12 files changed, 42 insertions, 41 deletions

diff --git a/src/lib/libcrypto/man/CMS_sign.3 b/src/lib/libcrypto/man/CMS_sign.3
index 5261c190a6..c9b26716d6 100644
--- a/src/lib/libcrypto/man/CMS_sign.3
+++ b/src/lib/libcrypto/man/CMS_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_sign.3,v 1.11 2024/04/18 16:50:22 tb Exp $
+.\" $OpenBSD: CMS_sign.3,v 1.12 2025/04/17 14:58:09 tb Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 18 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt CMS_SIGN 3
 .Os
 .Sh NAME
@@ -176,7 +176,7 @@ added before finalization.
 .Pp
 If a signer is specified, it will use the default digest for the signing
 algorithm.
-This is SHA1 for both RSA and DSA keys.
+This is SHA-1 for both RSA and DSA keys.
 .Pp
 If
 .Fa signcert
diff --git a/src/lib/libcrypto/man/EVP_DigestInit.3 b/src/lib/libcrypto/man/EVP_DigestInit.3
index 668c189bc1..2a634540c7 100644
--- a/src/lib/libcrypto/man/EVP_DigestInit.3
+++ b/src/lib/libcrypto/man/EVP_DigestInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_DigestInit.3,v 1.37 2024/12/06 15:01:01 schwarze Exp $
+.\" $OpenBSD: EVP_DigestInit.3,v 1.38 2025/04/17 14:58:09 tb Exp $
 .\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -70,7 +70,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt EVP_DIGESTINIT 3
 .Os
 .Sh NAME
@@ -361,15 +361,16 @@ and
 .Fn EVP_ripemd160
 return
 .Vt EVP_MD
-structures for the SHA224, SHA256, SHA384, SHA512 and
-RIPEMD160 digest algorithms respectively.
+structures for the SHA-224, SHA-256, SHA-384, SHA-512 and
+RIPEMD-160 digest algorithms respectively.
 .Pp
 .Fn EVP_sha512_224
 and
 .Fn EVP_sha512_256
 return an
 .Vt EVP_MD
-structure that provides the truncated SHA512 variants SHA512/224 and SHA512/256,
+structure that provides the truncated SHA-512 variants
+SHA-512/224 and SHA-512/256,
 respectively.
 .Pp
 .Fn EVP_md_null
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
index 137e576c46..41c5a9ab9a 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.28 2024/12/10 14:54:20 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.29 2025/04/17 14:58:09 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\" Parts were split out into RSA_pkey_ctx_ctrl(3).
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt EVP_PKEY_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -371,7 +371,7 @@ The
 macro sets the key derivation function message digest to
 .Fa md
 for ECDH key derivation.
-Note that X9.63 specifies that this digest should be SHA1,
+Note that X9.63 specifies that this digest should be SHA-1,
 but OpenSSL tolerates other digests.
 .Pp
 The
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
index 1b95bbaa98..bdb1a208a2 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_set_tls1_prf_md.3,v 1.2 2024/07/10 10:22:03 tb Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_set_tls1_prf_md.3,v 1.3 2025/04/17 14:58:09 tb Exp $
 .\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
 .\" This file was written by Dr Stephen Henson <steve@openssl.org>,
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 10 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt EVP_PKEY_CTX_SET_TLS1_PRF_MD 3
 .Os
 .Sh NAME
@@ -87,7 +87,7 @@ It has no associated private key and only implements key derivation using
 sets the message digest associated with the TLS PRF.
 .Xr EVP_md5_sha1 3
 is treated as a special case which uses the PRF algorithm using both
-MD5 and SHA1 as used in TLS 1.0 and 1.1.
+MD5 and SHA-1 as used in TLS 1.0 and 1.1.
 .Pp
 .Fn EVP_PKEY_CTX_set_tls1_prf_secret
 sets the secret value of the TLS PRF to
diff --git a/src/lib/libcrypto/man/EVP_PKEY_sign.3 b/src/lib/libcrypto/man/EVP_PKEY_sign.3
index d73b0abb7b..afd9177596 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_sign.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.9 2024/12/06 14:27:49 schwarze Exp $
+.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.10 2025/04/17 14:58:09 tb Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt EVP_PKEY_SIGN 3
 .Os
 .Sh NAME
@@ -134,7 +134,7 @@ return 1 for success and 0 or a negative value for failure.
 In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
-Sign data using RSA with PKCS#1 padding and SHA256 digest:
+Sign data using RSA with PKCS#1 padding and SHA-256 digest:
 .Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify.3 b/src/lib/libcrypto/man/EVP_PKEY_verify.3
index d096a3a7be..c297e9669a 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_verify.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_verify.3,v 1.8 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_verify.3,v 1.9 2025/04/17 14:58:09 tb Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt EVP_PKEY_VERIFY 3
 .Os
 .Sh NAME
@@ -120,7 +120,7 @@ failure.
 In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
-Verify signature using PKCS#1 and SHA256 digest:
+Verify signature using PKCS#1 and SHA-256 digest:
 .Bd -literal -offset 3n
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3 b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
index 30c034cdb5..2e863f35b4 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.11 2025/04/17 14:58:09 tb Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt EVP_PKEY_VERIFY_RECOVER 3
 .Os
 .Sh NAME
@@ -135,7 +135,7 @@ return 1 for success and 0 or a negative value for failure.
