Fix typos

Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17392)
2022-01-03 01:00:27 +02:00 · 2022-01-03 01:00:27 +02:00 · e304aa87b3
parent e66c41725f
commit e304aa87b3
97 changed files with 132 additions and 132 deletions
--- a/4
+++ b/4
@ -603,7 +603,7 @@ my @disable_cascades = (
    # Without shared libraries, dynamic engines aren't possible.
    # This is due to them having to link with libcrypto and register features
    # using the ENGINE functionality, and since that relies on global tables,
-    # those *have* to be exacty the same as the ones accessed from the app,
+    # those *have* to be exactly the same as the ones accessed from the app,
    # which cannot be guaranteed if shared libraries aren't present.
    # (note that even with shared libraries, both the app and dynamic engines
    # must be linked with the same library)
@ -1800,7 +1800,7 @@ my %skipdir = ();
 my %disabled_info = ();         # For configdata.pm
 foreach my $what (sort keys %disabled) {
    # There are deprecated disablables that translate to themselves.
-    # They cause disabling cascades, but should otherwise not regiter.
+    # They cause disabling cascades, but should otherwise not register.
    next if $deprecated_disablables{$what};
    # The generated $disabled{"deprecated-x.y"} entries are special
    # and treated properly elsewhere
--- a/INSTALL.md
+++ b/INSTALL.md
@ -1597,7 +1597,7 @@ working incorrectly. If you think you encountered a bug, please
 Along with a short description of the bug, please provide the complete
 configure command line and the relevant output including the error message.

-Note: To make the output readable, pleace add a 'code fence' (three backquotes
+Note: To make the output readable, please add a 'code fence' (three backquotes
 ` ``` ` on a separate line) before and after your output:

     ```
--- a/README-ENGINES.md
+++ b/README-ENGINES.md
@ -8,7 +8,7 @@ The ENGINE API was introduced in OpenSSL version 0.9.6 as a low level
 interface for adding alternative implementations of cryptographic
 primitives, most notably for integrating hardware crypto devices.

-The ENGINE interface has its limitations and it has been superseeded
+The ENGINE interface has its limitations and it has been superseded
 by the [PROVIDER API](README-PROVIDERS.md), it is deprecated in OpenSSL
 version 3.0. The following documentation is retained as an aid for
 users who need to maintain or support existing ENGINE implementations.
--- a/apps/cmp.c
+++ b/apps/cmp.c
@ -1115,7 +1115,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
    if (opt_grant_implicitconf)
        (void)OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(srv_ctx, 1);

-    if (opt_failure != INT_MIN) { /* option has been set explicity */
+    if (opt_failure != INT_MIN) { /* option has been set explicitly */
        if (opt_failure < 0 || OSSL_CMP_PKIFAILUREINFO_MAX < opt_failure) {
            CMP_err1("-failure out of range, should be >= 0 and <= %d",
                     OSSL_CMP_PKIFAILUREINFO_MAX);
--- a/apps/include/http_server.h
+++ b/apps/include/http_server.h
@ -94,7 +94,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
 * Send an ASN.1-formatted HTTP response
 * cbio: destination BIO (typically as returned by http_server_get_asn1_req())
 *       note: cbio should not do an encoding that changes the output length
- * keep_alive: grant persistent connnection
+ * keep_alive: grant persistent connection
 * content_type: string identifying the type of the response
 * it: the response ASN.1 type
 * resp: the response to send
--- a/configdata.pm.in
+++ b/configdata.pm.in
@ -20,7 +20,7 @@
         # Unix form /VOLUME/DIR1/DIR2/FILE, which is what VMS perl supports
         # for 'use lib'.

-         # Start with spliting the native path
+         # Start with splitting the native path
         (my $vol, my $dirs, my $file) = File::Spec->splitpath($path);
         my @dirs = File::Spec->splitdir($dirs);

@ -88,7 +88,7 @@ unless (caller) {
    if (scalar @ARGV == 0) {
        # With no arguments, re-create the build file
        # We do that in two steps, where the first step emits perl
-        # snipets.
+        # snippets.

        my $buildfile = $target{build_file};
        my $buildfile_template = "$buildfile.in";
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@ -417,7 +417,7 @@ ___
 # If lsize < 3*16 bytes, treat them as the tail, interleave the
 # two blocks AES instructions.
 # There is one special case, if the original input data size dsize
-# = 16 bytes, we will treat it seperately to improve the
+# = 16 bytes, we will treat it separately to improve the
 # performance: one independent code block without LR, FP load and
 # store, just looks like what the original ECB implementation does.

