128 files changed, 714 insertions, 497 deletions
diff --git a/src/lib/libcrypto/doc/DH_generate_key.pod b/src/lib/libcrypto/doc/DH_generate_key.pod
index 81f09fdf45..148e13762b 100644
--- a/src/lib/libcrypto/doc/DH_generate_key.pod
+++ b/src/lib/libcrypto/doc/DH_generate_key.pod
@@ -40,7 +40,8 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 =head1 SEE ALSO
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DH_size(3)|DH_size(3)>
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/DH_generate_parameters.pod b/src/lib/libcrypto/doc/DH_generate_parameters.pod
index 862aa0c39a..d19e0217ee 100644
--- a/src/lib/libcrypto/doc/DH_generate_parameters.pod
+++ b/src/lib/libcrypto/doc/DH_generate_parameters.pod
@@ -23,11 +23,11 @@ seeded prior to calling DH_generate_parameters().
 B<prime_len> is the length in bits of the safe prime to be generated.
 B<generator> is a small number E<gt> 1, typically 2 or 5.
-A callback function may be used to provide feedback about the progress
+A callback function may be used to provide feedback about the progress of the
-of the key generation. If B<callback> is not B<NULL>, it will be
+key generation. If B<callback> is not B<NULL>, it will be called as described
-called as described in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime
+in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime number is
-number is generated, and when a prime has been found, B<callback(3,
+generated, and when a prime has been found, B<callback(3, 0, cb_arg)> is
-0, cb_arg)> is called.
+called.
 DH_check() validates Diffie-Hellman parameters. It checks that B<p> is
 a safe prime, and that B<g> is a suitable generator. In the case of an
diff --git a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
index fa5eab2650..934ec094bb 100644
--- a/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
+++ b/src/lib/libcrypto/doc/DH_get_ex_new_index.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific data to DH structures
+DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific
+data to DH structures
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/DH_new.pod b/src/lib/libcrypto/doc/DH_new.pod
index 60c930093e..d6c3ca82b5 100644
--- a/src/lib/libcrypto/doc/DH_new.pod
+++ b/src/lib/libcrypto/doc/DH_new.pod
@@ -21,9 +21,9 @@ erased before the memory is returned to the system.
 =head1 RETURN VALUES
-If the allocation fails, DH_new() returns B<NULL> and sets an error
+If the allocation fails, DH_new() returns B<NULL> and sets an error code that
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a
-a pointer to the newly allocated structure.
+pointer to the newly allocated structure.
 DH_free() returns no value.
diff --git a/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod b/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod
index fb6efc1182..e2fcabf370 100644
--- a/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod
+++ b/src/lib/libcrypto/doc/DSA_get_ex_new_index.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application specific data to DSA structures
+DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application
+specific data to DSA structures
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/DSA_set_method.pod b/src/lib/libcrypto/doc/DSA_set_method.pod
index 5ad7362f58..707370adf7 100644
--- a/src/lib/libcrypto/doc/DSA_set_method.pod
+++ b/src/lib/libcrypto/doc/DSA_set_method.pod
@@ -103,8 +103,8 @@ B<DSA_METHOD>s.
 DSA_set_default_method() returns no value.
-DSA_set_method() returns non-zero if the provided B<meth> was successfully set as
+DSA_set_method() returns non-zero if the provided B<meth> was successfully set
-the method for B<dsa> (including unloading the ENGINE handle if the previous
+as the method for B<dsa> (including unloading the ENGINE handle if the previous
 method was supplied by an ENGINE).
 DSA_new_method() returns NULL and sets an error code that can be
@@ -117,8 +117,8 @@ As of version 0.9.7, DSA_METHOD implementations are grouped together with other
 algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
 default ENGINE is specified for DSA functionality using an ENGINE API function,
 that will override any DSA defaults set using the DSA API (ie.
-DSA_set_default_method()). For this reason, the ENGINE API is the recommended way
+DSA_set_default_method()). For this reason, the ENGINE API is the recommended
-to control default implementations for use in DSA and other cryptographic
+way to control default implementations for use in DSA and other cryptographic
 algorithms.
 =head1 SEE ALSO
diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod
index dcc5d73f69..2ff01b9c7c 100644
--- a/src/lib/libcrypto/doc/EVP_DigestInit.pod
+++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod
@@ -4,12 +4,12 @@
 EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
 EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
-EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
+EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type,
-EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
+EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size,
-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224, EVP_sha256,
+EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha,
-EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
+EVP_sha1, EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1,
-EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
+EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid,
-EVP digest routines
+EVP_get_digestbyobj - EVP digest routines
 =head1 SYNOPSIS
@@ -127,11 +127,11 @@ normally used when setting ASN1 OIDs.
 EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed
 B<EVP_MD_CTX>.
-EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated
+EVP_MD_pkey_type() returns the NID of the public key signing algorithm
-with this digest. For example EVP_sha1() is associated with RSA so this will
+associated with this digest. For example EVP_sha1() is associated with RSA so
-return B<NID_sha1WithRSAEncryption>. Since digests and signature algorithms
+this will return B<NID_sha1WithRSAEncryption>. Since digests and signature
-are no longer linked this function is only retained for compatibility
+algorithms are no longer linked this function is only retained for
-reasons.
+compatibility reasons.
 EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
 EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD>
diff --git a/src/lib/libcrypto/doc/EVP_DigestSignInit.pod b/src/lib/libcrypto/doc/EVP_DigestSignInit.pod
index 11e8f6f937..7aec6daecc 100644
--- a/src/lib/libcrypto/doc/EVP_DigestSignInit.pod
+++ b/src/lib/libcrypto/doc/EVP_DigestSignInit.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal - EVP signing functions
+EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal - EVP signing
+functions
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_DigestVerifyInit.pod b/src/lib/libcrypto/doc/EVP_DigestVerifyInit.pod
index 819e0d4b9f..60666bfddc 100644
--- a/src/lib/libcrypto/doc/EVP_DigestVerifyInit.pod
+++ b/src/lib/libcrypto/doc/EVP_DigestVerifyInit.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal - EVP signature verification functions
+EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal - EVP
+signature verification functions
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index 84875e0fe0..d42445cf10 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -239,11 +239,13 @@ RC5 can be set.
 EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
 return 1 for success and 0 for failure.
-EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
+EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for
-EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
+failure.  EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for
+success.
-EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure.
+EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for
-EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
+failure.  EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for
+success.
 EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure.
@@ -285,11 +287,13 @@ Null cipher: does nothing.
 DES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void),  EVP_des_ede_cfb(void)
+=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void),
+EVP_des_ede_cfb(void)
 Two key triple DES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void),  EVP_des_ede3_cfb(void)
+=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void),
+EVP_des_ede3_cfb(void)
 Three key triple DES in CBC, ECB, CFB and OFB modes respectively.
@@ -299,44 +303,49 @@ DESX algorithm in CBC mode.
 =item EVP_rc4(void)
-RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
+RC4 stream cipher. This is a variable key length cipher with default key length
+128 bits.
 =item EVP_rc4_40(void)
-RC4 stream cipher with 40 bit key length. This is obsolete and new code should use EVP_rc4()
+RC4 stream cipher with 40 bit key length. This is obsolete and new code should
-and the EVP_CIPHER_CTX_set_key_length() function.
+use EVP_rc4() and the EVP_CIPHER_CTX_set_key_length() function.
-=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void)
+=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void),
+EVP_idea_ofb(void), EVP_idea_cbc(void)
 IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
 =item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)
-RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
+RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a
-length cipher with an additional parameter called "effective key bits" or "effective key length".
+variable key length cipher with an additional parameter called "effective key
-By default both are set to 128 bits.
+bits" or "effective key length".  By default both are set to 128 bits.
 =item EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)
-RC2 algorithm in CBC mode with a default key length and effective key length of 40 and 64 bits.
+RC2 algorithm in CBC mode with a default key length and effective key length of
-These are obsolete and new code should use EVP_rc2_cbc(), EVP_CIPHER_CTX_set_key_length() and
+40 and 64 bits.  These are obsolete and new code should use EVP_rc2_cbc(),
-EVP_CIPHER_CTX_ctrl() to set the key length and effective key length.
+EVP_CIPHER_CTX_set_key_length() and EVP_CIPHER_CTX_ctrl() to set the key length
+and effective key length.
 =item EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);
-Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
+Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This
-length cipher.
+is a variable key length cipher.
-=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)
+=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void),
+EVP_cast5_ofb(void)
-CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
+CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is
-length cipher.
+a variable key length cipher.
-=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)
+=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void),
+EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)
-RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key length
+RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a
-cipher with an additional "number of rounds" parameter. By default the key length is set to 128
+variable key length cipher with an additional "number of rounds" parameter. By
-bits and 12 rounds.
+default the key length is set to 128 bits and 12 rounds.
 =back
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod b/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
index e8d1ddda75..ba6e51100b 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
@@ -65,14 +65,15 @@ RSA_PKCS1_OAEP_PADDING for OAEP padding (encrypt and decrypt only),
 RSA_X931_PADDING for X9.31 padding (signature operations only) and
 RSA_PKCS1_PSS_PADDING (sign and verify only).
-Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md()
+Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md() is
-is used. If this macro is called for PKCS#1 padding the plaintext buffer is
+used. If this macro is called for PKCS#1 padding the plaintext buffer is an
-an actual digest value and is encapsulated in a DigestInfo structure according
+actual digest value and is encapsulated in a DigestInfo structure according to
-to PKCS#1 when signing and this structure is expected (and stripped off) when
+PKCS#1 when signing and this structure is expected (and stripped off) when
 verifying. If this control is not used with RSA and PKCS#1 padding then the
 supplied data is used directly and not encapsulated. In the case of X9.31
 padding for RSA the algorithm identifier byte is added or checked and removed
-if this control is called. If it is not called then the first byte of the plaintext buffer is expected to be the algorithm identifier byte.
+if this control is called. If it is not called then the first byte of the
+plaintext buffer is expected to be the algorithm identifier byte.
 The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to
 B<len> as its name implies it is only supported for PSS padding.  Two special
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_CTX_new.pod b/src/lib/libcrypto/doc/EVP_PKEY_CTX_new.pod
index a9af867580..9822d6806f 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_CTX_new.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_CTX_new.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free - public key algorithm context functions.
+EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free -
+public key algorithm context functions.
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_cmp.pod b/src/lib/libcrypto/doc/EVP_PKEY_cmp.pod
index 4145245299..c389216086 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_cmp.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_cmp.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters, EVP_PKEY_cmp - public key parameter and comparison functions
+EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters,
+EVP_PKEY_cmp - public key parameter and comparison functions
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_derive.pod b/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
index de877ead1a..2424ce0e54 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive - derive public key algorithm shared secret.
+EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive - derive public
+key algorithm shared secret.
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod b/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
index b6102da036..378fb310ff 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
@@ -2,7 +2,10 @@
 =head1 NAME
-EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init, EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb, EVP_PKEY_CTX_get_keygen_info, EVP_PKEVP_PKEY_CTX_set_app_data, EVP_PKEY_CTX_get_app_data - key and parameter generation functions
+EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init,
+EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb,
+EVP_PKEY_CTX_get_keygen_info, EVP_PKEVP_PKEY_CTX_set_app_data,
+EVP_PKEY_CTX_get_app_data - key and parameter generation functions
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_print_private.pod b/src/lib/libcrypto/doc/EVP_PKEY_print_private.pod
index c9b7a89821..eabbaed264 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_print_private.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_print_private.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params - public key algorithm printing routines.
+EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params - public
+key algorithm printing routines.
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_set1_RSA.pod b/src/lib/libcrypto/doc/EVP_PKEY_set1_RSA.pod
index 8afb1b22e1..c2031c3d0b 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_set1_RSA.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_set1_RSA.pod
@@ -4,8 +4,8 @@
 EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
 EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
-EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY,
+EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH,
-EVP_PKEY_type - EVP_PKEY assignment functions.
+EVP_PKEY_assign_EC_KEY, EVP_PKEY_type - EVP_PKEY assignment functions.
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_verify.pod b/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
index f7ae4f9ebe..ba317b4e7b 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_verify_init, EVP_PKEY_verify - signature verification using a public key algorithm
+EVP_PKEY_verify_init, EVP_PKEY_verify - signature verification using a public
+key algorithm
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod b/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
index 00d53db783..4debf7bff0 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using a public key algorithm
+EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using
+a public key algorithm
 =head1 SYNOPSIS
@@ -45,7 +46,8 @@ context if several operations are performed using the same parameters.
 =head1 RETURN VALUES
-EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for success
+EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for
+success
 and 0 or a negative value for failure. In particular a return value of -2
 indicates the operation is not supported by the public key algorithm.
diff --git a/src/lib/libcrypto/doc/EVP_VerifyInit.pod b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
index 0ffb0a8077..c665ee2ebc 100644
--- a/src/lib/libcrypto/doc/EVP_VerifyInit.pod
+++ b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification functions
+EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification
+functions
 =head1 SYNOPSIS
@@ -38,8 +39,8 @@ implementation of digest B<type>.
 EVP_VerifyInit_ex() and EVP_VerifyUpdate() return 1 for success and 0 for
 failure.
-EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some
+EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if
-other error occurred.
+some other error occurred.
 The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
diff --git a/src/lib/libcrypto/doc/OBJ_nid2obj.pod b/src/lib/libcrypto/doc/OBJ_nid2obj.pod
index 458ef025f0..b2b8af990c 100644
--- a/src/lib/libcrypto/doc/OBJ_nid2obj.pod
+++ b/src/lib/libcrypto/doc/OBJ_nid2obj.pod
@@ -2,9 +2,9 @@
 =head1 NAME
-OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid,
+OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid,
-OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup - ASN1 object utility
+OBJ_sn2nid, OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup
-functions
+- ASN1 object utility functions
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod b/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
index c39ac35e78..2f63a18a71 100644
--- a/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
+++ b/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
@@ -94,8 +94,8 @@ L<crypto(3)|crypto(3)>
 =head1 HISTORY
-SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and OpenSSL.
+SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and
-OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
+OpenSSL.  OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
 B<SSLEAY_DIR> was added in OpenSSL 0.9.7.
 =cut
diff --git a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
index e63411b5bb..cc6c07fa24 100644
--- a/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
+++ b/src/lib/libcrypto/doc/OpenSSL_add_all_algorithms.pod
@@ -39,24 +39,24 @@ None of the functions return a value.
 A typical application will call OpenSSL_add_all_algorithms() initially and
 EVP_cleanup() before exiting.
-An application does not need to add algorithms to use them explicitly, for example
+An application does not need to add algorithms to use them explicitly, for
-by EVP_sha1(). It just needs to add them if it (or any of the functions it calls)
+example by EVP_sha1(). It just needs to add them if it (or any of the functions
-needs to lookup algorithms.
+it calls) needs to lookup algorithms.
-The cipher and digest lookup functions are used in many parts of the library. If
+The cipher and digest lookup functions are used in many parts of the library.
-the table is not initialized several functions will misbehave and complain they
+If the table is not initialized several functions will misbehave and complain
-cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME libraries.
+they cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME
-This is a common query in the OpenSSL mailing lists.
+libraries.  This is a common query in the OpenSSL mailing lists.
 Calling OpenSSL_add_all_algorithms() links in all algorithms: as a result a
-statically linked executable can be quite large. If this is important it is possible
+statically linked executable can be quite large. If this is important it is
-to just add the required ciphers and digests.
+possible to just add the required ciphers and digests.
 =head1 BUGS
-Although the functions do not return error codes it is possible for them to fail.
+Although the functions do not return error codes it is possible for them to
-This will only happen as a result of a memory allocation failure so this is not
+fail.  This will only happen as a result of a memory allocation failure so this
-too much of a problem in practice.
+is not too much of a problem in practice.
 =head1 SEE ALSO
diff --git a/src/lib/libcrypto/doc/PEM_read_bio_PrivateKey.pod b/src/lib/libcrypto/doc/PEM_read_bio_PrivateKey.pod
index e196bf1498..7e821f69c3 100644
--- a/src/lib/libcrypto/doc/PEM_read_bio_PrivateKey.pod
+++ b/src/lib/libcrypto/doc/PEM_read_bio_PrivateKey.pod
@@ -2,7 +2,29 @@
 =head1 NAME
-PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines
+PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey,
+PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey,
+PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid,
+PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY,
+PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey,
+PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey,
+PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey,
+PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY,
+PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey,
+PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey,
+PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY,
+PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams,
+PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams,
+PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams,
+PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509,
+PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX,
+PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ,
+PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW,
+PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL,
+PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7,
+PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE,
+PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE,
+PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/PEM_write_bio_CMS_stream.pod b/src/lib/libcrypto/doc/PEM_write_bio_CMS_stream.pod
index e070c45c2e..f9946adebf 100644
--- a/src/lib/libcrypto/doc/PEM_write_bio_CMS_stream.pod
+++ b/src/lib/libcrypto/doc/PEM_write_bio_CMS_stream.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- PEM_write_bio_CMS_stream - output CMS_ContentInfo structure in PEM format.
+PEM_write_bio_CMS_stream - output CMS_ContentInfo structure in PEM format.
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/PKCS12_create.pod b/src/lib/libcrypto/doc/PKCS12_create.pod
index 0a1e460cf1..382193ec95 100644
--- a/src/lib/libcrypto/doc/PKCS12_create.pod
+++ b/src/lib/libcrypto/doc/PKCS12_create.pod
@@ -38,13 +38,13 @@ The default MAC iteration count is 1 in order to retain compatibility with
 old software which did not interpret MAC iteration counts. If such compatibility
 is not required then B<mac_iter> should be set to PKCS12_DEFAULT_ITER.
-B<keytype> adds a flag to the store private key. This is a non standard extension
+B<keytype> adds a flag to the store private key. This is a non standard
-that is only currently interpreted by MSIE. If set to zero the flag is omitted,
+extension that is only currently interpreted by MSIE. If set to zero the flag
-if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX>
+is omitted, if set to B<KEY_SIG> the key can be used for signing only, if set
-it can be used for signing and encryption. This option was useful for old
+to B<KEY_EX> it can be used for signing and encryption. This option was useful
-export grade software which could use signing only keys of arbitrary size but
+for old export grade software which could use signing only keys of arbitrary
-had restrictions on the permissible sizes of keys which could be used for
+size but had restrictions on the permissible sizes of keys which could be used
-encryption.
+for encryption.
 =head1 NEW FUNCTIONALITY IN OPENSSL 0.9.8
diff --git a/src/lib/libcrypto/doc/PKCS7_decrypt.pod b/src/lib/libcrypto/doc/PKCS7_decrypt.pod
index 325699d0b6..78919998ce 100644
--- a/src/lib/libcrypto/doc/PKCS7_decrypt.pod
+++ b/src/lib/libcrypto/doc/PKCS7_decrypt.pod
@@ -22,8 +22,9 @@ B<flags> is an optional set of flags.
 OpenSSL_add_all_algorithms() (or equivalent) should be called before using this
 function or errors about unknown algorithms will occur.
-Although the recipients certificate is not needed to decrypt the data it is needed
+Although the recipients certificate is not needed to decrypt the data it is
-to locate the appropriate (of possible several) recipients in the PKCS#7 structure.
+needed to locate the appropriate (of possible several) recipients in the PKCS#7
+structure.
 The following flags can be passed in the B<flags> parameter.
@@ -38,8 +39,9 @@ The error can be obtained from ERR_get_error(3)
 =head1 BUGS
-PKCS7_decrypt() must be passed the correct recipient key and certificate. It would
+PKCS7_decrypt() must be passed the correct recipient key and certificate. It
-be better if it could look up the correct key and certificate from a database.
+would be better if it could look up the correct key and certificate from a
+database.
 The lack of single pass processing and need to hold all data in memory as
 mentioned in PKCS7_sign() also applies to PKCS7_verify().
diff --git a/src/lib/libcrypto/doc/PKCS7_verify.pod b/src/lib/libcrypto/doc/PKCS7_verify.pod
index 51ada03f2d..f88e66632b 100644
--- a/src/lib/libcrypto/doc/PKCS7_verify.pod
+++ b/src/lib/libcrypto/doc/PKCS7_verify.pod
@@ -37,9 +37,9 @@ be signedData. There must be at least one signature on the data and if
 the content is detached B<indata> cannot be B<NULL>.
 An attempt is made to locate all the signer's certificates, first looking in
-the B<certs> parameter (if it is not B<NULL>) and then looking in any certificates
+the B<certs> parameter (if it is not B<NULL>) and then looking in any
-contained in the B<p7> structure itself. If any signer's certificates cannot be
+certificates contained in the B<p7> structure itself. If any signer's
-located the operation fails.
+certificates cannot be located the operation fails.
 Each signer's certificate is chain verified using the B<smimesign> purpose and
 the supplied trusted certificate store. Any internal certificates in the message
@@ -50,9 +50,9 @@ the signature's checked.
 If all signature's verify correctly then the function is successful.
-Any of the following flags (ored together) can be passed in the B<flags> parameter
+Any of the following flags (ored together) can be passed in the B<flags>
-to change the default verify behaviour. Only the flag B<PKCS7_NOINTERN> is
+parameter to change the default verify behaviour. Only the flag
-meaningful to PKCS7_get0_signers().
+B<PKCS7_NOINTERN> is meaningful to PKCS7_get0_signers().
 If B<PKCS7_NOINTERN> is set the certificates in the message itself are not
 searched when locating the signer's certificate. This means that all the signers
diff --git a/src/lib/libcrypto/doc/RAND_bytes.pod b/src/lib/libcrypto/doc/RAND_bytes.pod
index 1a9b91e281..34c945b4e5 100644
--- a/src/lib/libcrypto/doc/RAND_bytes.pod
+++ b/src/lib/libcrypto/doc/RAND_bytes.pod
@@ -30,11 +30,10 @@ the new pseudo-random bytes unless disabled at compile time (see FAQ).
 =head1 RETURN VALUES
-RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
+RAND_bytes() returns 1 on success, 0 otherwise. The error code can be obtained
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
+by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
-bytes generated are cryptographically strong, 0 otherwise. Both
+bytes generated are cryptographically strong, 0 otherwise. Both functions
-functions return -1 if they are not supported by the current RAND
+return -1 if they are not supported by the current RAND method.
-method.
 =head1 SEE ALSO
diff --git a/src/lib/libcrypto/doc/RAND_load_file.pod b/src/lib/libcrypto/doc/RAND_load_file.pod
index 3f7e944d86..28118e3c2e 100644
--- a/src/lib/libcrypto/doc/RAND_load_file.pod
+++ b/src/lib/libcrypto/doc/RAND_load_file.pod
@@ -43,7 +43,8 @@ error.
 =head1 SEE ALSO
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>,
+L<RAND_cleanup(3)|RAND_cleanup(3)>
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/RSA_blinding_on.pod b/src/lib/libcrypto/doc/RSA_blinding_on.pod
index fd2c69abd8..e6af8d4355 100644
--- a/src/lib/libcrypto/doc/RSA_blinding_on.pod
+++ b/src/lib/libcrypto/doc/RSA_blinding_on.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing attacks
+RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing
+attacks
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod b/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod
index 7d0fd1f91d..b1ac1167dd 100644
--- a/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod
+++ b/src/lib/libcrypto/doc/RSA_get_ex_new_index.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application specific data to RSA structures
+RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application
+specific data to RSA structures
 =head1 SYNOPSIS
@@ -78,26 +79,27 @@ corresponding parameters when B<RSA_get_ex_new_index()> was called.
 B<dup_func()> is called when a structure is being copied. Pointers to the
 destination and source B<CRYPTO_EX_DATA> structures are passed in the B<to> and
 B<from> parameters respectively. The B<from_d> parameter is passed a pointer to
-the source application data when the function is called, when the function returns
+the source application data when the function is called, when the function
-the value is copied to the destination: the application can thus modify the data
+returns the value is copied to the destination: the application can thus modify
-pointed to by B<from_d> and have different values in the source and destination.
+the data pointed to by B<from_d> and have different values in the source and
-The B<idx>, B<argl> and B<argp> parameters are the same as those in B<new_func()>
+destination.  The B<idx>, B<argl> and B<argp> parameters are the same as those
-and B<free_func()>.
+in B<new_func()> and B<free_func()>.
 =head1 RETURN VALUES
-B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a valid
+B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a
-index value).
+valid index value).
 B<RSA_set_ex_data()> returns 1 on success or 0 on failure.
 B<RSA_get_ex_data()> returns the application data or 0 on failure. 0 may also
-be valid application data but currently it can only fail if given an invalid B<idx>
+be valid application data but currently it can only fail if given an invalid
-parameter.
+B<idx> parameter.
 B<new_func()> and B<dup_func()> should return 0 for failure and 1 for success.
-On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+On failure an error code can be obtained from
+L<ERR_get_error(3)|ERR_get_error(3)>.
 =head1 BUGS
diff --git a/src/lib/libcrypto/doc/RSA_new.pod b/src/lib/libcrypto/doc/RSA_new.pod
index 3d15b92824..41e5e60340 100644
--- a/src/lib/libcrypto/doc/RSA_new.pod
+++ b/src/lib/libcrypto/doc/RSA_new.pod
@@ -22,9 +22,9 @@ erased before the memory is returned to the system.
 =head1 RETURN VALUES
-If the allocation fails, RSA_new() returns B<NULL> and sets an error
+If the allocation fails, RSA_new() returns B<NULL> and sets an error code that
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a
-a pointer to the newly allocated structure.
+pointer to the newly allocated structure.
 RSA_free() returns no value.
diff --git a/src/lib/libcrypto/doc/RSA_private_encrypt.pod b/src/lib/libcrypto/doc/RSA_private_encrypt.pod
index 4c4d131172..aa2bc1bd76 100644
--- a/src/lib/libcrypto/doc/RSA_private_encrypt.pod
+++ b/src/lib/libcrypto/doc/RSA_private_encrypt.pod
@@ -29,10 +29,9 @@ B<padding> denotes one of the following modes:
 =item RSA_PKCS1_PADDING
-PKCS #1 v1.5 padding. This function does not handle the
+PKCS #1 v1.5 padding. This function does not handle the B<algorithmIdentifier>
-B<algorithmIdentifier> specified in PKCS #1. When generating or
+specified in PKCS #1. When generating or verifying PKCS #1 signatures,
-verifying PKCS #1 signatures, L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be
+L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be used.
-used.
 =item RSA_NO_PADDING
diff --git a/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod b/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
index e70380bbfc..315a9af9e8 100644
--- a/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
+++ b/src/lib/libcrypto/doc/RSA_sign_ASN1_OCTET_STRING.pod
@@ -26,7 +26,8 @@ memory.
 B<dummy> is ignored.
-The random number generator must be seeded prior to calling RSA_sign_ASN1_OCTET_STRING().
+The random number generator must be seeded prior to calling
+RSA_sign_ASN1_OCTET_STRING().
