Removed duplicates in some man pages

Fixes openssl/openssl#11748

find-doc-nits: Check for duplicate options

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27088)

doc/man1/CA.pl.pod

@@ -6,6 +6,8 @@ CA.pl - friendlier interface for OpenSSL certificate programs
 
 =head1 SYNOPSIS
 
+=for openssl duplicate options
+
 B<CA.pl>
 B<-?> |
 B<-h> |

doc/man1/openssl-ciphers.pod.in

@@ -17,7 +17,6 @@ B<openssl> B<ciphers>
 [B<-tls1_1>]
 [B<-tls1_2>]
 [B<-tls1_3>]
-[B<-s>]
 [B<-psk>]
 [B<-srp>]
 [B<-stdname>]

doc/man1/openssl-cms.pod.in

@@ -7,6 +7,8 @@ openssl-cms - CMS command
 
 =head1 SYNOPSIS
 
+=for openssl duplicate options
+
 B<openssl> B<cms>
 [B<-help>]
 

doc/man1/openssl-pkcs12.pod.in

@@ -7,6 +7,8 @@ openssl-pkcs12 - PKCS#12 file command
 
 =head1 SYNOPSIS
 
+=for openssl duplicate options
+
 B<openssl> B<pkcs12>
 [B<-help>]
 [B<-passin> I<arg>]
@@ -174,7 +176,7 @@ see the L</PKCS#12 output (export) options> section.
 =item B<-out> I<filename>
 
 The filename to write certificates and private keys to, standard output by
-default.  They are all written in PEM format.
+default. They are all written in PEM format.
 
 =item B<-info>
 

doc/man1/openssl-rehash.pod.in

@@ -10,6 +10,7 @@ openssl-rehash, c_rehash - Create symbolic links to files named by the hash
 values
 
 =head1 SYNOPSIS
+=for openssl duplicate options
 
 B<openssl>
 B<rehash>

doc/man1/openssl-s_client.pod.in

@@ -59,7 +59,6 @@ B<openssl> B<s_client>
 [B<-msg>]
 [B<-timeout>]
 [B<-mtu> I<size>]
-[B<-no_etm>]
 [B<-no_ems>]
 [B<-keymatexport> I<label>]
 [B<-keymatexportlen> I<len>]
@@ -84,29 +83,14 @@ B<openssl> B<s_client>
 [B<-max_pipelines>]
 [B<-read_buf>]
 [B<-ignore_unexpected_eof>]
-[B<-bugs>]
 [B<-no_tx_cert_comp>]
 [B<-no_rx_cert_comp>]
-[B<-comp>]
-[B<-no_comp>]
 [B<-brief>]
-[B<-legacy_server_connect>]
-[B<-no_legacy_server_connect>]
-[B<-allow_no_dhe_kex>]
-[B<-prefer_no_dhe_kex>]
-[B<-sigalgs> I<sigalglist>]
-[B<-curves> I<curvelist>]
-[B<-cipher> I<cipherlist>]
-[B<-ciphersuites> I<val>]
-[B<-serverpref>]
 [B<-starttls> I<protocol>]
-[B<-name> I<hostname>]
 [B<-xmpphost> I<hostname>]
 [B<-name> I<hostname>]
 [B<-tlsextdebug>]
-[B<-no_ticket>]
 [B<-sess_out> I<filename>]
-[B<-serverinfo> I<types>]
 [B<-sess_in> I<filename>]
 [B<-serverinfo> I<types>]
 [B<-status>]
@@ -485,10 +469,6 @@ Enable send/receive timeout on DTLS connections.
 
 Set MTU of the link layer to the specified size.
 
-=item B<-no_etm>
-
-Disable Encrypt-then-MAC negotiation.
-
 =item B<-no_ems>
 
 Disable Extended master secret negotiation.
@@ -623,11 +603,6 @@ option is enabled the peer does not need to send the close_notify alert and a
 closed connection will be treated as if the close_notify alert was received.
 For more information on shutting down a connection, see L<SSL_shutdown(3)>.
 