@ -2162,7 +2162,7 @@ ___
 # will be processed specially, which be integrated into the 5*16 bytes
 # loop to improve the efficiency.
 # There is one special case, if the original input data size dsize
-# = 16 bytes, we will treat it seperately to improve the
+# = 16 bytes, we will treat it separately to improve the
 # performance: one independent code block without LR, FP load and
 # store.
 # Encryption will process the (length -tailcnt) bytes as mentioned
@ -3495,7 +3495,7 @@ $code.=<<___	if ($flavour =~ /64/);
 	cbnz	x2,.Lxts_dec_1st_done
 	vld1.32	{$dat0},[$inp],#16

-	// Decrypt the last secod block to get the last plain text block
+	// Decrypt the last second block to get the last plain text block
 .Lxts_dec_1st_done:
 	eor	$tmpin,$dat0,$iv1
 	ldr	$rounds,[$key1,#240]
--- a/crypto/bn/asm/rsaz-2k-avx512.pl
+++ b/crypto/bn/asm/rsaz-2k-avx512.pl
@ -88,7 +88,7 @@ ___
 # specified in the original algorithm as according to the Lemma 1 from the paper
 # [2], the result will be always < 2*m and can be used as a direct input to
 # the next AMM iteration.  This post-condition is true, provided the correct
-# parameter |s| (notion of the Lemma 1 from [2]) is choosen, i.e.  s >= n + 2 * k,
+# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e.  s >= n + 2 * k,
 # which matches our case: 1040 > 1024 + 2 * 1.
 #
 # [1] Gueron, S. Efficient software implementations of modular exponentiation.
--- a/crypto/bn/asm/rsaz-3k-avx512.pl
+++ b/crypto/bn/asm/rsaz-3k-avx512.pl
@ -75,7 +75,7 @@ if ($avx512ifma>0) {{{
 # specified in the original algorithm as according to the Lemma 1 from the paper
 # [2], the result will be always < 2*m and can be used as a direct input to
 # the next AMM iteration.  This post-condition is true, provided the correct
-# parameter |s| (notion of the Lemma 1 from [2]) is choosen, i.e.  s >= n + 2 * k,
+# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e.  s >= n + 2 * k,
 # which matches our case: 1560 > 1536 + 2 * 1.
 #
 # [1] Gueron, S. Efficient software implementations of modular exponentiation.
--- a/crypto/bn/asm/rsaz-4k-avx512.pl
+++ b/crypto/bn/asm/rsaz-4k-avx512.pl
@ -72,7 +72,7 @@ if ($avx512ifma>0) {{{
 # specified in the original algorithm as according to the Lemma 1 from the paper
 # [2], the result will be always < 2*m and can be used as a direct input to
 # the next AMM iteration.  This post-condition is true, provided the correct
-# parameter |s| (notion of the Lemma 1 from [2]) is choosen, i.e.  s >= n + 2 * k,
+# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e.  s >= n + 2 * k,
 # which matches our case: 2080 > 2048 + 2 * 1.
 #
 # [1] Gueron, S. Efficient software implementations of modular exponentiation.
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@ -598,7 +598,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
                break;
            }
            ossl_cmp_debug(ctx,
-                           "sucessfully validated PBM-based CMP message protection");
+                           "successfully validated PBM-based CMP message protection");
            return 1;
        }
        ossl_cmp_warn(ctx, "verifying PBM-based CMP message protection failed");
@ -628,7 +628,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
            /* use ctx->srvCert for signature check even if not acceptable */
            if (verify_signature(ctx, msg, scrt)) {
                ossl_cmp_debug(ctx,
-                               "sucessfully validated signature-based CMP message protection");
+                               "successfully validated signature-based CMP message protection");