 RSA_verify_ASN1_OCTET_STRING() verifies that the signature B<sigbuf>
 of size B<siglen> is the DER representation of a given octet string
diff --git a/src/lib/libcrypto/doc/SHA1.pod b/src/lib/libcrypto/doc/SHA1.pod
index 232af9227e..9fffdf59e7 100644
--- a/src/lib/libcrypto/doc/SHA1.pod
+++ b/src/lib/libcrypto/doc/SHA1.pod
@@ -60,7 +60,8 @@ ANSI X9.30
 =head1 SEE ALSO
-L<ripemd(3)|ripemd(3)>, L<hmac(3)|hmac(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+L<ripemd(3)|ripemd(3)>, L<hmac(3)|hmac(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod b/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod
index 5b9e81b922..c6442b947f 100644
--- a/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod
+++ b/src/lib/libcrypto/doc/X509_NAME_add_entry_by_txt.pod
@@ -2,8 +2,9 @@
 =head1 NAME
-X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID,
+X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ,
-X509_NAME_add_entry, X509_NAME_delete_entry - X509_NAME modification functions
+X509_NAME_add_entry_by_NID, X509_NAME_add_entry, X509_NAME_delete_entry -
+X509_NAME modification functions
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/X509_NAME_print_ex.pod b/src/lib/libcrypto/doc/X509_NAME_print_ex.pod
index b2d86d4ddb..ff5d788d88 100644
--- a/src/lib/libcrypto/doc/X509_NAME_print_ex.pod
+++ b/src/lib/libcrypto/doc/X509_NAME_print_ex.pod
@@ -16,16 +16,16 @@ X509_NAME_oneline - X509_NAME printing routines.
 =head1 DESCRIPTION
-X509_NAME_print_ex() prints a human readable version of B<nm> to BIO B<out>. Each
+X509_NAME_print_ex() prints a human readable version of B<nm> to BIO B<out>.
-line (for multiline formats) is indented by B<indent> spaces. The output format
+Each line (for multiline formats) is indented by B<indent> spaces. The output
-can be extensively customised by use of the B<flags> parameter.
+format can be extensively customised by use of the B<flags> parameter.
-X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output is
+X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output
-written to FILE pointer B<fp>.
+is written to FILE pointer B<fp>.
 X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>. At most B<size>
-bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically allocated
+bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically
-and returned, otherwise B<buf> is returned.
+allocated and returned, otherwise B<buf> is returned.
 X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase>
 characters. Multiple lines are used if the output (including indent) exceeds
@@ -33,10 +33,10 @@ characters. Multiple lines are used if the output (including indent) exceeds
 =head1 NOTES
-The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which
+The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions
-produce a non standard output form, they don't handle multi character fields and
+which produce a non standard output form, they don't handle multi character
-have various quirks and inconsistencies. Their use is strongly discouraged in new
+fields and have various quirks and inconsistencies. Their use is strongly
-applications.
+discouraged in new applications.
 Although there are a large number of possible flags for most purposes
 B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice.
@@ -49,15 +49,16 @@ The complete set of the flags supported by X509_NAME_print_ex() is listed below.
 Several options can be ored together.
 The options B<XN_FLAG_SEP_COMMA_PLUS>, B<XN_FLAG_SEP_CPLUS_SPC>,
-B<XN_FLAG_SEP_SPLUS_SPC> and B<XN_FLAG_SEP_MULTILINE> determine the field separators
+B<XN_FLAG_SEP_SPLUS_SPC> and B<XN_FLAG_SEP_MULTILINE> determine the field
-to use. Two distinct separators are used between distinct RelativeDistinguishedName
+separators to use. Two distinct separators are used between distinct
-components and separate values in the same RDN for a multi-valued RDN. Multi-valued
+RelativeDistinguishedName components and separate values in the same RDN for a
-RDNs are currently very rare so the second separator will hardly ever be used.
+multi-valued RDN. Multi-valued RDNs are currently very rare so the second
+separator will hardly ever be used.
-B<XN_FLAG_SEP_COMMA_PLUS> uses comma and plus as separators. B<XN_FLAG_SEP_CPLUS_SPC>
+B<XN_FLAG_SEP_COMMA_PLUS> uses comma and plus as separators.
-uses comma and plus with spaces: this is more readable that plain comma and plus.
+B<XN_FLAG_SEP_CPLUS_SPC> uses comma and plus with spaces: this is more readable
-B<XN_FLAG_SEP_SPLUS_SPC> uses spaced semicolon and plus. B<XN_FLAG_SEP_MULTILINE> uses
+that plain comma and plus.  B<XN_FLAG_SEP_SPLUS_SPC> uses spaced semicolon and
-spaced newline and plus respectively.
+plus. B<XN_FLAG_SEP_MULTILINE> uses spaced newline and plus respectively.
 If B<XN_FLAG_DN_REV> is set the whole DN is printed in reversed order.
@@ -92,7 +93,8 @@ B<XN_FLAG_ONELINE> is a more readable one line format which is the same as:
 B<XN_FLAG_MULTILINE> is a multiline format which is the same as:
 B<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN>
-B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it calls X509_NAME_print() internally.
+B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it
+calls X509_NAME_print() internally.
 =head1 SEE ALSO
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
index 60e8332ae9..5760f64fcb 100644
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
+++ b/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
@@ -2,7 +2,10 @@
 =head1 NAME
-X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
+X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
+X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert,
+X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set
+certificate verification status information
 =head1 SYNOPSIS
@@ -82,19 +85,22 @@ of an untrusted certificate cannot be found.
 the CRL of a certificate could not be found.
-=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature>
+=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt
+certificate's signature>
 the certificate signature could not be decrypted. This means that the actual
 signature value could not be determined rather than it not matching the
 expected value, this is only meaningful for RSA keys.
-=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature>
+=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's
+signature>
 the CRL signature could not be decrypted: this means that the actual signature
 value could not be determined rather than it not matching the expected value.
 Unused.
-=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key>
+=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
+public key>
 the public key in the certificate SubjectPublicKeyInfo could not be read.
@@ -112,7 +118,8 @@ the certificate is not yet valid: the notBefore date is after the current time.
 =item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
-the certificate has expired: that is the notAfter date is before the current time.
+the certificate has expired: that is the notAfter date is before the current
+time.
 =item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
@@ -122,19 +129,23 @@ the CRL is not yet valid.
 the CRL has expired.
-=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field>
+=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
+certificate's notBefore field>
 the certificate notBefore field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field>
+=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's
+notAfter field>
 the certificate notAfter field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field>
+=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's
+lastUpdate field>
 the CRL lastUpdate field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field>
+=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's
+nextUpdate field>
 the CRL nextUpdate field contains an invalid time.
@@ -147,17 +158,20 @@ an error occurred trying to allocate memory. This should never happen.
 the passed certificate is self signed and the same certificate cannot be found
 in the list of trusted certificates.
-=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain>
+=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
+certificate chain>
 the certificate chain could be built up using the untrusted certificates but
 the root could not be found locally.
-=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
+=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
+issuer certificate>
 the issuer certificate of a locally looked up certificate could not be found.
 This normally means the list of trusted certificates is not complete.
-=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
+=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first
+certificate>
 no signatures could be verified because the chain contains only one certificate
 and it is not self signed.
@@ -198,34 +212,39 @@ did not match the issuer name of the current certificate. This is only set
 if issuer check debugging is enabled it is used for status notification and
 is B<not> in itself an error.
-=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
+=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier
+mismatch>
 the current candidate issuer certificate was rejected because its subject key
 identifier was present and did not match the authority key identifier current
 certificate. This is only set if issuer check debugging is enabled it is used
 for status notification and is B<not> in itself an error.
-=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
+=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial
+number mismatch>
 the current candidate issuer certificate was rejected because its issuer name
 and serial number was present and did not match the authority key identifier of
 the current certificate. This is only set if issuer check debugging is enabled
 it is used for status notification and is B<not> in itself an error.
-=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
+=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate
+signing>
 the current candidate issuer certificate was rejected because its keyUsage
 extension does not permit certificate signing. This is only set if issuer check
 debugging is enabled it is used for status notification and is B<not> in itself
 an error.
-=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension>
+=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate
+extension>
 A certificate extension had an invalid value (for example an incorrect
 encoding) or some value inconsistent with other extensions.
-=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension>
+=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent
+certificate policy extension>
 A certificate policies extension had an invalid value (for example an incorrect
 encoding) or some value inconsistent with other extensions. This error only
@@ -252,17 +271,20 @@ A name constraint violation occured in the permitted subtrees.
 A name constraint violation occured in the excluded subtrees.
-=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported>
+=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not
+supported>
 A certificate name constraints extension included a minimum or maximum field:
 this is not supported.
-=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type>
+=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint
+type>
 An unsupported name constraint type was encountered. OpenSSL currently only
 supports directory name, DNS name, email and URI types.
-=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax>
+=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name
+constraint syntax>
 The format of the name constraint is not recognised: for example an email
 address format of a form not mentioned in RFC3280. This could be caused by
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod
index 1b75967ccd..392b36c3ae 100644
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod
+++ b/src/lib/libcrypto/doc/X509_STORE_CTX_get_ex_new_index.pod
@@ -2,7 +2,9 @@
 =head1 NAME
-X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_ex_data - add application specific data to X509_STORE_CTX structures
+X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data,
+X509_STORE_CTX_get_ex_data - add application specific data to X509_STORE_CTX
+structures
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod
index 1c55236aa2..8f602274ee 100644
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod
+++ b/src/lib/libcrypto/doc/X509_STORE_CTX_new.pod
@@ -2,7 +2,11 @@
 =head1 NAME
-X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX initialisation
+X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free,
+X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert,
+X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param,
+X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX
+initialisation
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod b/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod
index 012f2d2c75..f9602b3e77 100644
--- a/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod
+++ b/src/lib/libcrypto/doc/X509_STORE_set_verify_cb_func.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb - set verification callback
+X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb - set verification
+callback
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod b/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
index e5da5bec08..f213a9c117 100644
--- a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
+++ b/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
@@ -2,7 +2,12 @@
 =head1 NAME
-X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509 verification parameters
+X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
+X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
+X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
+X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time,
+X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509
+verification parameters
 =head1 SYNOPSIS
diff --git a/src/lib/libcrypto/doc/bn.pod b/src/lib/libcrypto/doc/bn.pod
index cd2f8e50c6..4a3f24ba30 100644
--- a/src/lib/libcrypto/doc/bn.pod
+++ b/src/lib/libcrypto/doc/bn.pod
@@ -166,10 +166,10 @@ of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)|BN_bn2bin(3)>.
 =head1 SEE ALSO
-L<bn_internal(3)|bn_internal(3)>,
+L<bn_internal(3)|bn_internal(3)>, L<dh(3)|dh(3)>, L<err(3)|err(3)>,
-L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<BN_new(3)|BN_new(3)>,
-L<BN_new(3)|BN_new(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<BN_CTX_new(3)|BN_CTX_new(3)>, L<BN_copy(3)|BN_copy(3)>,
-L<BN_copy(3)|BN_copy(3)>, L<BN_swap(3)|BN_swap(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
+L<BN_swap(3)|BN_swap(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
 L<BN_add(3)|BN_add(3)>, L<BN_add_word(3)|BN_add_word(3)>,
 L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
 L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
diff --git a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
index 1711dc038f..68e7f27de5 100644
--- a/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
+++ b/src/lib/libcrypto/doc/d2i_RSAPublicKey.pod
@@ -29,14 +29,14 @@ d2i_Netscape_RSA - RSA public and private key encoding functions.
 =head1 DESCRIPTION
-d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey
+d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1
-structure.
+RSAPublicKey structure.
 d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using
 a SubjectPublicKeyInfo (certificate public key) structure.
-d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey
+d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1
-structure.
+RSAPrivateKey structure.
 d2i_Netscape_RSA(), i2d_Netscape_RSA() decode and encode an RSA private key in
 NET format.
diff --git a/src/lib/libcrypto/doc/dh.pod b/src/lib/libcrypto/doc/dh.pod
index 97aaa75731..5fb9890a77 100644
--- a/src/lib/libcrypto/doc/dh.pod
+++ b/src/lib/libcrypto/doc/dh.pod
@@ -40,10 +40,11 @@ dh - Diffie-Hellman key agreement
 =head1 DESCRIPTION
-These functions implement the Diffie-Hellman key agreement protocol.
+These functions implement the Diffie-Hellman key agreement protocol.  The
-The generation of shared DH parameters is described in
+generation of shared DH parameters is described in
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>; L<DH_generate_key(3)|DH_generate_key(3)> describes how
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>;
-to perform a key agreement.
+L<DH_generate_key(3)|DH_generate_key(3)> describes how to perform a key
+agreement.
 The B<DH> structure consists of several BIGNUM components.
diff --git a/src/lib/libssl/src/doc/crypto/ASN1_OBJECT_new.pod b/src/lib/libssl/src/doc/crypto/ASN1_OBJECT_new.pod
index 9bae40fccf..b88eb62556 100644
--- a/src/lib/libssl/src/doc/crypto/ASN1_OBJECT_new.pod
+++ b/src/lib/libssl/src/doc/crypto/ASN1_OBJECT_new.pod
@@ -40,6 +40,7 @@ L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_ASN1_OBJECT(3)|d2i_ASN1_OBJECT(3)>
 =head1 HISTORY
-ASN1_OBJECT_new() and ASN1_OBJECT_free() are available in all versions of SSLeay and OpenSSL.
+ASN1_OBJECT_new() and ASN1_OBJECT_free() are available in all versions of
+SSLeay and OpenSSL.
 =cut
diff --git a/src/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod b/src/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod
index 70ac9b8488..3b6ab8b710 100644
--- a/src/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod
+++ b/src/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod
@@ -28,25 +28,27 @@ with '.'.
 =head1 NOTES
-ASN1_STRING_print() is a legacy function which should be avoided in new applications.
+ASN1_STRING_print() is a legacy function which should be avoided in new
+applications.
-Although there are a large number of options frequently B<ASN1_STRFLGS_RFC2253> is
+Although there are a large number of options frequently B<ASN1_STRFLGS_RFC2253>
-suitable, or on UTF8 terminals B<ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB>.
+is suitable, or on UTF8 terminals B<ASN1_STRFLGS_RFC2253 &
+~ASN1_STRFLGS_ESC_MSB>.
 The complete set of supported options for B<flags> is listed below.
