 @@ amounts of data have been passed through
 It is not possible to change the signing parameters using these
 function.
 .Pp
-The previous two bugs are fixed in the newer
-.Xr EVP_SignDigest* 3
-function.
+The previous two bugs are fixed in the newer EVP_SignDigest* function.
diff --git a/src/lib/libcrypto/man/EVP_VerifyInit.3 b/src/lib/libcrypto/man/EVP_VerifyInit.3
index cec803136e..ab43e4faf2 100644
--- a/src/lib/libcrypto/man/EVP_VerifyInit.3
+++ b/src/lib/libcrypto/man/EVP_VerifyInit.3
@@ -1,12 +1,13 @@
-.\"     $OpenBSD: EVP_VerifyInit.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: EVP_VerifyInit.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP_VERIFYINIT 3
 .Os
 .Sh NAME
-.Nm EVP_VerifyInit ,
+.Nm EVP_VerifyInit_ex ,
 .Nm EVP_VerifyUpdate ,
-.Nm EVP_VerifyFinal
+.Nm EVP_VerifyFinal ,
+.Nm EVP_VerifyInit
 .Nd EVP signature verification functions
 .Sh SYNOPSIS
 .In openssl/evp.h
diff --git a/src/lib/libcrypto/man/bn_dump.3 b/src/lib/libcrypto/man/bn_dump.3
index 73f0cfe23f..9c4b06e9b3 100644
--- a/src/lib/libcrypto/man/bn_dump.3
+++ b/src/lib/libcrypto/man/bn_dump.3
@@ -1,6 +1,6 @@
-.\"     $OpenBSD: bn_dump.3,v 1.2 2015/11/12 09:51:55 jmc Exp $
+.\"     $OpenBSD: bn_dump.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 12 2015 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt BN_DUMP 3
 .Os
 .Sh NAME
@@ -327,7 +327,7 @@ This structure contains BN_CTX_NUM
 .Vt BIGNUM Ns s,
 see
 .Xr BN_CTX_start 3 .
-.Ss Low-level arithmetic operations
+.Ss Low level arithmetic operations
 These functions are implemented in C and for several platforms in
 assembly language:
 .Pp
diff --git a/src/lib/libcrypto/man/evp.3 b/src/lib/libcrypto/man/evp.3
index 832009f3a0..6666d47939 100644
--- a/src/lib/libcrypto/man/evp.3
+++ b/src/lib/libcrypto/man/evp.3
@@ -1,15 +1,15 @@
-.\"     $OpenBSD: evp.3,v 1.2 2016/11/06 15:52:50 jmc Exp $
+.\"     $OpenBSD: evp.3,v 1.3 2016/11/21 22:19:15 jmc Exp $
 .\"
-.Dd $Mdocdate: November 6 2016 $
+.Dd $Mdocdate: November 21 2016 $
 .Dt EVP 3
 .Os
 .Sh NAME
 .Nm evp
-.Nd high-level cryptographic functions
+.Nd high level cryptographic functions
 .Sh SYNOPSIS
 .In openssl/evp.h
 .Sh DESCRIPTION
-The EVP library provides a high-level interface to cryptographic
+The EVP library provides a high level interface to cryptographic
 functions.
 .Pp
 .Xr EVP_SealInit 3