                return 1;
            }
@ -668,7 +668,7 @@ static int check_transactionID_or_nonce(ASN1_OCTET_STRING *expected,
 * Any msg->extraCerts are prepended to ctx->untrusted.
 *
 * Ensures that:
- * its sender is of appropriate type (curently only X509_NAME) and
+ * its sender is of appropriate type (currently only X509_NAME) and
 *     matches any expected sender or srvCert subject given in the ctx
 * it has a valid body type
 * its protection is valid (or invalid/absent, but only if a callback function
--- a/crypto/context.c
+++ b/crypto/context.c
@ -402,7 +402,7 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index,
     * The alloc call ensures there's a value there. We release the ctx->lock
     * for this, because the allocation itself may recursively call
     * ossl_lib_ctx_get_data for other indexes (never this one). The allocation
-     * will itself aquire the ctx->lock when it actually comes to store the
+     * will itself acquire the ctx->lock when it actually comes to store the
     * allocated data (see ossl_lib_ctx_generic_new() above). We call
     * ossl_crypto_alloc_ex_data_intern() here instead of CRYPTO_alloc_ex_data().
     * They do the same thing except that the latter calls CRYPTO_get_ex_data()
--- a/crypto/ec/ec2_oct.c
+++ b/crypto/ec/ec2_oct.c
@ -272,7 +272,7 @@ int ossl_ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
    }

    /*
-     * The first octet is the point converison octet PC, see X9.62, page 4
+     * The first octet is the point conversion octet PC, see X9.62, page 4
     * and section 4.4.2.  It must be:
     *     0x00          for the point at infinity
     *     0x02 or 0x03  for compressed form
--- a/crypto/encode_decode/encoder_lib.c
+++ b/crypto/encode_decode/encoder_lib.c
@ -523,7 +523,7 @@ static int encoder_process(struct encoder_process_data_st *data)

        OSSL_TRACE_BEGIN(ENCODER) {
            BIO_printf(trc_out,
-                       "[%d]    Skipping because recusion level %d failed\n",
+                       "[%d]    Skipping because recursion level %d failed\n",
                       data->level, new_data.level);
        } OSSL_TRACE_END(ENCODER);
    }
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@ -2153,7 +2153,7 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
      OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
    /*
     * The "rsa_oaep_label" ctrl_str expects the value to always be hex.
-     * This is accomodated by default_fixup_args() above, which mimics that
+     * This is accommodated by default_fixup_args() above, which mimics that
     * expectation for any translation item where |ctrl_str| is NULL and
     * |ctrl_hexstr| is non-NULL.
     */
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@ -239,7 +239,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
             * This might be requested by a later call to EVP_MD_CTX_get0_md().
             * In that case the "explicit fetch" rules apply for that
             * function (as per man pages), i.e. the ref count is not updated
-             * so the EVP_MD should not be used beyound the lifetime of the
+             * so the EVP_MD should not be used beyond the lifetime of the
             * EVP_MD_CTX.
             */
            ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
--- a/crypto/ffc/ffc_params_generate.c
+++ b/crypto/ffc/ffc_params_generate.c
@ -435,7 +435,7 @@ static int generate_q_fips186_2(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd,
        }
        if (r != 0)
            goto err; /* Exit if error */
-        /* Try another iteration if it wasnt prime - was in old code.. */
+        /* Try another iteration if it wasn't prime - was in old code.. */
        generate_seed = 1;
    }
 err:
--- a/crypto/rand/rand_egd.c
+++ b/crypto/rand/rand_egd.c
@ -58,7 +58,7 @@ struct sockaddr_un {
 /*
 * HPNS:
 *
- *  Our current MQ 5.3 EGD requies compatability-mode sockets
+ *  Our current MQ 5.3 EGD requires compatability-mode sockets
 *  This code forces the mode to compatibility if required
 *  and then restores the mode.
 *
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@ -1103,7 +1103,7 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
    if (!evp_pkey_ctx_set_params_strict(ctx, rsa_params))
        return 0;

-    /* Ownership is supposed to be transfered to the callee. */
+    /* Ownership is supposed to be transferred to the callee. */
    OPENSSL_free(label);
    return 1;
 }
--- a/crypto/x509/v3_ist.c
+++ b/crypto/x509/v3_ist.c
@ -17,7 +17,7 @@