-=item B<-bugs>
-
-There are several known bugs in SSL and TLS implementations. Adding this
-option enables various workarounds.
-
 =item B<-no_tx_cert_comp>
 
 Disables support for sending TLSv1.3 compressed certificates.
@@ -636,65 +611,11 @@ Disables support for sending TLSv1.3 compressed certificates.
 
 Disables support for receiving TLSv1.3 compressed certificate.
 
-=item B<-comp>
-
-Enables support for SSL/TLS compression.
-This option was introduced in OpenSSL 1.1.0.
-TLS compression is not recommended and is off by default as of
-OpenSSL 1.1.0. TLS compression can only be used in security level 1 or
-lower. From OpenSSL 3.2.0 and above the default security level is 2, so this
-option will have no effect without also changing the security level. Use the
-B<-cipher> option to change the security level. See L<openssl-ciphers(1)> for
-more information.
-
-=item B<-no_comp>
-
-Disables support for SSL/TLS compression.
-TLS compression is not recommended and is off by default as of
-OpenSSL 1.1.0.
-
 =item B<-brief>
 
 Only provide a brief summary of connection parameters instead of the
 normal verbose output.
 
-=item B<-sigalgs> I<sigalglist>
-
-Specifies the list of signature algorithms that are sent by the client.
-The server selects one entry in the list based on its preferences.
-For example strings, see L<SSL_CTX_set1_sigalgs(3)>
-
-=item B<-curves> I<curvelist>
-
-Specifies the list of supported curves to be sent by the client. The curve is
-ultimately selected by the server.
-
-The list of available groups includes various built-in named EC curves, as well
-as X25519 and X448, FFDHE groups, and any additional groups implemented in the
-default or 3rd-party providers.
-The commands below list the available groups for TLS 1.2 and TLS 1.3,
-respectively:
-
-    $ openssl list -tls1_2 -tls-groups
-    $ openssl list -tls1_3 -tls-groups
-
-=item B<-cipher> I<cipherlist>
-
-This allows the TLSv1.2 and below cipher list sent by the client to be modified.
-This list will be combined with any TLSv1.3 ciphersuites that have been
-configured. Although the server determines which ciphersuite is used it should
-take the first supported cipher in the list sent by the client. See
-L<openssl-ciphers(1)> for more information.
-
-=item B<-ciphersuites> I<val>
-
-This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
-list will be combined with any TLSv1.2 and below ciphersuites that have been
-configured. Although the server determines which cipher suite is used it should
-take the first supported cipher in the list sent by the client. See
-L<openssl-ciphers(1)> for more information. The format for this list is a simple
-colon (":") separated list of TLSv1.3 ciphersuite names.
-
 =item B<-starttls> I<protocol>
 
 Send the protocol-specific message(s) to switch to TLS for communication.
@@ -729,10 +650,6 @@ this option is not specified, then "mail.example.com" will be used.
 
 Print out a hex dump of any TLS extensions received from the server.
 
-=item B<-no_ticket>
-
-Disable RFC4507bis session ticket support.
-
 =item B<-sess_out> I<filename>
 
 Output SSL session to I<filename>.