 In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
-Recover digest originally signed using PKCS#1 and SHA256 digest:
+Recover digest originally signed using PKCS#1 and SHA-256 digest:
 .Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
diff --git a/src/lib/libcrypto/man/OCSP_cert_to_id.3 b/src/lib/libcrypto/man/OCSP_cert_to_id.3
index e014a1d262..032e87515e 100644
--- a/src/lib/libcrypto/man/OCSP_cert_to_id.3
+++ b/src/lib/libcrypto/man/OCSP_cert_to_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.13 2024/08/24 19:31:09 tb Exp $
+.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.14 2025/04/17 14:58:09 tb Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 24 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt OCSP_CERT_TO_ID 3
 .Os
 .Sh NAME
@@ -148,7 +148,7 @@ If
 .Fa dgst
 is
 .Dv NULL
-then SHA1 is used.
+then SHA-1 is used.
 .Pp
 .Fn OCSP_cert_id_new
 creates and returns a new
diff --git a/src/lib/libcrypto/man/RSA_sign.3 b/src/lib/libcrypto/man/RSA_sign.3
index 65e9dc99b8..888e36a680 100644
--- a/src/lib/libcrypto/man/RSA_sign.3
+++ b/src/lib/libcrypto/man/RSA_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_sign.3,v 1.8 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: RSA_sign.3,v 1.9 2025/04/17 14:58:09 tb Exp $
 .\"     OpenSSL aa90ca11 Aug 20 15:48:56 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt RSA_SIGN 3
 .Os
 .Sh NAME
@@ -106,7 +106,7 @@ If
 .Fa type
 is
 .Sy NID_md5_sha1 ,
-an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding and
+an SSL signature (MD5 and SHA-1 message digests with PKCS #1 padding and
 no algorithm identifier) is created.
 .Pp
 .Fn RSA_verify
diff --git a/src/lib/libcrypto/man/X509_NAME_hash.3 b/src/lib/libcrypto/man/X509_NAME_hash.3
index 8766109525..55de9bbe2e 100644
--- a/src/lib/libcrypto/man/X509_NAME_hash.3
+++ b/src/lib/libcrypto/man/X509_NAME_hash.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_hash.3,v 1.3 2021/07/31 14:54:33 schwarze Exp $
+.\" $OpenBSD: X509_NAME_hash.3,v 1.4 2025/04/17 14:58:09 tb Exp $
 .\"
 .\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 31 2021 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt X509_NAME_HASH 3
 .Os
 .Sh NAME
@@ -86,7 +86,7 @@ rather than an ASCII rendering in SSLeay 0.9.0 and have all been
 available since
 .Ox 2.4 .
 .Pp
-They were switched to using SHA1 instead of MD5 in OpenSSL 1.0.0 and in
+They were switched to using SHA-1 instead of MD5 in OpenSSL 1.0.0 and in
 .Ox 4.9 .
 .Pp
 .Fn X509_NAME_hash_old ,
diff --git a/src/lib/libcrypto/man/X509_get0_signature.3 b/src/lib/libcrypto/man/X509_get0_signature.3
index dc3be2c70a..2428f411b1 100644
--- a/src/lib/libcrypto/man/X509_get0_signature.3
+++ b/src/lib/libcrypto/man/X509_get0_signature.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get0_signature.3,v 1.9 2024/08/28 07:18:55 tb Exp $
+.\" $OpenBSD: X509_get0_signature.3,v 1.10 2025/04/17 14:58:09 tb Exp $
 .\" selective merge up to:
 .\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 28 2024 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt X509_GET0_SIGNATURE 3
 .Os
 .Sh NAME
@@ -212,11 +212,11 @@ For a supported EdDSA algorithm (in LibreSSL this is Ed25519)
 this flag is always set.
 For an RSASSA-PSS PSS algorithm this flag is set if
 the parameters are DER encoded,
-the digest algorithm is one of SHA256, SHA384, or SHA512,
+the digest algorithm is one of SHA-256, SHA-384, or SHA-512,
 the same digest algorithm is used in the mask generation function,
 and the salt length is equal to the digest algorithm's output length.
 For all other signature algorithms this flag is set if the digest
-algorithm is one of SHA1, SHA256, SHA384, or SHA512.
+algorithm is one of SHA-1, SHA-256, SHA-384, or SHA-512.
 .El
 .Pp
 .Fn X509_get_signature_info
@@ -276,5 +276,5 @@ refer to the information available from the certificate signature
 (such as the signing digest).
 In some cases the actual security of the signature is smaller
 because the signing key is less secure.
-For example in a certificate signed using SHA512
+For example in a certificate signed using SHA-512
 and a 1024-bit RSA key.
diff --git a/src/lib/libcrypto/man/X509_get_extension_flags.3 b/src/lib/libcrypto/man/X509_get_extension_flags.3
index 1d7f29c687..e5e773f2e8 100644
--- a/src/lib/libcrypto/man/X509_get_extension_flags.3
+++ b/src/lib/libcrypto/man/X509_get_extension_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_extension_flags.3,v 1.4 2023/04/30 19:40:23 tb Exp $
+.\" $OpenBSD: X509_get_extension_flags.3,v 1.5 2025/04/17 14:58:09 tb Exp $
 .\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
 .\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: April 17 2025 $
 .Dt X509_GET_EXTENSION_FLAGS 3
 .Os
 .Sh NAME
@@ -106,8 +106,8 @@ ASN1 object itself.
 .\" EXFLAG_NO_FINGERPRINT is not available in LibreSSL. Do we need
 .\" https://github.com/openssl/openssl/issues/13698 and the fix it fixes?
 .\".It Dv EXFLAG_NO_FINGERPRINT
-.\" Failed to compute the internal SHA1 hash value of the certificate.
-.\" This may be due to malloc failure or because no SHA1 implementation was
+.\" Failed to compute the internal SHA-1 hash value of the certificate.
+.\" This may be due to malloc failure or because no SHA-1 implementation was
 .\" found.
 .It Dv EXFLAG_INVALID_POLICY
 The