 /*
 * Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
- * This extention is required to obtain the status of a qualified certificate at Russian Federation.
+ * This extension is required to obtain the status of a qualified certificate at Russian Federation.
 * RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
 * Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/
 */
--- a/crypto/x509/v3_utf8.c
+++ b/crypto/x509/v3_utf8.c
@ -16,7 +16,7 @@

 /*
 * Subject Sign Tool (1.2.643.100.111) The name of the tool used to signs the subject (UTF8String)
- * This extention is required to obtain the status of a qualified certificate at Russian Federation.
+ * This extension is required to obtain the status of a qualified certificate at Russian Federation.
 * RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
 * Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/
 */
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@ -47,7 +47,7 @@ static int x509v3_add_len_value(const char *name, const char *value,
    if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
        goto err;
    if (value != NULL) {
-        /* We don't allow embeded NUL characters */
+        /* We don't allow embedded NUL characters */
        if (memchr(value, 0, vallen) != NULL)
            goto err;
        tvalue = OPENSSL_strndup(value, vallen);
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@ -170,7 +170,7 @@ static int x509_pubkey_ex_d2i_ex(ASN1_VALUE **pval,

    /*
     * Try to decode with legacy method first.  This ensures that engines
-     * aren't overriden by providers.
+     * aren't overridden by providers.
     */
    if ((ret = x509_pubkey_decode(&pubkey->pkey, pubkey)) == -1) {
        /* -1 indicates a fatal error, like malloc failure */
--- a/demos/mac/gmac.c
+++ b/demos/mac/gmac.c
@ -85,7 +85,7 @@ int main(int argc, char **argv)
        goto end;
    }

-    /* GMAC requries a GCM mode cipher to be specified */
+    /* GMAC requires a GCM mode cipher to be specified */
    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
                                            "AES-128-GCM", 0);

--- a/dev/release-aux/README.md
+++ b/dev/release-aux/README.md
@ -1,4 +1,4 @@
-Auxilliary files for dev/release.sh
+Auxillary files for dev/release.sh
 ===================================

 - release-state-fn.sh
--- a/dev/release.sh
+++ b/dev/release.sh
@ -224,7 +224,7 @@ elif $force; then
    :
 else
    echo >&2 "Not in master or any recognised release branch"
-    echo >&2 "Please 'git checkout' an approprite branch"
+    echo >&2 "Please 'git checkout' an appropriate branch"
    exit 1
 fi
 orig_HEAD=$(git rev-parse HEAD)
@ -369,7 +369,7 @@ for fixup in "$HERE/dev/release-aux"/fixup-*-release.pl; do
        perl -pi $fixup $file
 done

-$VERBOSE "== Comitting updates and tagging"
+$VERBOSE "== Committing updates and tagging"
 git add -u
 git commit $git_quiet -m "Prepare for release of $release_text"
 if [ -n "$reviewers" ]; then
--- a/doc/internal/man3/OPTIONS.pod
+++ b/doc/internal/man3/OPTIONS.pod
@ -155,7 +155,7 @@ on multiple lines; each entry should use B<OPT_MORE_STR>, like this:
        {OPT_MORE_STR, 0, 0,
         "This flag is not really needed on Unix systems"},
        {OPT_MORE_STR, 0, 0,
-         "(Unix and descendents for ths win!)"}
+         "(Unix and descendents for the win!)"}

 Each subsequent line will be indented the correct amount.

--- a/doc/internal/man3/ossl_random_add_conf_module.pod
+++ b/doc/internal/man3/ossl_random_add_conf_module.pod
@ -15,7 +15,7 @@ ossl_random_add_conf_module - internal random configuration module

 ossl_random_add_conf_module() adds the random configuration module
 for providers.
-This allows the type and parameters of the stardard setup of random number
+This allows the type and parameters of the standard setup of random number
 generators to be configured with an OpenSSL L<config(5)> file.

 =head1 RETURN VALUES
--- a/doc/internal/man7/EVP_PKEY.pod
+++ b/doc/internal/man7/EVP_PKEY.pod
@ -19,7 +19,7 @@ private/public key pairs, but has had other uses as well.