doc/man1/openssl-s_server.pod.in

@@ -7,6 +7,8 @@ openssl-s_server - SSL/TLS server program
 
 =head1 SYNOPSIS
 
+=for openssl duplicate options
+
 B<openssl> B<s_server>
 [B<-help>]
 [B<-port> I<+int>]
@@ -70,7 +72,6 @@ B<openssl> B<s_server>
 [B<-verify_quiet>]
 [B<-ign_eof>]
 [B<-no_ign_eof>]
-[B<-no_etm>]
 [B<-no_ems>]
 [B<-status>]
 [B<-status_verbose>]
@@ -91,30 +92,9 @@ B<openssl> B<s_server>
 [B<-max_pipelines> I<+int>]
 [B<-naccept> I<+int>]
 [B<-read_buf> I<+int>]
-[B<-bugs>]
 [B<-no_tx_cert_comp>]
 [B<-no_rx_cert_comp>]
-[B<-no_comp>]
-[B<-comp>]
-[B<-no_ticket>]
-[B<-serverpref>]
-[B<-legacy_renegotiation>]
-[B<-no_renegotiation>]
-[B<-no_resumption_on_reneg>]
-[B<-allow_no_dhe_kex>]
-[B<-prefer_no_dhe_kex>]
-[B<-prioritize_chacha>]
-[B<-strict>]
-[B<-sigalgs> I<val>]
-[B<-client_sigalgs> I<val>]
-[B<-groups> I<val>]
-[B<-curves> I<val>]
-[B<-named_curve> I<val>]
-[B<-cipher> I<val>]
-[B<-ciphersuites> I<val>]
 [B<-dhparam> I<infile>]
-[B<-record_padding> I<val>]
-[B<-debug_broken_protocol>]
 [B<-nbio>]
 [B<-psk_identity> I<val>]
 [B<-psk_hint> I<val>]
@@ -501,10 +481,6 @@ Ignore input EOF (default: when B<-quiet>).
 
 Do not ignore input EOF.
 
-=item B<-no_etm>
-
-Disable Encrypt-then-MAC negotiation.
-
 =item B<-no_ems>
 
 Disable Extended master secret negotiation.
@@ -613,11 +589,6 @@ effect if the buffer size is larger than the size that would otherwise be used
 and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
 further information).
 
-=item B<-bugs>
-
-There are several known bugs in SSL and TLS implementations. Adding this
-option enables various workarounds.
-
 =item B<-no_tx_cert_comp>
 
 Disables support for sending TLSv1.3 compressed certificates.
@@ -632,77 +603,12 @@ Disable negotiation of TLS compression.
 TLS compression is not recommended and is off by default as of
 OpenSSL 1.1.0.
 
-=item B<-comp>
-
-Enables support for SSL/TLS compression.
-This option was introduced in OpenSSL 1.1.0.
-TLS compression is not recommended and is off by default as of
-OpenSSL 1.1.0. TLS compression can only be used in security level 1 or
-lower. From OpenSSL 3.2.0 and above the default security level is 2, so this
-option will have no effect without also changing the security level. Use the
-B<-cipher> option to change the security level. See L<openssl-ciphers(1)> for
-more information.
-
-=item B<-no_ticket>
-
-Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
-is negotiated. See B<-num_tickets>.
-
 =item B<-num_tickets>
 
 Control the number of tickets that will be sent to the client after a full
 handshake in TLSv1.3. The default number of tickets is 2. This option does not
 affect the number of tickets sent after a resumption handshake.
 
-=item B<-serverpref>
-
-Use the server's cipher preferences, rather than the client's preferences.
-
-=item B<-prioritize_chacha>
-
-Prioritize ChaCha ciphers when preferred by clients. Requires B<-serverpref>.
-
-=item B<-no_resumption_on_reneg>
-
-Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
-
-=item B<-client_sigalgs> I<val>
-
-Signature algorithms to support for client certificate authentication
-(colon-separated list).
-
-=item B<-named_curve> I<val>
-
-Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
-
-The list of available groups includes various built-in named EC curves, as well
-as X25519 and X448, FFDHE groups, and any additional groups implemented in the
-default or 3rd-party providers.
-The commands below list the available groups for TLS 1.2 and TLS 1.3,
-respectively.
-
-    $ openssl list -tls1_2 -tls-groups
-    $ openssl list -tls1_3 -tls-groups
-
-=item B<-cipher> I<val>
-
-This allows the list of TLSv1.2 and below ciphersuites used by the server to be
-modified. This list is combined with any TLSv1.3 ciphersuites that have been
-configured. When the client sends a list of supported ciphers the first client
-cipher also included in the server list is used. Because the client specifies
-the preference order, the order of the server cipherlist is irrelevant. See
-L<openssl-ciphers(1)> for more information.
-
-=item B<-ciphersuites> I<val>
-
-This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
-This list is combined with any TLSv1.2 and below ciphersuites that have been
-configured. When the client sends a list of supported ciphers the first client
-cipher also included in the server list is used. Because the client specifies
-the preference order, the order of the server cipherlist is irrelevant. See
-L<openssl-ciphers(1)> command for more information. The format for this list is
-a simple colon (":") separated list of TLSv1.3 ciphersuite names.
-
 =item B<-dhparam> I<infile>
 