-Various characters can be escaped. If B<ASN1_STRFLGS_ESC_2253> is set the characters
+Various characters can be escaped. If B<ASN1_STRFLGS_ESC_2253> is set the
-determined by RFC2253 are escaped. If B<ASN1_STRFLGS_ESC_CTRL> is set control
+characters determined by RFC2253 are escaped. If B<ASN1_STRFLGS_ESC_CTRL> is
-characters are escaped. If B<ASN1_STRFLGS_ESC_MSB> is set characters with the
+set control characters are escaped. If B<ASN1_STRFLGS_ESC_MSB> is set
-MSB set are escaped: this option should B<not> be used if the terminal correctly
+characters with the MSB set are escaped: this option should B<not> be used if
-interprets UTF8 sequences.
+the terminal correctly interprets UTF8 sequences.
 Escaping takes several forms.
-If the character being escaped is a 16 bit character then the form "\UXXXX" is used
+If the character being escaped is a 16 bit character then the form "\UXXXX" is
-using exactly four characters for the hex representation. If it is 32 bits then
+used using exactly four characters for the hex representation. If it is 32 bits
-"\WXXXXXXXX" is used using eight characters of its hex representation. These forms
+then "\WXXXXXXXX" is used using eight characters of its hex representation.
-will only be used if UTF8 conversion is not set (see below).
+These forms will only be used if UTF8 conversion is not set (see below).
 Printable characters are normally escaped using the backslash '\' character. If
 B<ASN1_STRFLGS_ESC_QUOTE> is set then the whole string is instead surrounded by
@@ -58,9 +60,10 @@ If B<ASN1_STRFLGS_UTF8_CONVERT> is set then characters are converted to UTF8
 format first. If the terminal supports the display of UTF8 sequences then this
 option will correctly display multi byte characters.
-If B<ASN1_STRFLGS_IGNORE_TYPE> is set then the string type is not interpreted at
+If B<ASN1_STRFLGS_IGNORE_TYPE> is set then the string type is not interpreted
-all: everything is assumed to be one byte per character. This is primarily for
+at all: everything is assumed to be one byte per character. This is primarily
-debugging purposes and can result in confusing output in multi character strings.
+for debugging purposes and can result in confusing output in multi character
+strings.
 If B<ASN1_STRFLGS_SHOW_TYPE> is set then the string type itself is printed out
 before its value (for example "BMPSTRING"), this actually uses ASN1_tag2str().
diff --git a/src/lib/libssl/src/doc/crypto/BIO_ctrl.pod b/src/lib/libssl/src/doc/crypto/BIO_ctrl.pod
index cf203eeb96..e2d3b0aa54 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_ctrl.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_ctrl.pod
@@ -12,7 +12,8 @@ BIO_get_info_callback, BIO_set_info_callback - BIO control operations
 #include <openssl/bio.h>
 long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);
- long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long));
+ long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int,
+   const char *, int, long, long));
 char * BIO_ptr_ctrl(BIO *bp,int cmd,long larg);
 long BIO_int_ctrl(BIO *bp,int cmd,long larg,int iarg);
@@ -31,7 +32,8 @@ BIO_get_info_callback, BIO_set_info_callback - BIO control operations
 int BIO_get_info_callback(BIO *b,bio_info_cb **cbp);
 int BIO_set_info_callback(BIO *b,bio_info_cb *cb);
- typedef void bio_info_cb(BIO *b, int oper, const char *ptr, int arg1, long arg2, long arg3);
+ typedef void bio_info_cb(BIO *b, int oper, const char *ptr, int arg1,
+   long arg2, long arg3);
 =head1 DESCRIPTION
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_buffer.pod b/src/lib/libssl/src/doc/crypto/BIO_f_buffer.pod
index c0dccf1abe..f44d24be3f 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_f_buffer.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_buffer.pod
@@ -29,11 +29,11 @@ Calling BIO_reset() on a buffering BIO clears any buffered data.
 BIO_get_buffer_num_lines() returns the number of lines currently buffered.
-BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size()
+BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and
-set the read, write or both read and write buffer sizes to B<size>. The initial
+BIO_set_buffer_size() set the read, write or both read and write buffer sizes
-buffer size is DEFAULT_BUFFER_SIZE, currently 4096. Any attempt to reduce the
+to B<size>. The initial buffer size is DEFAULT_BUFFER_SIZE, currently 4096. Any
-buffer size below DEFAULT_BUFFER_SIZE is ignored. Any buffered data is cleared
+attempt to reduce the buffer size below DEFAULT_BUFFER_SIZE is ignored. Any
-when the buffer is resized.
+buffered data is cleared when the buffer is resized.
 BIO_set_buffer_read_data() clears the read buffer and fills it with B<num>
 bytes of B<buf>. If B<num> is larger than the current buffer size the buffer
@@ -58,8 +58,9 @@ BIO_f_buffer() returns the buffering BIO method.
 BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0).
-BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size()
+BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and
-return 1 if the buffer was successfully resized or 0 for failure.
+BIO_set_buffer_size() return 1 if the buffer was successfully resized or 0 for
+failure.
 BIO_set_buffer_read_data() returns 1 if the data was set correctly or 0 if
 there was an error.
diff --git a/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod b/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod
index c0b23c680c..38453c101d 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_f_cipher.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx - cipher BIO filter
+BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx -
+cipher BIO filter
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/BIO_find_type.pod b/src/lib/libssl/src/doc/crypto/BIO_find_type.pod
index bd3b256196..99b1626f56 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_find_type.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_find_type.pod
@@ -47,7 +47,8 @@ B<BIO_TYPE_SOURCE_SINK>) then the next matching BIO of the given general type is
 searched for. BIO_find_type() returns the next matching BIO or NULL if none is
 found.
-Note: not all the B<BIO_TYPE_*> types above have corresponding BIO implementations.
+Note: not all the B<BIO_TYPE_*> types above have corresponding BIO
+implementations.
 BIO_next() returns the next BIO in a chain. It can be used to traverse all BIOs
 in a chain or used in conjunction with BIO_find_type() to find all BIOs of a
diff --git a/src/lib/libssl/src/doc/crypto/BIO_new.pod b/src/lib/libssl/src/doc/crypto/BIO_new.pod
index 2a245fc8de..8c7aeac6de 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_new.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_new.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-BIO_new, BIO_set, BIO_free, BIO_vfree, BIO_free_all - BIO allocation and freeing functions
+BIO_new, BIO_set, BIO_free, BIO_vfree, BIO_free_all - BIO allocation and
+freeing functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod b/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod
index 39ae79fd30..61ded32a02 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_bio.pod
@@ -33,18 +33,19 @@ BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request - BIO pair BIO
 =head1 DESCRIPTION
-BIO_s_bio() returns the method for a BIO pair. A BIO pair is a pair of source/sink
+BIO_s_bio() returns the method for a BIO pair. A BIO pair is a pair of
-BIOs where data written to either half of the pair is buffered and can be read from
+source/sink BIOs where data written to either half of the pair is buffered and
-the other half. Both halves must usually by handled by the same application thread
+can be read from the other half. Both halves must usually by handled by the
-since no locking is done on the internal data structures.
+same application thread since no locking is done on the internal data
+structures.
 Since BIO chains typically end in a source/sink BIO it is possible to make this
-one half of a BIO pair and have all the data processed by the chain under application
+one half of a BIO pair and have all the data processed by the chain under
-control.
+application control.
-One typical use of BIO pairs is to place TLS/SSL I/O under application control, this
+One typical use of BIO pairs is to place TLS/SSL I/O under application control,
-can be used when the application wishes to use a non standard transport for
+this can be used when the application wishes to use a non standard transport
-TLS/SSL or the normal socket routines are inappropriate.
+for TLS/SSL or the normal socket routines are inappropriate.
 Calls to BIO_read() will read data from the buffer or request a retry if no
 data is available.
@@ -81,10 +82,10 @@ B<bio1> or B<bio2> do point to some other BIO, the values are overwritten,
 BIO_free() is not called.
 BIO_get_write_guarantee() and BIO_ctrl_get_write_guarantee() return the maximum
-length of data that can be currently written to the BIO. Writes larger than this
+length of data that can be currently written to the BIO. Writes larger than
-value will return a value from BIO_write() less than the amount requested or if the
+this value will return a value from BIO_write() less than the amount requested
-buffer is full request a retry. BIO_ctrl_get_write_guarantee() is a function
+or if the buffer is full request a retry. BIO_ctrl_get_write_guarantee() is a
-whereas BIO_get_write_guarantee() is a macro.
+function whereas BIO_get_write_guarantee() is a macro.
 BIO_get_read_request() and BIO_ctrl_get_read_request() return the
 amount of data requested, or the buffer size if it is less, if the
@@ -104,21 +105,23 @@ BIO_get_read_request() to zero.
 =head1 NOTES
 Both halves of a BIO pair should be freed. That is even if one half is implicit
-freed due to a BIO_free_all() or SSL_free() call the other half needs to be freed.
+freed due to a BIO_free_all() or SSL_free() call the other half needs to be
+freed.
-When used in bidirectional applications (such as TLS/SSL) care should be taken to
+When used in bidirectional applications (such as TLS/SSL) care should be taken
-flush any data in the write buffer. This can be done by calling BIO_pending()
+to flush any data in the write buffer. This can be done by calling
-on the other half of the pair and, if any data is pending, reading it and sending
+BIO_pending() on the other half of the pair and, if any data is pending,
-it to the underlying transport. This must be done before any normal processing
+reading it and sending it to the underlying transport. This must be done before
-(such as calling select() ) due to a request and BIO_should_read() being true.
+any normal processing (such as calling select() ) due to a request and
+BIO_should_read() being true.
 To see why this is important consider a case where a request is sent using
 BIO_write() and a response read with BIO_read(), this can occur during an
-TLS/SSL handshake for example. BIO_write() will succeed and place data in the write
+TLS/SSL handshake for example. BIO_write() will succeed and place data in the
-buffer. BIO_read() will initially fail and BIO_should_read() will be true. If
+write buffer. BIO_read() will initially fail and BIO_should_read() will be
-the application then waits for data to be available on the underlying transport
+true. If the application then waits for data to be available on the underlying
-before flushing the write buffer it will never succeed because the request was
+transport before flushing the write buffer it will never succeed because the
-never sent!
+request was never sent!
 =head1 RETURN VALUES
diff --git a/src/lib/libssl/src/doc/crypto/BIO_s_fd.pod b/src/lib/libssl/src/doc/crypto/BIO_s_fd.pod
index 9bbac29f10..98749c9b67 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_s_fd.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_s_fd.pod
@@ -46,10 +46,10 @@ BIO_new_fd() returns a file descriptor BIO using B<fd> and B<close_flag>.
 =head1 NOTES
 The behaviour of BIO_read() and BIO_write() depends on the behavior of the
-platforms read() and write() calls on the descriptor. If the underlying
+platforms read() and write() calls on the descriptor. If the underlying file
-file descriptor is in a non blocking mode then the BIO will behave in the
+descriptor is in a non blocking mode then the BIO will behave in the manner
-manner described in the L<BIO_read(3)|BIO_read(3)> and L<BIO_should_retry(3)|BIO_should_retry(3)>
+described in the L<BIO_read(3)|BIO_read(3)> and
-manual pages.
+L<BIO_should_retry(3)|BIO_should_retry(3)> manual pages.
 File descriptor BIOs should not be used for socket I/O. Use socket BIOs
 instead.
diff --git a/src/lib/libssl/src/doc/crypto/BIO_set_callback.pod b/src/lib/libssl/src/doc/crypto/BIO_set_callback.pod
index 4759556245..ab35303590 100644
--- a/src/lib/libssl/src/doc/crypto/BIO_set_callback.pod
+++ b/src/lib/libssl/src/doc/crypto/BIO_set_callback.pod
@@ -81,9 +81,8 @@ after.
 =item B<BIO_gets(b, out, outl)>
-callback(b, BIO_CB_GETS, out, outl, 0L, 1L) is called before
+callback(b, BIO_CB_GETS, out, outl, 0L, 1L) is called before the operation and
-the operation and callback(b, BIO_CB_GETS|BIO_CB_RETURN, out, outl, 0L, retvalue)
+callback(b, BIO_CB_GETS|BIO_CB_RETURN, out, outl, 0L, retvalue) after.
-after.
 =item B<BIO_puts(b, in)>
diff --git a/src/lib/libssl/src/doc/crypto/BN_add.pod b/src/lib/libssl/src/doc/crypto/BN_add.pod
index 88c7a799ee..15b28d8334 100644
--- a/src/lib/libssl/src/doc/crypto/BN_add.pod
+++ b/src/lib/libssl/src/doc/crypto/BN_add.pod
@@ -111,8 +111,9 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 =head1 SEE ALSO
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<BN_add_word(3)|BN_add_word(3)>, L<BN_set_bit(3)|BN_set_bit(3)>
+L<BN_CTX_new(3)|BN_CTX_new(3)>, L<BN_add_word(3)|BN_add_word(3)>,
+L<BN_set_bit(3)|BN_set_bit(3)>
 =head1 HISTORY
diff --git a/src/lib/libssl/src/doc/crypto/BN_add_word.pod b/src/lib/libssl/src/doc/crypto/BN_add_word.pod
index 70667d2893..ba1026417d 100644
--- a/src/lib/libssl/src/doc/crypto/BN_add_word.pod
+++ b/src/lib/libssl/src/doc/crypto/BN_add_word.pod
@@ -39,8 +39,8 @@ For BN_div_word() and BN_mod_word(), B<w> must not be 0.