 =for comment "uses" could as well be "abuses"...

-The private/public key pair that an B<EVP_PKEY> contains is refered to
+The private/public key pair that an B<EVP_PKEY> contains is referred to
 as its "internal key" or "origin" (the reason for "origin" is
 explained further down, in L</Export cache for provider operations>),
 and it can take one of the following forms:
--- a/doc/man1/openssl-genpkey.pod.in
+++ b/doc/man1/openssl-genpkey.pod.in
@ -278,7 +278,7 @@ RFC5114 names "dh_1024_160", "dh_2048_224", "dh_2048_256".

 If this option is set, then the appropriate RFC5114 parameters are used
 instead of generating new parameters. The value I<num> can be one of
-1, 2 or 3 that are equivalant to using the option B<group> with one of
+1, 2 or 3 that are equivalent to using the option B<group> with one of
 "dh_1024_160", "dh_2048_224" or "dh_2048_256".
 All other options will be ignored if this value is set.

@ -333,7 +333,7 @@ The B<algorithm> option must be B<"DH">.
 =item "default"

 Selects a default type based on the B<algorithm>. This is used by the
-OpenSSL default provider to set the type for backwards compatability.
+OpenSSL default provider to set the type for backwards compatibility.
 If B<algorithm> is B<"DH"> then B<"generator"> is used.
 If B<algorithm> is B<"DHX"> then B<"fips186_2"> is used.

--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@ -274,7 +274,7 @@ See L<openssl-format-options(1)> for details.

 =item B<-pass> I<arg>

-the private key and certifiate file password source.
+the private key and certificate file password source.
 For more information about the format of I<arg>
 see L<openssl-passphrase-options(1)>.

--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@ -92,7 +92,7 @@ It does not have a negative trust attribute rejecting the given use.
 =item *

 It has a positive trust attribute accepting the given use
-or (by default) one of the following compatibilty conditions apply:
+or (by default) one of the following compatibility conditions apply:
 It is self-signed or the B<-partial_chain> option is given
 (which corresponds to the B<X509_V_FLAG_PARTIAL_CHAIN> flag being set).

--- a/doc/man3/ASN1_aux_cb.pod
+++ b/doc/man3/ASN1_aux_cb.pod
@ -3,7 +3,7 @@
 =head1 NAME

 ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb
- ASN.1 auxilliary data
+- ASN.1 auxiliary data

 =head1 SYNOPSIS

@ -45,7 +45,7 @@ ASN.1 data structures can be associated with an B<ASN1_AUX> object to supply
 additional information about the ASN.1 structure. An B<ASN1_AUX> structure is
 associated with the structure during the definition of the ASN.1 template. For
 example an B<ASN1_AUX> structure will be associated by using one of the various
-ASN.1 template definition macros that supply auxilliary information such as
+ASN.1 template definition macros that supply auxiliary information such as
 ASN1_SEQUENCE_enc(), ASN1_SEQUENCE_ref(), ASN1_SEQUENCE_cb_const_cb(),
 ASN1_SEQUENCE_const_cb(), ASN1_SEQUENCE_cb() or ASN1_NDEF_SEQUENCE_cb().

--- a/doc/man3/ASN1_item_sign.pod
+++ b/doc/man3/ASN1_item_sign.pod
@ -62,7 +62,7 @@ I<algor2> are ignored if they are NULL.
 ASN1_item_sign() is similar to ASN1_item_sign_ex() but uses default values of
 NULL for the I<id>, I<libctx> and I<propq>.

-ASN1_item_sign_ctx() is similiar to ASN1_item_sign() but uses the parameters
+ASN1_item_sign_ctx() is similar to ASN1_item_sign() but uses the parameters
 contained in digest context I<ctx>.

 ASN1_item_verify_ex() is used to verify the signature I<signature> of internal
@ -77,7 +77,7 @@ See EVP_PKEY_CTX_set1_id() for further info.
 ASN1_item_verify() is similar to ASN1_item_verify_ex() but uses default values of
 NULL for the I<id>, I<libctx> and I<propq>.

