If B<-multi-rdn> is not used then the UID value is C<123456+CN=John Doe>.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-sm2-id> I<string>
For the B<-cmsout> operation print out all fields of the CMS structure. This
is mainly useful for testing purposes.
-=item B<-CAfile> I<file>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-A file containing trusted CA certificates, only used with B<-verify>.
-
-=item B<-CApath> I<dir>
-
-A directory containing trusted CA certificates, only used with
-B<-verify>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using C<x509 -hash>) should be linked
-to each certificate.
-
-=item B<-no-CAfile>
-
-Do not load the trusted CA certificates from the default file location
-
-=item B<-no-CApath>
-
-Do not load the trusted CA certificates from the default directory location
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-md> I<digest>
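Review bot: The combined -CAfile/-CApath item drops the statement that these options are only used with -verify. The shared section in openssl(1) describes the options generically, so this page no longer tells the reader when they apply. Suggest keeping one sentence under the combined item, for example "These options are only used with B<-verify>.", ahead of the cross-reference. The smime hunk removes the same sentence and would benefit from the same line.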
The private key password source. For more information about the format of B<arg>
see L<openssl(1)/Pass Phrase Options>.
-=item B<-rand> I<files>
-
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
+=item B<-rand> I<files>, B<-writerand> I<file>
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item I<cert.pem> ...
[B<-nextupdate>]
[B<-CAfile> I<file>]
[B<-CApath> I<dir>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
=for openssl ifdef hash_old
Output the nextUpdate field.
-=item B<-CAfile> I<file>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-Verify the signature on a CRL by looking up the issuing certificate in
-I<file>.
-
-=item B<-CApath> I<dir>
-
-Verify the signature on a CRL by looking up the issuing certificate in
-I<dir>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using the L<openssl-x509(1)> B<-hash> option)
-should be linked to each certificate.
+See L<openssl(1)/Trusted Certificate Options> for more information.
=back
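Review bot: In the combined -CAfile/-CApath item the command-specific purpose is gone: the removed text said the options verify the signature on a CRL by looking up the issuing certificate, while the linked section only talks about validating a certificate chain. Keep one sentence here saying that the file or directory is searched for the CRL issuer's certificate, then point to openssl(1) for the option syntax.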
[B<-hmac> I<key>]
[B<-fips-fingerprint>]
[B<-rand> I<files>]
+[B<-writerand> I<file>]
[B<-engine> I<id>]
[B<-engine_impl>]
[I<file> ...]
The L<openssl-mac(1)> command should be preferred to using this command line
option.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-fips-fingerprint>
present but I<numbits> is present, parameters are generated with the
default generator 2.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item I<numbits>
This option will generate a DSA either using the specified or generated
parameters.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-engine> I<id>
This option will generate an EC private key using the specified parameters.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-engine> I<id>
Use NULL cipher (no encryption or decryption of input).
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=back
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-engine> I<id>
The public exponent to use, either 65537 or 3. The default is 65537.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-engine> I<id>
This option is available on POSIX systems (that support the fork() and other
required unix system-calls).
-=item B<-CAfile> I<file>, B<-CApath> I<pathname>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-File or pathname containing trusted CA certificates. These are used to verify
-the signature on the OCSP response.
-
-=item B<-no-CAfile>
-
-Do not load the trusted CA certificates from the default file location
-
-=item B<-no-CApath>
-
-Do not load the trusted CA certificates from the default directory location
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
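Review bot: The combined item no longer says what the trusted certificates are used for in this command; the removed line "These are used to verify the signature on the OCSP response." was the only place on this page that said it. Suggest retaining that sentence ahead of the cross-reference.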
In the output list, prepend the cleartext password and a TAB character
to each password hash.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=back
Don't attempt to provide the MAC integrity.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
+See L<openssl(1)/Random State Options> for more information.
-=item B<-writerand> I<file>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
-
-=item B<-CAfile> I<file>
-
-CA storage as a file.
-
-=item B<-CApath> I<dir>
-
-CA storage as a directory. This directory must be a standard certificate
-directory: that is a hash of each subject name (using C<openssl x509 -hash>)
-should be linked to each certificate.
-
-=item B<-no-CAfile>
-
-Do not load the trusted CA certificates from the default file location.
-
-=item B<-no-CApath>
-
-Do not load the trusted CA certificates from the default directory location.
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-CSP> I<name>
when absolutely necessary. Certain software such as some versions of Java
code signing software used unencrypted private keys.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-v2> I<alg>
Parse the ASN.1 output data, this is useful when combined with the
B<-verifyrecover> option when an ASN1 structure is signed.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-engine> I<id>
=head1 DESCRIPTION
This command outputs I<num> pseudo-random bytes after seeding
-the random number generator once. As in other B<openssl> command
-line tools, PRNG seeding uses the file F<$HOME/.rnd> or F<.rnd>
-in addition to the files given in the B<-rand> option. A new
-F<$HOME/.rnd> or F<.rnd> file will be written back if enough
-seeding was obtained from these sources.
+the random number generator once.
=head1 OPTIONS
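Review bot: The DESCRIPTION now ends at "after seeding the random number generator once", and the removed lines about F<$HOME/.rnd> or F<.rnd> being read and written back have no counterpart in the new Random State Options section. If the command still touches those files implicitly, that should stay documented, since it means reading and writing a file the user did not name; if it no longer does, say so in the text so the removal is not read as a pure refactor.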
Write to I<file> instead of standard output.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-base64>
If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-newkey> I<arg>
Decrypt the input data using an RSA private key.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-pkcs>, B<-oaep>, B<-ssl>, B<-raw>
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<openssl-x509(1)> manual page for details.
-=item B<-CApath> I<directory>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-The directory to use for server certificate verification. This directory
-must be in "hash format", see L<openssl-verify(1)> for more information.
-These are also used when building the client certificate chain.
-
-=item B<-CAfile> I<file>
-
-A file containing trusted certificates to use during server authentication
-and to use when attempting to build the client certificate chain.
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-chainCApath> I<directory>
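Review bot: The combined item drops the statement, present in both removed items, that these certificates are also used when building the client certificate chain. The shared section covers only validation against trusted roots, so that second use is now undocumented on this page. Keep one sentence for it ahead of the cross-reference.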
A file containing trusted certificates to use when attempting to build the
client certificate chain.
-=item B<-no-CAfile>
-
-Do not load the trusted CA certificates from the default file location
-
-=item B<-no-CApath>
-
-Do not load the trusted CA certificates from the default directory location
-
=item B<-requestCAfile> I<file>
A file containing a list of certificates whose subject names will be sent
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-rand> I<files>
-
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
+=item B<-rand> I<files>, B<-writerand> I<file>
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-serverinfo> I<types>
Prints the SSL session states.
-=item B<-CAfile> I<infile>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-A file containing trusted certificates to use during client authentication
-and to use when attempting to build the server certificate chain. The list
-is also used in the list of acceptable client CAs passed to the client when
-a certificate is requested.
-
-=item B<-CApath> I<dir>
-
-The directory to use for client certificate verification. This directory
-must be in "hash format", see L<openssl-verify(1)> for more information.
-These are also used when building the server certificate chain.
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-chainCApath> I<dir>
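Review bot: The removed -CAfile text stated that the list "is also used in the list of acceptable client CAs passed to the client when a certificate is requested", and neither the replacement line nor the shared section says that. This affects what the server sends to clients, so it should remain on this page, together with the note that the certificates are used when building the server certificate chain.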
A file containing trusted certificates to use when attempting to build the
server certificate chain.
-=item B<-no-CAfile>
-
-Do not load the trusted CA certificates from the default file location.
-
-=item B<-no-CApath>
-
-Do not load the trusted CA certificates from the default directory location.
-
=item B<-nocert>
If this option is set then no certificate is used. This restricts the
servers, when each of which might be generating a unique range of session
IDs (eg. with a certain prefix).
-=item B<-rand> I<files>
-
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
+=item B<-rand> I<files>, B<-writerand> I<file>
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-verify_return_error>
must be in "hash format", see L<openssl-verify(1)> for more information.
These are also used when building the client certificate chain.
-=item B<-CAfile> I<file>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-A file containing trusted certificates to use during server authentication
-and to use when attempting to build the client certificate chain.
-
-=item B<-no-CAfile>
-
-Do not load the trusted CA certificates from the default file location
-
-=item B<-no-CApath>
-
-Do not load the trusted CA certificates from the default directory location
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-new>
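Review bot: B<-CApath> ends up documented twice on this page: the unchanged context at the top of this hunk is the tail of the existing -CApath description ("must be in "hash format" ... building the client certificate chain"), and the new combined item lists B<-CApath> I<dir> again. Either remove the old standalone -CApath item in this hunk or leave -CApath out of the combined item.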
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
-=item B<-CAfile> I<file>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-A file containing trusted CA certificates, only used with B<-verify>.
-
-=item B<-CApath> I<dir>
-
-A directory containing trusted CA certificates, only used with
-B<-verify>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using C<openssl x509 -hash>) should be linked
-to each certificate.
-
-=item B<-no-CAfile>
-
-Do not load the trusted CA certificates from the default file location.
-
-=item B<-no-CApath>
-
-Do not load the trusted CA certificates from the default directory location.
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-md> I<digest>
The private key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass Phrase Options>.
-=item B<-rand> I<files>
-
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
+=item B<-rand> I<files>, B<-writerand> I<file>
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-to>, B<-from>, B<-subject>
Time the decryption instead of encryption. Affects only the EVP testing.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-primes> I<num>
[B<-userinfo> I<text>]
[B<-passin> I<arg>]
[B<-passout> I<arg>]
+[B<-rand> I<files>]
+[B<-writerand> I<file>]
[I<user> ...]
=for openssl ifdef engine
For more information about the format of B<arg>
see L<openssl(1)/Pass Phrase Options>.
+=item B<-rand> I<files>, B<-writerand> I<file>
+
+See L<openssl(1)/Random State Options> for more information.
+
=back
=head1 COPYRIGHT
=over 4
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-config> I<configfile>
that the input is a DER encoded timestamp token (ContentInfo) instead
of a timestamp response (TimeStampResp). (Optional)
-=item B<-CApath> I<trusted_cert_path>
-
-The name of the directory containing the trusted CA certificates of the
-client. See the similar option of L<openssl-verify(1)> for additional
-details. Either this option or B<-CAfile> must be specified. (Optional)
+=item B<-CAfile> I<file>, B<-CApath> I<dir>
-
-=item B<-CAfile> I<trusted_certs.pem>
-
-The name of the file containing a set of trusted self-signed CA
-certificates in PEM format. See the similar option of
-L<openssl-verify(1)> for additional details. Either this option
-or B<-CApath> must be specified.
-(Optional)
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-untrusted> I<cert_file.pem>
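Review bot: The combined item loses the constraint stated in both removed items, "Either this option or B<-CAfile> must be specified" and its converse for -CApath. That requirement is specific to this command and does not appear in the shared section, so keep it here ahead of the cross-reference. The "(Optional)" markers from the removed text are dropped as well.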
Print out a usage message.
-=item B<-CAfile> I<file>
+=item B<-CAfile> I<file>, B<-no-CAfile>, B<-CApath> I<dir>, B<-no-CApath>
-A I<file> of trusted certificates.
-The file should contain one or more certificates in PEM format.
-
-=item B<-CApath> I<directory>
-
-A directory of trusted certificates. The certificates should have names
-of the form: F<I<hash>.0> or have symbolic links to them of this form
-(I<hash> is the hashed certificate subject name: see the L<openssl-x509(1)>
-B<-hash> option). Under Unix, L<openssl-rehash(1)> will automatically create
-symbolic links to a directory of certificates.
-
-=item B<-no-CAfile>
-
-Do not load the trusted CA certificates from the default file location.
-
-=item B<-no-CApath>
-
-Do not load the trusted CA certificates from the default directory location.
+See L<openssl(1)/Trusted Certificate Options> for more information.
=item B<-allow_proxy_certs>
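Review bot: The removed -CApath text gave the exact file-name form, F<I<hash>.0>, and said symbolic links of that form are accepted; the shared -CApath description this item now points to only says files "should be named with the hash of the X.509 SubjectName". Someone building a directory by hand needs the C<.0> suffix, so either keep that detail here or add it to the shared section.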
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
-=item B<-rand> I<files>
+=item B<-rand> I<files>, B<-writerand> I<file>
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
-
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-engine> I<id>
=item B<-help>
Provides a terse summary of all options.
+If an option takes an argument, the "type" of argument is also given.
+
+=item B<-->
+
+This terminates the list of options. It is mostly useful if any filename
+parameters start with a minus sign:
+
+ openssl verify [flags...] -- -cert1.pem...
=back
=back
+=head2 Trusted Certificate Options
+
+Part of validating a certificate includes verifying that the chain of CA's
+can be traced up to an existing trusted root. The following options specify
+how to list the trusted roots, also known as trust anchors. A collection
+of trusted roots is called a I<trust store>.
+
+Note that OpenSSL does not provide a default set of trust anchors. Many
+Linux distributions include a system default and configure OpenSSL to point
+to that. Mozilla maintains an influential trust store that can be found at
+L<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/>.
+
+=over 4
+
+=item B<-CAfile> I<file>
+
+Load the specified file which contains one or more PEM-format certificates
+of CA's that are trusted.
+
+=item B<-no-CAfile>
+
+Do not load the default file of trusted certificates.
+
+=item B<-CApath> I<dir>
+
+Use the specified directory as a list of trust certificates. That is,
+files should be named with the hash of the X.509 SubjectName of each
+certificate. This is so that the library can extract the IssuerName,
+hash it, and directly lookup the file to get the issuer certificate.
+See L<openssl-rehash(1)> for information on creating this type of directory.
+
+=item B<-no-CApath>
+
+Do not use the default directory of trusted certificates.
+
+=back
+
+=head2 Random State Options
+
+Prior to OpenSSL 3.0, it was common for applications to store information
+about the state of the random-number generator in a file that was loaded
+at startup and rewritten upon exit. On modern operating systems, this is
+generally no longer necessary as OpenSSL will seed itself from the
+appropriate CPU flags, device files, and so on. These flags are still
+supported for special platforms or circumstances that might require them.
+
+It is generally an error to use the same seed file more than once and
+every use of B<-rand> should be paired with B<-writerand>.
+
+=over 4
+
+=item B<-rand> I<files>
+
+A file or files containing random data used to seed the random number
+generator.
+Multiple files can be specified separated by an OS-dependent character.
+The separator is C<;> for MS-Windows, C<,> for OpenVMS, and C<:> for
+all others. Another way to specify multiple files is to repeat this flag
+with different filenames.
+
+=item B<-writerand> I<file>
+
+Writes the seed data to the specified I<file> upon exit.
+This file can be used in a subsequent command invocation.
+
+=back
+
=head1 ENVIRONMENT
=over 4
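Review bot: In Random State Options, the sentence "every use of B<-rand> should be paired with B<-writerand>" does not say which file -writerand should name. Since the same sentence calls reusing a seed file an error, state explicitly whether the intent is to overwrite the file that was just read. Wording in Trusted Certificate Options: "CA's" should be "CAs" in both places, "a list of trust certificates" should be "trusted certificates", and "directly lookup" should be "directly look up".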
=item B<-r> I<files>
-The files containing random data for seeding the random number
-generator. Multiple files can be specified, the separator is B<;> for
-MS-Windows, B<,> for VMS and B<:> for all other platforms. (Optional)
+See L<openssl(1)/Random State Options> for more information.
=item B<-g> I<EGD_socket>
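Review bot: The B<-r> item now consists only of a link to a section that documents B<-rand> and B<-writerand>, so the reader has to guess how -r relates to them. Keep a one-line description, such as the removed "The files containing random data for seeding the random number generator", and say that the value follows the same rules as B<-rand>. The "(Optional)" marker from the removed text is also dropped.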
require 5.10.0;
use warnings;
use strict;
+
use Pod::Checker;
use File::Find;
use File::Basename;
use lib catdir(dirname($0), "perl");
use OpenSSL::Util::Pod;
-my $debug = 0; # Set to 1 for debug output
+# Set to 1 for debug output
+my $debug = 0;
# Options.
our($opt_d);
my %public;
my $status = 0;
-my %mandatory_sections =
- ( '*' => [ 'NAME', 'DESCRIPTION', 'COPYRIGHT' ],
- 1 => [ 'SYNOPSIS', 'OPTIONS' ],
- 3 => [ 'SYNOPSIS', 'RETURN VALUES' ],
- 5 => [ ],
- 7 => [ ] );
+my %mandatory_sections = (
+ '*' => [ 'NAME', 'DESCRIPTION', 'COPYRIGHT' ],
+ 1 => [ 'SYNOPSIS', 'OPTIONS' ],
+ 3 => [ 'SYNOPSIS', 'RETURN VALUES' ],
+ 5 => [ ],
+ 7 => [ ]
+);
+
# Print error message, set $status.
sub err {
$names{$n} = 1;
$foundfilename++ if $n eq $simplename;
$foundfilenames{$n} = 1
- if ((-f "$dirname/$n.pod.in" || -f "$dirname/$n.pod")
- && $n ne $simplename);
+ if -f "$dirname/$n.pod" && $n ne $simplename;
}
- err($id, "the following exist as other .pod or .pod.in files:",
+ err($id, "the following exist as other .pod files:",
sort keys %foundfilenames)
if %foundfilenames;
err($id, "$simplename (filename) missing from NAME section")
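Review bot: The file-existence test and the error text here stop recognising .pod.in files, and the later hunks remove .pod.in from every glob and from the basename stripping in collectnames. If any .pod.in sources remain under doc/, all checks will now skip them silently; confirm that none are left in the tree as part of this change.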
# Helper function to check if a given $thing is properly marked up
# option. It returns one of these values:
-#
-# undef if it's not an option
-# "" if it's a malformed option
-# $unwrapped the option with the outermost B<> wrapping removed.
+# undef if it's not an option
+# "" if it's a malformed option
+# $unwrapped the option with the outermost B<> wrapping removed.
sub normalise_option {
my $id = shift;
my $filename = shift;
# Checks of function name (man3) formatting. The man3 checks are
# easier than the man1 checks, we only check the names followed by (),
# and only the names that have POD markup.
-
sub functionname_check {
my $id = shift;
my $filename = shift;
'zeroes' => 'zeros'
);
+# Search manpage for words that have a different preferred use.
sub wording {
my $id = shift;
my $contents = shift;
if $contents =~ /\bepoch\b/;
}
+# Perform all sorts of nit/error checks on a manpage
sub check {
my $filename = shift;
my $dirname = basename(dirname($filename));
my $section = 3;
$section = $1 if $dirname =~ /man([1-9])/;
- foreach ((@{$mandatory_sections{'*'}}, @{$mandatory_sections{$section}})) {
- # Skip "return values" if not -s
+ foreach ( (@{$mandatory_sections{'*'}}, @{$mandatory_sections{$section}}) ) {
err($id, "missing $_ head1 section")
if $contents !~ /^=head1\s+${_}\s*$/m;
}
}
-my %dups;
-
+# Parse libcrypto.num, etc., and return sorted list of what's there.
sub parsenum {
my $file = shift;
my @apis;
return sort @apis;
}
+# Parse all the manpages, getting return map of what they document
+# (by looking at their NAME sections).
sub getdocced
{
my $dir = shift;
my %return;
+ my %dups;
- foreach my $pod ( glob("$dir/*.pod"), glob("$dir/*.pod.in") ) {
+ foreach my $pod ( glob("$dir/*.pod") ) {
my %podinfo = extract_pod_info($pod);
foreach my $n ( @{$podinfo{names}} ) {
$return{$n} = $pod;
return %return;
}
+# Map of documented functions; function => manpage
my %docced;
+# Map of links in each POD file; filename => [ "foo(1)", "bar(3)", ... ]
+my %link_map = ();
+# Map of names in each POD file; "name(s)" => filename
+my %name_map = ();
+# Load file of symbol names that we know aren't documented.
sub loadmissing($)
{
my $missingfile = shift;
return @missing;
}
+# Check for undocumented macros; ignore those in the "missing" file
+# and do simple check for #define in our header files.
sub checkmacros {
my $count = 0;
my %seen;
my @missing;
- if ($opt_o) {
+ if ( $opt_o ) {
@missing = loadmissing('util/missingmacro111.txt');
- } elsif ($opt_v) {
+ } elsif ( $opt_v ) {
@missing = loadmissing('util/missingmacro.txt');
}
if $count > 0;
}
+# Find out what is undocumented (filtering out the known missing ones)
+# and display them.
sub printem {
my $libname = shift;
my $numfile = shift;
my $count = 0;
my %seen;
- my @missing = loadmissing($missingfile) if ($opt_v);
+ my @missing = loadmissing($missingfile) if ( $opt_v );
foreach my $func ( parsenum($numfile) ) {
next if $docced{$func} || defined $seen{$func};
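Review bot: The reformatted line "my @missing = loadmissing($missingfile) if ( $opt_v );" keeps a conditional "my" declaration, which perlsyn documents as having undefined behaviour. Since the line is being touched anyway, split it: declare "my @missing;" and then assign with "@missing = loadmissing($missingfile) if $opt_v;", the pattern checkmacros already uses.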
if $count > 0;
}
-
-# Collection of links in each POD file.
-# filename => [ "foo(1)", "bar(3)", ... ]
-my %link_collection = ();
-# Collection of names in each POD file.
-# "name(s)" => filename
-my %name_collection = ();
-
+# Collect all the names in a manpage.
sub collectnames {
my $filename = shift;
$filename =~ m|man(\d)/|;
my $section = $1;
- my $simplename = basename(basename($filename, ".in"), ".pod");
+ my $simplename = basename($filename, ".pod");
my $id = "${filename}:1:";
my $contents = '';
$contents =~ /=head1 NAME([^=]*)=head1 /ms;
my $tmp = $1;
- unless (defined $tmp) {
+ unless ( defined $tmp ) {
err($id, "weird name section");
return;
}
map { s|/|-|g; $_ } # Treat slash as dash
map { s/^\s+//g; s/\s+$//g; $_ } # Trim prefix and suffix blanks
split(/,/, $tmp);
- unless (grep { $simplename eq $_ } @names) {
+ unless ( grep { $simplename eq $_ } @names ) {
err($id, "missing $simplename");
push @names, $simplename;
}
foreach my $name (@names) {
next if $name eq "";
- if ($name =~ /\s/) {
+ if ( $name =~ /\s/ ) {
err($id, "'$name' contains white space")
}
my $name_sec = "$name($section)";
- if (! exists $name_collection{$name_sec}) {
- $name_collection{$name_sec} = $filename;
- } elsif ($filename eq $name_collection{$name_sec}) {
+ if ( !exists $name_map{$name_sec} ) {
+ $name_map{$name_sec} = $filename;
+ } elsif ( $filename eq $name_map{$name_sec} ) {
err($id, "$name_sec repeated in NAME section of",
- $name_collection{$name_sec});
+ $name_map{$name_sec});
} else {
err($id, "$name_sec also in NAME section of",
- $name_collection{$name_sec});
+ $name_map{$name_sec});
}
}
my @foreign_names =
map { map { s/\s+//g; $_ } split(/,/, $_) }
$contents =~ /=for\s+comment\s+foreign\s+manuals:\s*(.*)\n\n/;
- foreach (@foreign_names) {
- $name_collection{$_} = undef; # It still exists!
+ foreach ( @foreign_names ) {
+ $name_map{$_} = undef; # It still exists!
}
my @links = $contents =~ /L<
# a one digit section number
([^\/>\(]+\(\d\))
/gx;
- $link_collection{$filename} = [ @links ];
+ $link_map{$filename} = [ @links ];
}
+# Look for L<> ("link") references that point to files that do not exist.
sub checklinks {
- foreach my $filename (sort keys %link_collection) {
- foreach my $link (@{$link_collection{$filename}}) {
+ foreach my $filename (sort keys %link_map) {
+ foreach my $link (@{$link_map{$filename}}) {
err("${filename}:1:", "reference to non-existing $link")
- unless exists $name_collection{$link};
+ unless exists $name_map{$link};
}
}
}
}
}
-# Cipher/digests to skip if not documented
+# Cipher/digests to skip if they show up as "not implemented"
+# because they are, via the "-*" construct.
my %skips = (
'aes128' => 1,
'aes192' => 1,
'digest' => 1,
);
+# Check the flags of a command and see if everything is in the manpage
sub checkflags {
my $cmd = shift;
my $doc = shift;
close CFH;
# See what's in the command not the manpage.
- my @undocced = ();
- foreach my $k ( keys %cmdopts ) {
- push @undocced, $k unless $docopts{$k};
- }
- if ( scalar @undocced > 0 ) {
- foreach ( @undocced ) {
- next if /-/; # Skip the -- end-of-flags marker
- err("$doc: undocumented option -$_");
- }
+ my @undocced = sort grep { !defined $docopts{$_} } keys %cmdopts;
+ foreach ( @undocced ) {
+ next if /-/; # Skip the -- end-of-flags marker
+ err("$doc: undocumented option -$_");
}
# See what's in the command not the manpage.
- my @unimpl = ();
- foreach my $k ( keys %docopts ) {
- push @unimpl, $k unless $cmdopts{$k};
- }
- if ( scalar @unimpl > 0 ) {
- foreach ( @unimpl ) {
- next if defined $skips{$_} || defined $localskips{$_};
- err("$cmd documented but not implemented -$_");
- }
+ my @unimpl = sort grep { !defined $cmdopts{$_} } keys %docopts;
+ foreach ( @unimpl ) {
+ next if defined $skips{$_} || defined $localskips{$_};
+ err("$cmd documented but not implemented -$_");
}
}
+##
+## MAIN()
+## Do the work requested by the various getopt flags.
+## The flags are parsed in alphabetical order, just because we have
+## to have *some way* of listing them.
+##
+
if ( $opt_c ) {
my @commands = ();
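Review bot: In the rewritten undocumented-option loop, "next if /-/;" matches any option name that contains a hyphen, not only the end-of-flags marker the comment mentions. Names such as no-CAfile and no-CApath, which this same change adds to several manpages, would be skipped and never reported as undocumented; an exact comparison against the marker's stored name would keep the intent. Two smaller points: the comment above the second loop still reads "See what's in the command not the manpage" although that loop reports options that are documented but not implemented, and the switch from a truth test to "!defined" changes the result for keys whose value is defined but false.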
}
if ( $opt_l ) {
- foreach (@ARGV ? @ARGV : (glob('doc/*/*.pod'), glob('doc/*/*.pod.in'),
- glob('doc/internal/*/*.pod'))) {
+ foreach ( @ARGV ? @ARGV : glob('doc/*/*.pod doc/internal/*/*.pod') ) {
collectnames($_);
}
checklinks();
if ( $opt_n ) {
publicize();
- foreach (@ARGV ? @ARGV : (glob('doc/*/*.pod'), glob('doc/*/*.pod.in'))) {
- check($_);
- }
- foreach (@ARGV ? @ARGV : glob('doc/internal/*/*.pod')) {
+ foreach ( @ARGV ? @ARGV : glob('doc/*/*.pod doc/internal/*/*.pod') ) {
check($_);
}
foreach ( keys %temp ) {
$docced{$_} = $temp{$_};
}
- if ($opt_o) {
+ if ( $opt_o ) {
printem('crypto', 'util/libcrypto.num', 'util/missingcrypto111.txt');
printem('ssl', 'util/libssl.num', 'util/missingssl111.txt');
} else {