 =head1 RETURN VALUES
-BN_add_word(), BN_sub_word() and BN_mul_word() return 1 for success, 0
+BN_add_word(), BN_sub_word() and BN_mul_word() return 1 for success, 0 on
-on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 BN_mod_word() and BN_div_word() return B<a>%B<w> on success and
 B<(BN_ULONG)-1> if an error occurred.
diff --git a/src/lib/libssl/src/doc/crypto/BN_cmp.pod b/src/lib/libssl/src/doc/crypto/BN_cmp.pod
index 23e9ed0b4f..29df69631e 100644
--- a/src/lib/libssl/src/doc/crypto/BN_cmp.pod
+++ b/src/lib/libssl/src/doc/crypto/BN_cmp.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_is_odd - BIGNUM comparison and test functions
+BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_is_odd - BIGNUM
+comparison and test functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod b/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod
index 6f28a63517..04fc80df9c 100644
--- a/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod
+++ b/src/lib/libssl/src/doc/crypto/BN_generate_prime.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-BN_generate_prime, BN_is_prime, BN_is_prime_fasttest - generate primes and test for primality
+BN_generate_prime, BN_is_prime, BN_is_prime_fasttest - generate primes and test
+for primality
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/BN_mod_inverse.pod b/src/lib/libssl/src/doc/crypto/BN_mod_inverse.pod
index 3ea3975c74..aefb1d27dd 100644
--- a/src/lib/libssl/src/doc/crypto/BN_mod_inverse.pod
+++ b/src/lib/libssl/src/doc/crypto/BN_mod_inverse.pod
@@ -22,8 +22,8 @@ variables. B<r> may be the same B<BIGNUM> as B<a> or B<n>.
 =head1 RETURN VALUES
-BN_mod_inverse() returns the B<BIGNUM> containing the inverse, and
+BN_mod_inverse() returns the B<BIGNUM> containing the inverse, and NULL on
-NULL on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 =head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/crypto/BUF_MEM_new.pod b/src/lib/libssl/src/doc/crypto/BUF_MEM_new.pod
index 781f5b11ee..52f47caa40 100644
--- a/src/lib/libssl/src/doc/crypto/BUF_MEM_new.pod
+++ b/src/lib/libssl/src/doc/crypto/BUF_MEM_new.pod
@@ -44,14 +44,14 @@ BUF_MEM_grow() changes the size of an already existing buffer to
 B<len>. Any data already in the buffer is preserved if it increases in
 size.
-BUF_strdup() copies a null terminated string into a block of allocated
+BUF_strdup() copies a null terminated string into a block of allocated memory
-memory and returns a pointer to the allocated block.
+and returns a pointer to the allocated block.  Unlike the standard C library
-Unlike the standard C library strdup() this function uses OPENSSL_malloc() and so
+strdup() this function uses OPENSSL_malloc() and so should be used in
-should be used in preference to the standard library strdup() because it can
+preference to the standard library strdup() because it can be used for memory
-be used for memory leak checking or replacing the malloc() function.
+leak checking or replacing the malloc() function.
-The memory allocated from BUF_strdup() should be freed up using the OPENSSL_free()
+The memory allocated from BUF_strdup() should be freed up using the
-function.
+OPENSSL_free() function.
 =head1 RETURN VALUES
diff --git a/src/lib/libssl/src/doc/crypto/CMS_add0_cert.pod b/src/lib/libssl/src/doc/crypto/CMS_add0_cert.pod
index 78095948b9..3f042dc302 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_add0_cert.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_add0_cert.pod
@@ -2,7 +2,8 @@
 =head1 NAME
- CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_get1_crls, - CMS certificate and CRL utility functions
+CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_get1_crls, -
+CMS certificate and CRL utility functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_add1_recipient_cert.pod b/src/lib/libssl/src/doc/crypto/CMS_add1_recipient_cert.pod
index d7d8e2532c..8a39391aa4 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_add1_recipient_cert.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_add1_recipient_cert.pod
@@ -2,7 +2,8 @@
 =head1 NAME
- CMS_add1_recipient_cert, CMS_add0_recipient_key - add recipients to a CMS enveloped data structure
+CMS_add1_recipient_cert, CMS_add0_recipient_key - add recipients to a CMS
+enveloped data structure
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_decrypt.pod b/src/lib/libssl/src/doc/crypto/CMS_decrypt.pod
index d857e4f93f..403aa98d04 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_decrypt.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_decrypt.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CMS_decrypt - decrypt content from a CMS envelopedData structure
+CMS_decrypt - decrypt content from a CMS envelopedData structure
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_encrypt.pod b/src/lib/libssl/src/doc/crypto/CMS_encrypt.pod
index 01100a6df6..4f26e24bf6 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_encrypt.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_encrypt.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CMS_encrypt - create a CMS envelopedData structure
+CMS_encrypt - create a CMS envelopedData structure
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_final.pod b/src/lib/libssl/src/doc/crypto/CMS_final.pod
index beacc531ee..c5f1722aaf 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_final.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_final.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CMS_final - finalise a CMS_ContentInfo structure
+CMS_final - finalise a CMS_ContentInfo structure
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_get0_RecipientInfos.pod b/src/lib/libssl/src/doc/crypto/CMS_get0_RecipientInfos.pod
index ba16e97b55..d9c4cb774b 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_get0_RecipientInfos.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_get0_RecipientInfos.pod
@@ -2,7 +2,11 @@
 =head1 NAME
- CMS_get0_RecipientInfos, CMS_RecipientInfo_type, CMS_RecipientInfo_ktri_get0_signer_id,CMS_RecipientInfo_ktri_cert_cmp, CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id, CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key, CMS_RecipientInfo_decrypt - CMS envelopedData RecipientInfo routines
+CMS_get0_RecipientInfos, CMS_RecipientInfo_type,
+CMS_RecipientInfo_ktri_get0_signer_id,CMS_RecipientInfo_ktri_cert_cmp,
+CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id,
+CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key,
+CMS_RecipientInfo_decrypt - CMS envelopedData RecipientInfo routines
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_get0_SignerInfos.pod b/src/lib/libssl/src/doc/crypto/CMS_get0_SignerInfos.pod
index 47f6d2a047..557cda6c3e 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_get0_SignerInfos.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_get0_SignerInfos.pod
@@ -2,7 +2,8 @@
 =head1 NAME
- CMS_get0_SignerInfos, CMS_SignerInfo_get0_signer_id, CMS_SignerInfo_cert_cmp, CMS_set1_signer_certs - CMS signedData signer functions.
+CMS_get0_SignerInfos, CMS_SignerInfo_get0_signer_id, CMS_SignerInfo_cert_cmp,
+CMS_set1_signer_certs - CMS signedData signer functions.
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_get0_type.pod b/src/lib/libssl/src/doc/crypto/CMS_get0_type.pod
index 8ff1c3115c..bc2690ee1a 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_get0_type.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_get0_type.pod
@@ -2,7 +2,8 @@
 =head1 NAME
- CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType - get and set CMS content types
+CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType - get and set CMS
+content types
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_get1_ReceiptRequest.pod b/src/lib/libssl/src/doc/crypto/CMS_get1_ReceiptRequest.pod
index 50c2b9b9ab..a7babb1a6e 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_get1_ReceiptRequest.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_get1_ReceiptRequest.pod
@@ -2,7 +2,8 @@
 =head1 NAME
- CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values - CMS signed receipt request functions.
+CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest,
+CMS_ReceiptRequest_get0_values - CMS signed receipt request functions.
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_sign.pod b/src/lib/libssl/src/doc/crypto/CMS_sign.pod
index 6b58ba3bdd..cc6d17faf6 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_sign.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_sign.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CMS_sign - create a CMS SignedData structure
+CMS_sign - create a CMS SignedData structure
 =head1 SYNOPSIS
@@ -56,8 +56,9 @@ omitted.
 If present the SMIMECapabilities attribute indicates support for the following
 algorithms in preference order: 256 bit AES, Gost R3411-94, Gost 28147-89, 192
 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2.
-If any of these algorithms is not available then it will not be included: for example the GOST algorithms will not be included if the GOST ENGINE is
+If any of these algorithms is not available then it will not be included: for
-not loaded.
+example the GOST algorithms will not be included if the GOST ENGINE is not
+loaded.
 OpenSSL will by default identify signing certificates using issuer name
 and serial number. If B<CMS_USE_KEYID> is set it will use the subject key
diff --git a/src/lib/libssl/src/doc/crypto/CMS_sign_add1_signer.pod b/src/lib/libssl/src/doc/crypto/CMS_sign_add1_signer.pod
index 215e994b54..ed4d9a9234 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_sign_add1_signer.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_sign_add1_signer.pod
@@ -2,7 +2,8 @@
 =head1 NAME
- CMS_sign_add1_signer, CMS_SignerInfo_sign - add a signer to a CMS_ContentInfo signed data structure.
+CMS_sign_add1_signer, CMS_SignerInfo_sign - add a signer to a CMS_ContentInfo
+signed data structure.
 =head1 SYNOPSIS
@@ -77,8 +78,9 @@ have a subject key identifier extension.
 If present the SMIMECapabilities attribute indicates support for the following
 algorithms in preference order: 256 bit AES, Gost R3411-94, Gost 28147-89, 192
 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2.
-If any of these algorithms is not available then it will not be included: for example the GOST algorithms will not be included if the GOST ENGINE is
+If any of these algorithms is not available then it will not be included: for
-not loaded.
+example the GOST algorithms will not be included if the GOST ENGINE is not
+loaded.
 CMS_sign_add1_signer() returns an internal pointer to the CMS_SignerInfo
 structure just added, this can be used to set additional attributes
diff --git a/src/lib/libssl/src/doc/crypto/CMS_sign_receipt.pod b/src/lib/libssl/src/doc/crypto/CMS_sign_receipt.pod
index cae1f83384..f603ab66f0 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_sign_receipt.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_sign_receipt.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CMS_sign_receipt - create a CMS signed receipt
+CMS_sign_receipt - create a CMS signed receipt
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_uncompress.pod b/src/lib/libssl/src/doc/crypto/CMS_uncompress.pod
index c6056b027d..fcbfec128a 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_uncompress.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_uncompress.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CMS_uncompress - uncompress a CMS CompressedData structure
+CMS_uncompress - uncompress a CMS CompressedData structure
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_verify.pod b/src/lib/libssl/src/doc/crypto/CMS_verify.pod
index 4a6b3bfc97..22b4c07513 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_verify.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_verify.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CMS_verify - verify a CMS SignedData structure
+CMS_verify - verify a CMS SignedData structure
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CMS_verify_receipt.pod b/src/lib/libssl/src/doc/crypto/CMS_verify_receipt.pod
index 573e725ec1..2beadda129 100644
--- a/src/lib/libssl/src/doc/crypto/CMS_verify_receipt.pod
+++ b/src/lib/libssl/src/doc/crypto/CMS_verify_receipt.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CMS_verify_receipt - verify a CMS signed receipt
+CMS_verify_receipt - verify a CMS signed receipt
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CONF_modules_free.pod b/src/lib/libssl/src/doc/crypto/CONF_modules_free.pod
index 87bc7b783c..7c61b72c13 100644
--- a/src/lib/libssl/src/doc/crypto/CONF_modules_free.pod
+++ b/src/lib/libssl/src/doc/crypto/CONF_modules_free.pod
@@ -2,8 +2,8 @@
 =head1 NAME
- CONF_modules_free, CONF_modules_finish, CONF_modules_unload -
+CONF_modules_free, CONF_modules_finish, CONF_modules_unload - OpenSSL
- OpenSSL configuration cleanup functions
+configuration cleanup functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod b/src/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod
index 64e8127280..8cde6edb2d 100644
--- a/src/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod
+++ b/src/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions
+CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/CRYPTO_set_ex_data.pod b/src/lib/libssl/src/doc/crypto/CRYPTO_set_ex_data.pod
index 7409c02aac..0c8b378854 100644
--- a/src/lib/libssl/src/doc/crypto/CRYPTO_set_ex_data.pod
+++ b/src/lib/libssl/src/doc/crypto/CRYPTO_set_ex_data.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-CRYPTO_set_ex_data, CRYPTO_get_ex_data - internal application specific data functions
+CRYPTO_set_ex_data, CRYPTO_get_ex_data - internal application specific data
+functions
 =head1 SYNOPSIS
@@ -34,11 +35,12 @@ a previous B<CRYPTO_set_ex_data()> call.
 B<CRYPTO_set_ex_data()> returns 1 on success or 0 on failure.
-B<CRYPTO_get_ex_data()> returns the application data or 0 on failure. 0 may also
+B<CRYPTO_get_ex_data()> returns the application data or 0 on failure. 0 may
-be valid application data but currently it can only fail if given an invalid B<idx>
+also be valid application data but currently it can only fail if given an
-parameter.
+invalid B<idx> parameter.
-On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+On failure an error code can be obtained from
+L<ERR_get_error(3)|ERR_get_error(3)>.
 =head1 SEE ALSO
@@ -48,6 +50,7 @@ L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>
 =head1 HISTORY
-CRYPTO_set_ex_data() and CRYPTO_get_ex_data() have been available since SSLeay 0.9.0.
+CRYPTO_set_ex_data() and CRYPTO_get_ex_data() have been available since SSLeay
+0.9.0.
 =cut
diff --git a/src/lib/libssl/src/doc/crypto/DH_generate_key.pod b/src/lib/libssl/src/doc/crypto/DH_generate_key.pod
index 81f09fdf45..148e13762b 100644
--- a/src/lib/libssl/src/doc/crypto/DH_generate_key.pod
+++ b/src/lib/libssl/src/doc/crypto/DH_generate_key.pod
@@ -40,7 +40,8 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 =head1 SEE ALSO
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
+L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
+L<DH_size(3)|DH_size(3)>
 =head1 HISTORY
diff --git a/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod b/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod
index 862aa0c39a..d19e0217ee 100644
--- a/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod
+++ b/src/lib/libssl/src/doc/crypto/DH_generate_parameters.pod
@@ -23,11 +23,11 @@ seeded prior to calling DH_generate_parameters().
 B<prime_len> is the length in bits of the safe prime to be generated.
 B<generator> is a small number E<gt> 1, typically 2 or 5.