-ASN1_item_verify_ctx() is similiar to ASN1_item_verify() but uses the parameters
+ASN1_item_verify_ctx() is similar to ASN1_item_verify() but uses the parameters
 contained in digest context I<ctx>.


--- a/doc/man3/BIO_s_core.pod
+++ b/doc/man3/BIO_s_core.pod
@ -22,7 +22,7 @@ libcrypto into a provider supply an OSSL_CORE_BIO parameter. This represents
 a BIO within libcrypto, but cannot be used directly by a provider. Instead it
 should be wrapped using a BIO_s_core().

-Once a BIO is contructed based on BIO_s_core(), the associated OSSL_CORE_BIO
+Once a BIO is constructed based on BIO_s_core(), the associated OSSL_CORE_BIO
 object should be set on it using BIO_set_data(3). Note that the BIO will only
 operate correctly if it is associated with a library context constructed using
 OSSL_LIB_CTX_new_from_dispatch(3). To associate the BIO with a library context
--- a/doc/man3/BN_rand.pod
+++ b/doc/man3/BN_rand.pod
@ -59,7 +59,7 @@ BN_rand() is the same as BN_rand_ex() except that the default library context
 is always used.

 BN_rand_range_ex() generates a cryptographically strong pseudo-random
-number I<rnd>, of security stength at least I<strength> bits,
+number I<rnd>, of security strength at least I<strength> bits,
 in the range 0 E<lt>= I<rnd> E<lt> I<range> using the random number
 generator for the library context associated with I<ctx>. The parameter I<ctx>
 may be NULL in which case the default library context is used.
--- a/doc/man3/CONF_modules_load_file.pod
+++ b/doc/man3/CONF_modules_load_file.pod
@ -34,7 +34,7 @@ as determined by calling CONF_get1_default_config_file().
 If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
 used.
 The behaviour can be customized using B<flags>. Note that, the error suppressing
-can be overriden by B<config_diagnostics> as described in L<config(5)>.
+can be overridden by B<config_diagnostics> as described in L<config(5)>.

 CONF_modules_load_file() is the same as CONF_modules_load_file_ex() but
 has a NULL library context.
--- a/doc/man3/DH_get0_pqg.pod
+++ b/doc/man3/DH_get0_pqg.pod
@ -40,7 +40,7 @@ see L<openssl_user_macros(7)>:

 All of the functions described on this page are deprecated.
 Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
-return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
+return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.

 A DH object contains the parameters I<p>, I<q> and I<g>. Note that the I<q>
 parameter is optional. It also contains a public key (I<pub_key>) and
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@ -668,7 +668,7 @@ Note that the block size for a cipher may be different to the block size for
 the underlying encryption/decryption primitive.
 For example AES in CTR mode has a block size of 1 (because it operates like a
 stream cipher), even though AES has a block size of 16.
-Use EVP_CIPHER_get_block_size() to retreive the cached value.
+Use EVP_CIPHER_get_block_size() to retrieve the cached value.

 =item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>

--- a/doc/man3/EVP_KEYMGMT.pod
+++ b/doc/man3/EVP_KEYMGMT.pod
@ -124,7 +124,7 @@ otherwise 0.

 EVP_KEYMGMT_get0_name() returns the algorithm name, or NULL on error.

-EVP_KEYMGMT_get0_description() returns a pointer to a decription, or NULL if
+EVP_KEYMGMT_get0_description() returns a pointer to a description, or NULL if
 there isn't one.

 EVP_KEYMGMT_gettable_params(), EVP_KEYMGMT_settable_params() and
--- a/doc/man3/EVP_PKEY2PKCS8.pod
+++ b/doc/man3/EVP_PKEY2PKCS8.pod
@ -21,7 +21,7 @@ EVP_PKEY2PKCS8() converts a private key I<pkey> into a returned PKCS8 object.
 EVP_PKCS82PKEY_ex() converts a PKCS8 object I<p8> into a returned private key.
 It uses I<libctx> and I<propq> when fetching algorithms.

-EVP_PKCS82PKEY() is similiar to EVP_PKCS82PKEY_ex() but uses default values of
+EVP_PKCS82PKEY() is similar to EVP_PKCS82PKEY_ex() but uses default values of
 NULL for the I<libctx> and I<propq>.