 The DH parameter file to use. The ephemeral DH cipher suites generate keys

doc/man1/openssl-smime.pod.in

@@ -130,7 +130,7 @@ See L<openssl-format-options(1)> for details.
 The key format; unspecified by default.
 See L<openssl-format-options(1)> for details.
 
-=item B<-stream>, B<-indef>, B<-noindef>
+=item B<-stream>, B<-indef>
 
 The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
 for encoding operations. This permits single pass processing of data without

doc/man1/openssl-ts.pod.in

@@ -7,6 +7,8 @@ openssl-ts - Time Stamping Authority command
 
 =head1 SYNOPSIS
 
+=for openssl duplicate options
+
 B<openssl> B<ts>
 B<-help>
 

doc/man1/openssl.pod

@@ -6,6 +6,8 @@ openssl - OpenSSL command line program
 
 =head1 SYNOPSIS
 
+=for openssl duplicate options
+
 B<openssl>
 I<command>
 [ I<options> ... ]

util/find-doc-nits

@@ -276,7 +276,9 @@ sub files {
 
 # Print error message, set $status.
 sub err {
-    print join(" ", @_), "\n";
+    my $t = join(" ", @_);
+    $t =~ s/\n//g;
+    print $t, "\n";
     $status = 1
 }
 
@@ -560,8 +562,10 @@ sub option_check {
     my $id = shift;
     my $filename = shift;
     my $contents = shift;
+    my $nodups = 1;
 
     my $synopsis = ($contents =~ /=head1\s+SYNOPSIS(.*?)=head1/s, $1);
+    $nodups = 0 if $synopsis =~ /=for\s+openssl\s+duplicate\s+options/s;
 
     # Some pages have more than one OPTIONS section, let's make sure
     # to get them all
@@ -577,19 +581,26 @@ sub option_check {
     }
 
     my @synopsis;
+    my %listed;
     while ( $synopsis =~ /$markup_re/msg ) {
         my $found = $&;
         push @synopsis, $found if $found =~ /^B<-/;
         print STDERR "$id:DEBUG[option_check] SYNOPSIS: found $found\n"
             if $debug;
         my $option_uw = normalise_option($id, $filename, $found);
-        err($id, "Malformed option [2] in SYNOPSIS: $found")
-            if defined $option_uw && $option_uw eq '';
+        if ( defined $option_uw ) {
+            err($id, "Malformed option [2] in SYNOPSIS: $found")
+                if $option_uw eq '';
+            err($id, "Duplicate option in SYNOPSIS $option_uw\n")
+                if $nodups && defined $listed{$option_uw};
+            $listed{$option_uw} = 1;
+        }
     }
 
     # In OPTIONS, we look for =item paragraphs.
     # (?=^\s*$) detects an empty line.
     my @options;
+    my %described;
     while ( $options =~ /=item\s+(.*?)(?=^\s*$)/msg ) {
         my $item = $&;
 
@@ -601,8 +612,13 @@ sub option_check {
                 if ($1 // '') ne '' && $found =~ /^B<\s*-/;
 
             my $option_uw = normalise_option($id, $filename, $found);
-            err($id, "Malformed option in OPTIONS: $found")
-                if defined $option_uw && $option_uw eq '';
+            if ( defined $option_uw ) {
+                err($id, "Malformed option in OPTIONS: $found")
+                    if $option_uw eq '';
+                err($id, "Duplicate option in OPTIONS $option_uw\n")
+                    if $nodups && defined $described{$option_uw};
+                $described{$option_uw} = 1;
+            }
             if ($found =~ /^B<-/) {
                 push @options, $found;
                 err($id, "OPTIONS entry $found missing from SYNOPSIS")