-A callback function may be used to provide feedback about the progress
+A callback function may be used to provide feedback about the progress of the
-of the key generation. If B<callback> is not B<NULL>, it will be
+key generation. If B<callback> is not B<NULL>, it will be called as described
-called as described in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime
+in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime number is
-number is generated, and when a prime has been found, B<callback(3,
+generated, and when a prime has been found, B<callback(3, 0, cb_arg)> is
-0, cb_arg)> is called.
+called.
 DH_check() validates Diffie-Hellman parameters. It checks that B<p> is
 a safe prime, and that B<g> is a suitable generator. In the case of an
diff --git a/src/lib/libssl/src/doc/crypto/DH_get_ex_new_index.pod b/src/lib/libssl/src/doc/crypto/DH_get_ex_new_index.pod
index fa5eab2650..934ec094bb 100644
--- a/src/lib/libssl/src/doc/crypto/DH_get_ex_new_index.pod
+++ b/src/lib/libssl/src/doc/crypto/DH_get_ex_new_index.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific data to DH structures
+DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data - add application specific
+data to DH structures
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/DH_new.pod b/src/lib/libssl/src/doc/crypto/DH_new.pod
index 60c930093e..d6c3ca82b5 100644
--- a/src/lib/libssl/src/doc/crypto/DH_new.pod
+++ b/src/lib/libssl/src/doc/crypto/DH_new.pod
@@ -21,9 +21,9 @@ erased before the memory is returned to the system.
 =head1 RETURN VALUES
-If the allocation fails, DH_new() returns B<NULL> and sets an error
+If the allocation fails, DH_new() returns B<NULL> and sets an error code that
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a
-a pointer to the newly allocated structure.
+pointer to the newly allocated structure.
 DH_free() returns no value.
diff --git a/src/lib/libssl/src/doc/crypto/DSA_get_ex_new_index.pod b/src/lib/libssl/src/doc/crypto/DSA_get_ex_new_index.pod
index fb6efc1182..e2fcabf370 100644
--- a/src/lib/libssl/src/doc/crypto/DSA_get_ex_new_index.pod
+++ b/src/lib/libssl/src/doc/crypto/DSA_get_ex_new_index.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application specific data to DSA structures
+DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data - add application
+specific data to DSA structures
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/DSA_set_method.pod b/src/lib/libssl/src/doc/crypto/DSA_set_method.pod
index 5ad7362f58..707370adf7 100644
--- a/src/lib/libssl/src/doc/crypto/DSA_set_method.pod
+++ b/src/lib/libssl/src/doc/crypto/DSA_set_method.pod
@@ -103,8 +103,8 @@ B<DSA_METHOD>s.
 DSA_set_default_method() returns no value.
-DSA_set_method() returns non-zero if the provided B<meth> was successfully set as
+DSA_set_method() returns non-zero if the provided B<meth> was successfully set
-the method for B<dsa> (including unloading the ENGINE handle if the previous
+as the method for B<dsa> (including unloading the ENGINE handle if the previous
 method was supplied by an ENGINE).
 DSA_new_method() returns NULL and sets an error code that can be
@@ -117,8 +117,8 @@ As of version 0.9.7, DSA_METHOD implementations are grouped together with other
 algorithmic APIs (eg. RSA_METHOD, EVP_CIPHER, etc) in B<ENGINE> modules. If a
 default ENGINE is specified for DSA functionality using an ENGINE API function,
 that will override any DSA defaults set using the DSA API (ie.
-DSA_set_default_method()). For this reason, the ENGINE API is the recommended way
+DSA_set_default_method()). For this reason, the ENGINE API is the recommended
-to control default implementations for use in DSA and other cryptographic
+way to control default implementations for use in DSA and other cryptographic
 algorithms.
 =head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod b/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod
index dcc5d73f69..2ff01b9c7c 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_DigestInit.pod
@@ -4,12 +4,12 @@
 EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
 EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
-EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
+EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type,
-EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
+EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size,
-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224, EVP_sha256,
+EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha,
-EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
+EVP_sha1, EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1,
-EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
+EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid,
-EVP digest routines
+EVP_get_digestbyobj - EVP digest routines
 =head1 SYNOPSIS
@@ -127,11 +127,11 @@ normally used when setting ASN1 OIDs.
 EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed
 B<EVP_MD_CTX>.
-EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated
+EVP_MD_pkey_type() returns the NID of the public key signing algorithm
-with this digest. For example EVP_sha1() is associated with RSA so this will
+associated with this digest. For example EVP_sha1() is associated with RSA so
-return B<NID_sha1WithRSAEncryption>. Since digests and signature algorithms
+this will return B<NID_sha1WithRSAEncryption>. Since digests and signature
-are no longer linked this function is only retained for compatibility
+algorithms are no longer linked this function is only retained for
-reasons.
+compatibility reasons.
 EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
 EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD>
diff --git a/src/lib/libssl/src/doc/crypto/EVP_DigestSignInit.pod b/src/lib/libssl/src/doc/crypto/EVP_DigestSignInit.pod
index 11e8f6f937..7aec6daecc 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_DigestSignInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_DigestSignInit.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal - EVP signing functions
+EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal - EVP signing
+functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod b/src/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod
index 819e0d4b9f..60666bfddc 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal - EVP signature verification functions
+EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal - EVP
+signature verification functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
index 84875e0fe0..d42445cf10 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod
@@ -239,11 +239,13 @@ RC5 can be set.
 EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
 return 1 for success and 0 for failure.
-EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
+EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for
-EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
+failure.  EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for
+success.
-EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure.
+EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for
-EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
+failure.  EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for
+success.
 EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure.
@@ -285,11 +287,13 @@ Null cipher: does nothing.
 DES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void),  EVP_des_ede_cfb(void)
+=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void),
+EVP_des_ede_cfb(void)
 Two key triple DES in CBC, ECB, CFB and OFB modes respectively.
-=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void),  EVP_des_ede3_cfb(void)
+=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void),
+EVP_des_ede3_cfb(void)
 Three key triple DES in CBC, ECB, CFB and OFB modes respectively.
@@ -299,44 +303,49 @@ DESX algorithm in CBC mode.
 =item EVP_rc4(void)
-RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
+RC4 stream cipher. This is a variable key length cipher with default key length
+128 bits.
 =item EVP_rc4_40(void)
-RC4 stream cipher with 40 bit key length. This is obsolete and new code should use EVP_rc4()
+RC4 stream cipher with 40 bit key length. This is obsolete and new code should
-and the EVP_CIPHER_CTX_set_key_length() function.
+use EVP_rc4() and the EVP_CIPHER_CTX_set_key_length() function.
-=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void)
+=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void),
+EVP_idea_ofb(void), EVP_idea_cbc(void)
 IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
 =item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)
-RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
+RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a
-length cipher with an additional parameter called "effective key bits" or "effective key length".
+variable key length cipher with an additional parameter called "effective key
-By default both are set to 128 bits.
+bits" or "effective key length".  By default both are set to 128 bits.
 =item EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)
-RC2 algorithm in CBC mode with a default key length and effective key length of 40 and 64 bits.
+RC2 algorithm in CBC mode with a default key length and effective key length of
-These are obsolete and new code should use EVP_rc2_cbc(), EVP_CIPHER_CTX_set_key_length() and
+40 and 64 bits.  These are obsolete and new code should use EVP_rc2_cbc(),
-EVP_CIPHER_CTX_ctrl() to set the key length and effective key length.
+EVP_CIPHER_CTX_set_key_length() and EVP_CIPHER_CTX_ctrl() to set the key length
+and effective key length.
 =item EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);
-Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
+Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This
-length cipher.
+is a variable key length cipher.
-=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)
+=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void),
+EVP_cast5_ofb(void)
-CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
+CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is
-length cipher.
+a variable key length cipher.
-=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)
+=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void),
+EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)
-RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key length
+RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a
-cipher with an additional "number of rounds" parameter. By default the key length is set to 128
+variable key length cipher with an additional "number of rounds" parameter. By
-bits and 12 rounds.
+default the key length is set to 128 bits and 12 rounds.
 =back
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_ctrl.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_ctrl.pod
index e8d1ddda75..ba6e51100b 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_ctrl.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_ctrl.pod
@@ -65,14 +65,15 @@ RSA_PKCS1_OAEP_PADDING for OAEP padding (encrypt and decrypt only),
 RSA_X931_PADDING for X9.31 padding (signature operations only) and
 RSA_PKCS1_PSS_PADDING (sign and verify only).
-Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md()
+Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md() is
-is used. If this macro is called for PKCS#1 padding the plaintext buffer is
+used. If this macro is called for PKCS#1 padding the plaintext buffer is an
-an actual digest value and is encapsulated in a DigestInfo structure according
+actual digest value and is encapsulated in a DigestInfo structure according to
-to PKCS#1 when signing and this structure is expected (and stripped off) when
+PKCS#1 when signing and this structure is expected (and stripped off) when
 verifying. If this control is not used with RSA and PKCS#1 padding then the
 supplied data is used directly and not encapsulated. In the case of X9.31
 padding for RSA the algorithm identifier byte is added or checked and removed
-if this control is called. If it is not called then the first byte of the plaintext buffer is expected to be the algorithm identifier byte.
+if this control is called. If it is not called then the first byte of the
+plaintext buffer is expected to be the algorithm identifier byte.
 The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to
 B<len> as its name implies it is only supported for PSS padding.  Two special
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_new.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_new.pod
index a9af867580..9822d6806f 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_new.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_new.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free - public key algorithm context functions.
+EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free -
+public key algorithm context functions.
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_cmp.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_cmp.pod
index 4145245299..c389216086 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_cmp.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_cmp.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters, EVP_PKEY_cmp - public key parameter and comparison functions
+EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters,
+EVP_PKEY_cmp - public key parameter and comparison functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_derive.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_derive.pod
index de877ead1a..2424ce0e54 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_derive.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_derive.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive - derive public key algorithm shared secret.
+EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive - derive public
+key algorithm shared secret.
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_keygen.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_keygen.pod
index b6102da036..378fb310ff 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_keygen.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_keygen.pod
@@ -2,7 +2,10 @@
 =head1 NAME
-EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init, EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb, EVP_PKEY_CTX_get_keygen_info, EVP_PKEVP_PKEY_CTX_set_app_data, EVP_PKEY_CTX_get_app_data - key and parameter generation functions
+EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init,
+EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb,
+EVP_PKEY_CTX_get_keygen_info, EVP_PKEVP_PKEY_CTX_set_app_data,
+EVP_PKEY_CTX_get_app_data - key and parameter generation functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_print_private.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_print_private.pod
index c9b7a89821..eabbaed264 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_print_private.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_print_private.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params - public key algorithm printing routines.
+EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params - public
+key algorithm printing routines.
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod
index 8afb1b22e1..c2031c3d0b 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod
@@ -4,8 +4,8 @@
 EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
 EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
-EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY,
+EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH,
-EVP_PKEY_type - EVP_PKEY assignment functions.
+EVP_PKEY_assign_EC_KEY, EVP_PKEY_type - EVP_PKEY assignment functions.
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_verify.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_verify.pod
index f7ae4f9ebe..ba317b4e7b 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_verify.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_verify.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_verify_init, EVP_PKEY_verify - signature verification using a public key algorithm
+EVP_PKEY_verify_init, EVP_PKEY_verify - signature verification using a public
+key algorithm
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/EVP_PKEY_verify_recover.pod b/src/lib/libssl/src/doc/crypto/EVP_PKEY_verify_recover.pod
index 00d53db783..4debf7bff0 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_PKEY_verify_recover.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_PKEY_verify_recover.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using a public key algorithm
+EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using
+a public key algorithm
 =head1 SYNOPSIS
@@ -45,7 +46,8 @@ context if several operations are performed using the same parameters.
 =head1 RETURN VALUES
-EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for success
+EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for
+success
 and 0 or a negative value for failure. In particular a return value of -2
 indicates the operation is not supported by the public key algorithm.
diff --git a/src/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod b/src/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod
index 0ffb0a8077..c665ee2ebc 100644
--- a/src/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod
+++ b/src/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification functions
+EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification
+functions
 =head1 SYNOPSIS
@@ -38,8 +39,8 @@ implementation of digest B<type>.
 EVP_VerifyInit_ex() and EVP_VerifyUpdate() return 1 for success and 0 for
 failure.
-EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some
+EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if
-other error occurred.
+some other error occurred.
 The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
diff --git a/src/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod b/src/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod
index 458ef025f0..b2b8af990c 100644
--- a/src/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod
+++ b/src/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod
@@ -2,9 +2,9 @@
 =head1 NAME
-OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid,
+OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid,
-OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup - ASN1 object utility
+OBJ_sn2nid, OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup
-functions
+- ASN1 object utility functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/src/lib/libssl/src/doc/crypto/OPENSSL_VERSION_NUMBER.pod
index c39ac35e78..2f63a18a71 100644
--- a/src/lib/libssl/src/doc/crypto/OPENSSL_VERSION_NUMBER.pod
+++ b/src/lib/libssl/src/doc/crypto/OPENSSL_VERSION_NUMBER.pod
@@ -94,8 +94,8 @@ L<crypto(3)|crypto(3)>
 =head1 HISTORY
-SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and OpenSSL.
+SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and
-OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
+OpenSSL.  OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
 B<SSLEAY_DIR> was added in OpenSSL 0.9.7.
 =cut
diff --git a/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod b/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod
index e63411b5bb..cc6c07fa24 100644
--- a/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod
+++ b/src/lib/libssl/src/doc/crypto/OpenSSL_add_all_algorithms.pod
@@ -39,24 +39,24 @@ None of the functions return a value.
 A typical application will call OpenSSL_add_all_algorithms() initially and
 EVP_cleanup() before exiting.
-An application does not need to add algorithms to use them explicitly, for example
+An application does not need to add algorithms to use them explicitly, for
-by EVP_sha1(). It just needs to add them if it (or any of the functions it calls)
+example by EVP_sha1(). It just needs to add them if it (or any of the functions
-needs to lookup algorithms.