 =head1 RETURN VALUES
--- a/doc/man3/EVP_PKEY_derive.pod
+++ b/doc/man3/EVP_PKEY_derive.pod
@ -32,7 +32,7 @@ EVP_PKEY_derive_set_peer_ex() sets the peer key: this will normally
 be a public key. The I<validate_peer> will validate the public key if this value
 is non zero.

-EVP_PKEY_derive_set_peer() is similiar to EVP_PKEY_derive_set_peer_ex() with
+EVP_PKEY_derive_set_peer() is similar to EVP_PKEY_derive_set_peer_ex() with
 I<validate_peer> set to 1.

 EVP_PKEY_derive() derives a shared secret using I<ctx>.
--- a/doc/man3/EVP_PKEY_gettable_params.pod
+++ b/doc/man3/EVP_PKEY_gettable_params.pod
@ -49,7 +49,7 @@ is allocated by the method.

 EVP_PKEY_get_utf8_string_param() get a key I<pkey> UTF8 string value into a
 buffer I<str> of maximum size I<max_buf_sz> associated with a name of
-I<key_name>.  The maximum size must be large enough to accomodate the string
+I<key_name>.  The maximum size must be large enough to accommodate the string
 value including a terminating NUL byte, or this function will fail.
 If I<out_len> is not NULL, I<*out_len> is set to the length of the string
 not including the terminating NUL byte. The required buffer size not including
--- a/doc/man3/EVP_PKEY_new.pod
+++ b/doc/man3/EVP_PKEY_new.pod
@ -62,7 +62,7 @@ see L<openssl_user_macros(7)>:
 B<EVP_PKEY> is a generic structure to hold diverse types of asymmetric keys
 (also known as "key pairs"), and can be used for diverse operations, like
 signing, verifying signatures, key derivation, etc.  The asymmetric keys
-themselves are often refered to as the "internal key", and are handled by
+themselves are often referred to as the "internal key", and are handled by
 backends, such as providers (through L<EVP_KEYMGMT(3)>) or B<ENGINE>s.

 Conceptually, an B<EVP_PKEY> internal key may hold a private key, a public
--- a/doc/man3/EVP_PKEY_todata.pod
+++ b/doc/man3/EVP_PKEY_todata.pod
@ -23,7 +23,7 @@ I<selection> is described in L<EVP_PKEY_fromdata(3)/Selections>.
 L<OSSL_PARAM_free(3)> should be used to free the returned parameters in
 I<*params>.

-EVP_PKEY_export() is similiar to EVP_PKEY_todata() but uses a callback
+EVP_PKEY_export() is similar to EVP_PKEY_todata() but uses a callback
 I<export_cb> that gets passed the value of I<export_cbarg>.
 See L<openssl-core.h(7)> for more information about the callback. Note that the
 B<OSSL_PARAM> array that is passed to the callback is not persistent after the
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@ -131,7 +131,7 @@ in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
 If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
 and in I<bs>, else it takes them as untrusted intermediate CA certificates
 and uses them for constructing the validation path for the signer certificate.
-Certicate revocation status checks using CRLs is disabled during path validation
+Certificate revocation status checks using CRLs is disabled during path validation
 if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
 After successful path
 validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
--- a/doc/man3/OCSP_sendreq_new.pod
+++ b/doc/man3/OCSP_sendreq_new.pod
@ -40,7 +40,7 @@ These functions perform an OCSP POST request / response transfer over HTTP,
 using the HTTP request functions described in L<OSSL_HTTP_REQ_CTX(3)>.

 The function OCSP_sendreq_new() builds a complete B<OSSL_HTTP_REQ_CTX> structure
-with the B<BIO> I<io> to be used for requests and reponse, the URL path I<path>,
+with the B<BIO> I<io> to be used for requests and response, the URL path I<path>,
 optionally the OCSP request I<req>, and a response header maximum line length
 of I<buf_size>. If I<buf_size> is zero a default value of 4KiB is used.
 The I<req> may be set to NULL and provided later using OCSP_REQ_CTX_set1_req()
--- a/doc/man3/OSSL_CMP_log_open.pod
+++ b/doc/man3/OSSL_CMP_log_open.pod
@ -89,7 +89,7 @@ As long as neither if the two is used any logging output is ignored.