+it calls) needs to lookup algorithms.
-The cipher and digest lookup functions are used in many parts of the library. If
+The cipher and digest lookup functions are used in many parts of the library.
-the table is not initialized several functions will misbehave and complain they
+If the table is not initialized several functions will misbehave and complain
-cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME libraries.
+they cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME
-This is a common query in the OpenSSL mailing lists.
+libraries.  This is a common query in the OpenSSL mailing lists.
 Calling OpenSSL_add_all_algorithms() links in all algorithms: as a result a
-statically linked executable can be quite large. If this is important it is possible
+statically linked executable can be quite large. If this is important it is
-to just add the required ciphers and digests.
+possible to just add the required ciphers and digests.
 =head1 BUGS
-Although the functions do not return error codes it is possible for them to fail.
+Although the functions do not return error codes it is possible for them to
-This will only happen as a result of a memory allocation failure so this is not
+fail.  This will only happen as a result of a memory allocation failure so this
-too much of a problem in practice.
+is not too much of a problem in practice.
 =head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/crypto/PEM_read_bio_PrivateKey.pod b/src/lib/libssl/src/doc/crypto/PEM_read_bio_PrivateKey.pod
index e196bf1498..7e821f69c3 100644
--- a/src/lib/libssl/src/doc/crypto/PEM_read_bio_PrivateKey.pod
+++ b/src/lib/libssl/src/doc/crypto/PEM_read_bio_PrivateKey.pod
@@ -2,7 +2,29 @@
 =head1 NAME
-PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines
+PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey,
+PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey,
+PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid,
+PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY,
+PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey,
+PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey,
+PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey,
+PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY,
+PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey,
+PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey,
+PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY,
+PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams,
+PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams,
+PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams,
+PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509,
+PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX,
+PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ,
+PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW,
+PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL,
+PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7,
+PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE,
+PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE,
+PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/PEM_write_bio_CMS_stream.pod b/src/lib/libssl/src/doc/crypto/PEM_write_bio_CMS_stream.pod
index e070c45c2e..f9946adebf 100644
--- a/src/lib/libssl/src/doc/crypto/PEM_write_bio_CMS_stream.pod
+++ b/src/lib/libssl/src/doc/crypto/PEM_write_bio_CMS_stream.pod
@@ -2,7 +2,7 @@
 =head1 NAME
- PEM_write_bio_CMS_stream - output CMS_ContentInfo structure in PEM format.
+PEM_write_bio_CMS_stream - output CMS_ContentInfo structure in PEM format.
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/PKCS12_create.pod b/src/lib/libssl/src/doc/crypto/PKCS12_create.pod
index 0a1e460cf1..382193ec95 100644
--- a/src/lib/libssl/src/doc/crypto/PKCS12_create.pod
+++ b/src/lib/libssl/src/doc/crypto/PKCS12_create.pod
@@ -38,13 +38,13 @@ The default MAC iteration count is 1 in order to retain compatibility with
 old software which did not interpret MAC iteration counts. If such compatibility
 is not required then B<mac_iter> should be set to PKCS12_DEFAULT_ITER.
-B<keytype> adds a flag to the store private key. This is a non standard extension
+B<keytype> adds a flag to the store private key. This is a non standard
-that is only currently interpreted by MSIE. If set to zero the flag is omitted,
+extension that is only currently interpreted by MSIE. If set to zero the flag
-if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX>
+is omitted, if set to B<KEY_SIG> the key can be used for signing only, if set
-it can be used for signing and encryption. This option was useful for old
+to B<KEY_EX> it can be used for signing and encryption. This option was useful
-export grade software which could use signing only keys of arbitrary size but
+for old export grade software which could use signing only keys of arbitrary
-had restrictions on the permissible sizes of keys which could be used for
+size but had restrictions on the permissible sizes of keys which could be used
-encryption.
+for encryption.
 =head1 NEW FUNCTIONALITY IN OPENSSL 0.9.8
diff --git a/src/lib/libssl/src/doc/crypto/PKCS7_decrypt.pod b/src/lib/libssl/src/doc/crypto/PKCS7_decrypt.pod
index 325699d0b6..78919998ce 100644
--- a/src/lib/libssl/src/doc/crypto/PKCS7_decrypt.pod
+++ b/src/lib/libssl/src/doc/crypto/PKCS7_decrypt.pod
@@ -22,8 +22,9 @@ B<flags> is an optional set of flags.
 OpenSSL_add_all_algorithms() (or equivalent) should be called before using this
 function or errors about unknown algorithms will occur.
-Although the recipients certificate is not needed to decrypt the data it is needed
+Although the recipients certificate is not needed to decrypt the data it is
-to locate the appropriate (of possible several) recipients in the PKCS#7 structure.
+needed to locate the appropriate (of possible several) recipients in the PKCS#7
+structure.
 The following flags can be passed in the B<flags> parameter.
@@ -38,8 +39,9 @@ The error can be obtained from ERR_get_error(3)
 =head1 BUGS
-PKCS7_decrypt() must be passed the correct recipient key and certificate. It would
+PKCS7_decrypt() must be passed the correct recipient key and certificate. It
-be better if it could look up the correct key and certificate from a database.
+would be better if it could look up the correct key and certificate from a
+database.
 The lack of single pass processing and need to hold all data in memory as
 mentioned in PKCS7_sign() also applies to PKCS7_verify().
diff --git a/src/lib/libssl/src/doc/crypto/PKCS7_verify.pod b/src/lib/libssl/src/doc/crypto/PKCS7_verify.pod
index 51ada03f2d..f88e66632b 100644
--- a/src/lib/libssl/src/doc/crypto/PKCS7_verify.pod
+++ b/src/lib/libssl/src/doc/crypto/PKCS7_verify.pod
@@ -37,9 +37,9 @@ be signedData. There must be at least one signature on the data and if
 the content is detached B<indata> cannot be B<NULL>.
 An attempt is made to locate all the signer's certificates, first looking in
-the B<certs> parameter (if it is not B<NULL>) and then looking in any certificates
+the B<certs> parameter (if it is not B<NULL>) and then looking in any
-contained in the B<p7> structure itself. If any signer's certificates cannot be
+certificates contained in the B<p7> structure itself. If any signer's
-located the operation fails.
+certificates cannot be located the operation fails.
 Each signer's certificate is chain verified using the B<smimesign> purpose and
 the supplied trusted certificate store. Any internal certificates in the message
@@ -50,9 +50,9 @@ the signature's checked.
 If all signature's verify correctly then the function is successful.
-Any of the following flags (ored together) can be passed in the B<flags> parameter
+Any of the following flags (ored together) can be passed in the B<flags>
-to change the default verify behaviour. Only the flag B<PKCS7_NOINTERN> is
+parameter to change the default verify behaviour. Only the flag
-meaningful to PKCS7_get0_signers().
+B<PKCS7_NOINTERN> is meaningful to PKCS7_get0_signers().
 If B<PKCS7_NOINTERN> is set the certificates in the message itself are not
 searched when locating the signer's certificate. This means that all the signers
diff --git a/src/lib/libssl/src/doc/crypto/RAND_bytes.pod b/src/lib/libssl/src/doc/crypto/RAND_bytes.pod
index 1a9b91e281..34c945b4e5 100644
--- a/src/lib/libssl/src/doc/crypto/RAND_bytes.pod
+++ b/src/lib/libssl/src/doc/crypto/RAND_bytes.pod
@@ -30,11 +30,10 @@ the new pseudo-random bytes unless disabled at compile time (see FAQ).
 =head1 RETURN VALUES
-RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
+RAND_bytes() returns 1 on success, 0 otherwise. The error code can be obtained
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
+by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
-bytes generated are cryptographically strong, 0 otherwise. Both
+bytes generated are cryptographically strong, 0 otherwise. Both functions
-functions return -1 if they are not supported by the current RAND
+return -1 if they are not supported by the current RAND method.
-method.
 =head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/crypto/RAND_load_file.pod b/src/lib/libssl/src/doc/crypto/RAND_load_file.pod
index 3f7e944d86..28118e3c2e 100644
--- a/src/lib/libssl/src/doc/crypto/RAND_load_file.pod
+++ b/src/lib/libssl/src/doc/crypto/RAND_load_file.pod
@@ -43,7 +43,8 @@ error.
 =head1 SEE ALSO
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>,
+L<RAND_cleanup(3)|RAND_cleanup(3)>
 =head1 HISTORY
diff --git a/src/lib/libssl/src/doc/crypto/RSA_blinding_on.pod b/src/lib/libssl/src/doc/crypto/RSA_blinding_on.pod
index fd2c69abd8..e6af8d4355 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_blinding_on.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_blinding_on.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing attacks
+RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing
+attacks
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/RSA_get_ex_new_index.pod b/src/lib/libssl/src/doc/crypto/RSA_get_ex_new_index.pod
index 7d0fd1f91d..b1ac1167dd 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_get_ex_new_index.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_get_ex_new_index.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application specific data to RSA structures
+RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application
+specific data to RSA structures
 =head1 SYNOPSIS
@@ -78,26 +79,27 @@ corresponding parameters when B<RSA_get_ex_new_index()> was called.
 B<dup_func()> is called when a structure is being copied. Pointers to the
 destination and source B<CRYPTO_EX_DATA> structures are passed in the B<to> and
 B<from> parameters respectively. The B<from_d> parameter is passed a pointer to
-the source application data when the function is called, when the function returns
+the source application data when the function is called, when the function
-the value is copied to the destination: the application can thus modify the data
+returns the value is copied to the destination: the application can thus modify
-pointed to by B<from_d> and have different values in the source and destination.
+the data pointed to by B<from_d> and have different values in the source and
-The B<idx>, B<argl> and B<argp> parameters are the same as those in B<new_func()>
+destination.  The B<idx>, B<argl> and B<argp> parameters are the same as those
-and B<free_func()>.
+in B<new_func()> and B<free_func()>.
 =head1 RETURN VALUES
-B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a valid
+B<RSA_get_ex_new_index()> returns a new index or -1 on failure (note 0 is a
-index value).
+valid index value).
 B<RSA_set_ex_data()> returns 1 on success or 0 on failure.
 B<RSA_get_ex_data()> returns the application data or 0 on failure. 0 may also
-be valid application data but currently it can only fail if given an invalid B<idx>
+be valid application data but currently it can only fail if given an invalid
-parameter.
+B<idx> parameter.
 B<new_func()> and B<dup_func()> should return 0 for failure and 1 for success.
-On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+On failure an error code can be obtained from
+L<ERR_get_error(3)|ERR_get_error(3)>.
 =head1 BUGS
diff --git a/src/lib/libssl/src/doc/crypto/RSA_new.pod b/src/lib/libssl/src/doc/crypto/RSA_new.pod
index 3d15b92824..41e5e60340 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_new.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_new.pod
@@ -22,9 +22,9 @@ erased before the memory is returned to the system.
 =head1 RETURN VALUES
-If the allocation fails, RSA_new() returns B<NULL> and sets an error
+If the allocation fails, RSA_new() returns B<NULL> and sets an error code that
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a
-a pointer to the newly allocated structure.
+pointer to the newly allocated structure.
 RSA_free() returns no value.
diff --git a/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod b/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod
index 4c4d131172..aa2bc1bd76 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod
@@ -29,10 +29,9 @@ B<padding> denotes one of the following modes:
 =item RSA_PKCS1_PADDING
-PKCS #1 v1.5 padding. This function does not handle the
+PKCS #1 v1.5 padding. This function does not handle the B<algorithmIdentifier>
-B<algorithmIdentifier> specified in PKCS #1. When generating or
+specified in PKCS #1. When generating or verifying PKCS #1 signatures,
-verifying PKCS #1 signatures, L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be
+L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be used.
-used.
 =item RSA_NO_PADDING
diff --git a/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
index e70380bbfc..315a9af9e8 100644
--- a/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
+++ b/src/lib/libssl/src/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
@@ -26,7 +26,8 @@ memory.
 B<dummy> is ignored.
-The random number generator must be seeded prior to calling RSA_sign_ASN1_OCTET_STRING().
+The random number generator must be seeded prior to calling
+RSA_sign_ASN1_OCTET_STRING().
 RSA_verify_ASN1_OCTET_STRING() verifies that the signature B<sigbuf>
 of size B<siglen> is the DER representation of a given octet string
diff --git a/src/lib/libssl/src/doc/crypto/SHA1.pod b/src/lib/libssl/src/doc/crypto/SHA1.pod
index 232af9227e..9fffdf59e7 100644
--- a/src/lib/libssl/src/doc/crypto/SHA1.pod
+++ b/src/lib/libssl/src/doc/crypto/SHA1.pod
@@ -60,7 +60,8 @@ ANSI X9.30
 =head1 SEE ALSO
-L<ripemd(3)|ripemd(3)>, L<hmac(3)|hmac(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+L<ripemd(3)|ripemd(3)>, L<hmac(3)|hmac(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>
 =head1 HISTORY
diff --git a/src/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod b/src/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod
index 5b9e81b922..c6442b947f 100644
--- a/src/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod
+++ b/src/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod
@@ -2,8 +2,9 @@
 =head1 NAME
-X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID,
+X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ,
-X509_NAME_add_entry, X509_NAME_delete_entry - X509_NAME modification functions
+X509_NAME_add_entry_by_NID, X509_NAME_add_entry, X509_NAME_delete_entry -
+X509_NAME modification functions
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod b/src/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod
index b2d86d4ddb..ff5d788d88 100644
--- a/src/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod
+++ b/src/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod
@@ -16,16 +16,16 @@ X509_NAME_oneline - X509_NAME printing routines.
 =head1 DESCRIPTION
-X509_NAME_print_ex() prints a human readable version of B<nm> to BIO B<out>. Each
+X509_NAME_print_ex() prints a human readable version of B<nm> to BIO B<out>.
-line (for multiline formats) is indented by B<indent> spaces. The output format
+Each line (for multiline formats) is indented by B<indent> spaces. The output
-can be extensively customised by use of the B<flags> parameter.
+format can be extensively customised by use of the B<flags> parameter.
-X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output is
+X509_NAME_print_ex_fp() is identical to X509_NAME_print_ex() except the output
-written to FILE pointer B<fp>.
+is written to FILE pointer B<fp>.
 X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>. At most B<size>
-bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically allocated
+bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically
-and returned, otherwise B<buf> is returned.
+allocated and returned, otherwise B<buf> is returned.
 X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase>
 characters. Multiple lines are used if the output (including indent) exceeds
@@ -33,10 +33,10 @@ characters. Multiple lines are used if the output (including indent) exceeds
 =head1 NOTES
-The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which
+The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions
-produce a non standard output form, they don't handle multi character fields and
+which produce a non standard output form, they don't handle multi character
-have various quirks and inconsistencies. Their use is strongly discouraged in new
+fields and have various quirks and inconsistencies. Their use is strongly
-applications.
+discouraged in new applications.
 Although there are a large number of possible flags for most purposes
 B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice.
@@ -49,15 +49,16 @@ The complete set of the flags supported by X509_NAME_print_ex() is listed below.
 Several options can be ored together.
 The options B<XN_FLAG_SEP_COMMA_PLUS>, B<XN_FLAG_SEP_CPLUS_SPC>,
-B<XN_FLAG_SEP_SPLUS_SPC> and B<XN_FLAG_SEP_MULTILINE> determine the field separators
+B<XN_FLAG_SEP_SPLUS_SPC> and B<XN_FLAG_SEP_MULTILINE> determine the field
-to use. Two distinct separators are used between distinct RelativeDistinguishedName
+separators to use. Two distinct separators are used between distinct
-components and separate values in the same RDN for a multi-valued RDN. Multi-valued
+RelativeDistinguishedName components and separate values in the same RDN for a
-RDNs are currently very rare so the second separator will hardly ever be used.
+multi-valued RDN. Multi-valued RDNs are currently very rare so the second
+separator will hardly ever be used.
-B<XN_FLAG_SEP_COMMA_PLUS> uses comma and plus as separators. B<XN_FLAG_SEP_CPLUS_SPC>
+B<XN_FLAG_SEP_COMMA_PLUS> uses comma and plus as separators.
-uses comma and plus with spaces: this is more readable that plain comma and plus.
+B<XN_FLAG_SEP_CPLUS_SPC> uses comma and plus with spaces: this is more readable
-B<XN_FLAG_SEP_SPLUS_SPC> uses spaced semicolon and plus. B<XN_FLAG_SEP_MULTILINE> uses
+that plain comma and plus.  B<XN_FLAG_SEP_SPLUS_SPC> uses spaced semicolon and
-spaced newline and plus respectively.
+plus. B<XN_FLAG_SEP_MULTILINE> uses spaced newline and plus respectively.
 If B<XN_FLAG_DN_REV> is set the whole DN is printed in reversed order.
@@ -92,7 +93,8 @@ B<XN_FLAG_ONELINE> is a more readable one line format which is the same as:
 B<XN_FLAG_MULTILINE> is a multiline format which is the same as:
 B<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN>
-B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it calls X509_NAME_print() internally.
+B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it
+calls X509_NAME_print() internally.
 =head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_error.pod b/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_error.pod
index 60e8332ae9..5760f64fcb 100644
--- a/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_error.pod
+++ b/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_error.pod
@@ -2,7 +2,10 @@
 =head1 NAME
-X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
+X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
+X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert,
+X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set
+certificate verification status information
 =head1 SYNOPSIS
@@ -82,19 +85,22 @@ of an untrusted certificate cannot be found.
 the CRL of a certificate could not be found.
-=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature>
+=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt
+certificate's signature>
 the certificate signature could not be decrypted. This means that the actual
 signature value could not be determined rather than it not matching the
 expected value, this is only meaningful for RSA keys.
-=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature>
+=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's
+signature>
 the CRL signature could not be decrypted: this means that the actual signature
 value could not be determined rather than it not matching the expected value.
 Unused.
-=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key>
+=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
+public key>
 the public key in the certificate SubjectPublicKeyInfo could not be read.
@@ -112,7 +118,8 @@ the certificate is not yet valid: the notBefore date is after the current time.
 =item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
-the certificate has expired: that is the notAfter date is before the current time.
+the certificate has expired: that is the notAfter date is before the current
+time.
 =item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
@@ -122,19 +129,23 @@ the CRL is not yet valid.
 the CRL has expired.
-=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field>
+=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
+certificate's notBefore field>
 the certificate notBefore field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field>
+=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's
+notAfter field>
 the certificate notAfter field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field>
+=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's
+lastUpdate field>
 the CRL lastUpdate field contains an invalid time.
-=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field>
+=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's
+nextUpdate field>
 the CRL nextUpdate field contains an invalid time.
@@ -147,17 +158,20 @@ an error occurred trying to allocate memory. This should never happen.
 the passed certificate is self signed and the same certificate cannot be found
 in the list of trusted certificates.
-=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain>
+=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
+certificate chain>
 the certificate chain could be built up using the untrusted certificates but
 the root could not be found locally.
-=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
+=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
+issuer certificate>
 the issuer certificate of a locally looked up certificate could not be found.
 This normally means the list of trusted certificates is not complete.
-=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
+=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first
+certificate>
 no signatures could be verified because the chain contains only one certificate
 and it is not self signed.
@@ -198,34 +212,39 @@ did not match the issuer name of the current certificate. This is only set
 if issuer check debugging is enabled it is used for status notification and
 is B<not> in itself an error.
-=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
+=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier
+mismatch>
 the current candidate issuer certificate was rejected because its subject key
 identifier was present and did not match the authority key identifier current
 certificate. This is only set if issuer check debugging is enabled it is used
 for status notification and is B<not> in itself an error.
-=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
+=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial
+number mismatch>
 the current candidate issuer certificate was rejected because its issuer name
 and serial number was present and did not match the authority key identifier of
 the current certificate. This is only set if issuer check debugging is enabled
 it is used for status notification and is B<not> in itself an error.
-=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
+=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate
+signing>
 the current candidate issuer certificate was rejected because its keyUsage
 extension does not permit certificate signing. This is only set if issuer check
 debugging is enabled it is used for status notification and is B<not> in itself
 an error.
-=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension>
+=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate
+extension>
 A certificate extension had an invalid value (for example an incorrect
 encoding) or some value inconsistent with other extensions.
-=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension>
+=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent
+certificate policy extension>
 A certificate policies extension had an invalid value (for example an incorrect
 encoding) or some value inconsistent with other extensions. This error only
@@ -252,17 +271,20 @@ A name constraint violation occured in the permitted subtrees.
 A name constraint violation occured in the excluded subtrees.
-=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported>
+=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not
+supported>
 A certificate name constraints extension included a minimum or maximum field:
 this is not supported.
-=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type>
+=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint
+type>
 An unsupported name constraint type was encountered. OpenSSL currently only
 supports directory name, DNS name, email and URI types.
-=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax>
+=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name
+constraint syntax>
 The format of the name constraint is not recognised: for example an email
 address format of a form not mentioned in RFC3280. This could be caused by
diff --git a/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod b/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
index 1b75967ccd..392b36c3ae 100644
--- a/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
+++ b/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
@@ -2,7 +2,9 @@
 =head1 NAME
-X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_ex_data - add application specific data to X509_STORE_CTX structures
+X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data,
+X509_STORE_CTX_get_ex_data - add application specific data to X509_STORE_CTX
+structures
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_new.pod b/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_new.pod
index 1c55236aa2..8f602274ee 100644
--- a/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_new.pod
+++ b/src/lib/libssl/src/doc/crypto/X509_STORE_CTX_new.pod
@@ -2,7 +2,11 @@
 =head1 NAME
-X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX initialisation
+X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free,
+X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert,
+X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param,
+X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default - X509_STORE_CTX
+initialisation
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/X509_STORE_set_verify_cb_func.pod b/src/lib/libssl/src/doc/crypto/X509_STORE_set_verify_cb_func.pod
index 012f2d2c75..f9602b3e77 100644
--- a/src/lib/libssl/src/doc/crypto/X509_STORE_set_verify_cb_func.pod
+++ b/src/lib/libssl/src/doc/crypto/X509_STORE_set_verify_cb_func.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb - set verification callback
+X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb - set verification
+callback
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/src/lib/libssl/src/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index e5da5bec08..f213a9c117 100644
--- a/src/lib/libssl/src/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/src/lib/libssl/src/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -2,7 +2,12 @@
 =head1 NAME
-X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509 verification parameters
+X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
+X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
+X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
+X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time,
+X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509
+verification parameters
 =head1 SYNOPSIS
diff --git a/src/lib/libssl/src/doc/crypto/bn.pod b/src/lib/libssl/src/doc/crypto/bn.pod
index cd2f8e50c6..4a3f24ba30 100644
--- a/src/lib/libssl/src/doc/crypto/bn.pod
+++ b/src/lib/libssl/src/doc/crypto/bn.pod
@@ -166,10 +166,10 @@ of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)|BN_bn2bin(3)>.
 =head1 SEE ALSO
-L<bn_internal(3)|bn_internal(3)>,
+L<bn_internal(3)|bn_internal(3)>, L<dh(3)|dh(3)>, L<err(3)|err(3)>,
-L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
+L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<BN_new(3)|BN_new(3)>,
-L<BN_new(3)|BN_new(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
+L<BN_CTX_new(3)|BN_CTX_new(3)>, L<BN_copy(3)|BN_copy(3)>,
-L<BN_copy(3)|BN_copy(3)>, L<BN_swap(3)|BN_swap(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
+L<BN_swap(3)|BN_swap(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
 L<BN_add(3)|BN_add(3)>, L<BN_add_word(3)|BN_add_word(3)>,
 L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
 L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
diff --git a/src/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod b/src/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod
index 466f99ab42..fc7335c7a1 100644
--- a/src/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod
+++ b/src/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod
@@ -2,9 +2,9 @@
 =head1 NAME
-d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp,
+d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp, i2d_PKCS8PrivateKey_bio,
-i2d_PKCS8PrivateKey_bio, i2d_PKCS8PrivateKey_fp,
+i2d_PKCS8PrivateKey_fp, i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp
-i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format private key functions
+- PKCS#8 format private key functions
 =head1 SYNOPSIS
@@ -39,15 +39,17 @@ corresponding B<PEM> function as described in the L<pem(3)|pem(3)> manual page.
 =head1 NOTES
-Before using these functions L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>
+Before using these functions
-should be called to initialize the internal algorithm lookup tables otherwise errors about
+L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)> should be called
+to initialize the internal algorithm lookup tables otherwise errors about
 unknown algorithms will occur if an attempt is made to decrypt a private key.
-These functions are currently the only way to store encrypted private keys using DER format.
+These functions are currently the only way to store encrypted private keys
+using DER format.
-Currently all the functions use BIOs or FILE pointers, there are no functions which
+Currently all the functions use BIOs or FILE pointers, there are no functions
-work directly on memory: this can be readily worked around by converting the buffers
+which work directly on memory: this can be readily worked around by converting
-to memory BIOs, see L<BIO_s_mem(3)|BIO_s_mem(3)> for details.
+the buffers to memory BIOs, see L<BIO_s_mem(3)|BIO_s_mem(3)> for details.
 =head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod b/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
index 1711dc038f..68e7f27de5 100644
--- a/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
+++ b/src/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod
@@ -29,14 +29,14 @@ d2i_Netscape_RSA - RSA public and private key encoding functions.
 =head1 DESCRIPTION
-d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey
+d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1
-structure.
+RSAPublicKey structure.
 d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY() decode and encode an RSA public key using
 a SubjectPublicKeyInfo (certificate public key) structure.
-d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey
+d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1
-structure.
+RSAPrivateKey structure.
 d2i_Netscape_RSA(), i2d_Netscape_RSA() decode and encode an RSA private key in
 NET format.
diff --git a/src/lib/libssl/src/doc/crypto/dh.pod b/src/lib/libssl/src/doc/crypto/dh.pod
index 97aaa75731..5fb9890a77 100644
--- a/src/lib/libssl/src/doc/crypto/dh.pod
+++ b/src/lib/libssl/src/doc/crypto/dh.pod
@@ -40,10 +40,11 @@ dh - Diffie-Hellman key agreement
 =head1 DESCRIPTION
-These functions implement the Diffie-Hellman key agreement protocol.
+These functions implement the Diffie-Hellman key agreement protocol.  The
-The generation of shared DH parameters is described in
+generation of shared DH parameters is described in
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>; L<DH_generate_key(3)|DH_generate_key(3)> describes how
+L<DH_generate_parameters(3)|DH_generate_parameters(3)>;
-to perform a key agreement.
+L<DH_generate_key(3)|DH_generate_key(3)> describes how to perform a key
+agreement.
 The B<DH> structure consists of several BIGNUM components.
diff --git a/src/lib/libssl/src/doc/crypto/lhash.pod b/src/lib/libssl/src/doc/crypto/lhash.pod
index b5c8a10282..a9c44dd9ef 100644
--- a/src/lib/libssl/src/doc/crypto/lhash.pod
+++ b/src/lib/libssl/src/doc/crypto/lhash.pod
@@ -2,7 +2,8 @@
 =head1 NAME
-lh_new, lh_free, lh_insert, lh_delete, lh_retrieve, lh_doall, lh_doall_arg, lh_error - dynamic hash table
+lh_new, lh_free, lh_insert, lh_delete, lh_retrieve, lh_doall, lh_doall_arg,
+lh_error - dynamic hash table
 =head1 SYNOPSIS