 OSSL_CMP_log_close() may be called when all activities are finished to flush
 any pending CMP-specific log output and deallocate related resources.
-It may be called multiple times. It does get called at OpenSSL stutdown.
+It may be called multiple times. It does get called at OpenSSL shutdown.

 OSSL_CMP_print_to_bio() prints the given component info, filename, line number,
 severity level, and log message or error queue message to the given I<bio>.
--- a/doc/man3/OSSL_DECODER.pod
+++ b/doc/man3/OSSL_DECODER.pod
@ -116,7 +116,7 @@ multiple synonyms associated with it. In this case the first name from the
 algorithm definition is returned. Ownership of the returned string is retained
 by the I<decoder> object and should not be freed by the caller.

-OSSL_DECODER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_DECODER_get0_description() returns a pointer to a description, or NULL if
 there isn't one.

 OSSL_DECODER_names_do_all() returns 1 if the callback was called for all
--- a/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
+++ b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
@ -41,7 +41,7 @@ them up, so all the caller has to do next is call functions like
 L<OSSL_DECODER_from_bio(3)>.  The caller may use the optional I<input_type>,
 I<input_struct>, I<keytype> and I<selection> to specify what the input is
 expected to contain.  The I<pkey> must reference an B<EVP_PKEY *> variable
-that will be set to the newly created B<EVP_PKEY> on succesfull decoding.
+that will be set to the newly created B<EVP_PKEY> on successful decoding.
 The referenced variable must be initialized to NULL before calling the
 function.

@ -78,7 +78,7 @@ callback may be specified with the following functions.
 OSSL_DECODER_CTX_set_pem_password_cb(), OSSL_DECODER_CTX_set_passphrase_ui()
 and OSSL_DECODER_CTX_set_passphrase_cb() set up a callback method that the
 implementation can use to prompt for a pass phrase, giving the caller the
-choice of prefered pass phrase callback form.  These are called indirectly,
+choice of preferred pass phrase callback form.  These are called indirectly,
 through an internal B<OSSL_PASSPHRASE_CALLBACK> function.

 The internal B<OSSL_PASSPHRASE_CALLBACK> function caches the pass phrase, to
--- a/doc/man3/OSSL_ENCODER.pod
+++ b/doc/man3/OSSL_ENCODER.pod
@ -117,7 +117,7 @@ multiple synonyms associated with it. In this case the first name from the
 algorithm definition is returned. Ownership of the returned string is retained
 by the I<encoder> object and should not be freed by the caller.

-OSSL_ENCODER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_ENCODER_get0_description() returns a pointer to a description, or NULL if
 there isn't one.

 OSSL_ENCODER_names_do_all() returns 1 if the callback was called for all
--- a/doc/man3/OSSL_ENCODER_CTX.pod
+++ b/doc/man3/OSSL_ENCODER_CTX.pod
@ -80,7 +80,7 @@ as DER to PEM, as well as more specialized encoders like RSA to DER.
 The final output type must be given, and a chain of encoders must end with
 an implementation that produces that output type.

-At the beginning of the encoding process, a contructor provided by the
+At the beginning of the encoding process, a constructor provided by the
 caller is called to ensure that there is an appropriate provider-side object
 to start with.
 The constructor is set with OSSL_ENCODER_CTX_set_construct().
@ -148,7 +148,7 @@ The pointer that was set with OSSL_ENCODE_CTX_set_construct_data().

 The constructor is expected to return a valid (non-NULL) pointer to a
 provider-native object that can be used as first input of an encoding chain,
-or NULL to indicate that an error has occured.
+or NULL to indicate that an error has occurred.

 These utility functions may be used by a constructor:

--- a/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod
+++ b/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod
@ -78,7 +78,7 @@ following functions.
 OSSL_ENCODER_CTX_set_pem_password_cb(), OSSL_ENCODER_CTX_set_passphrase_ui()
 and OSSL_ENCODER_CTX_set_passphrase_cb() sets up a callback method that the
 implementation can use to prompt for a pass phrase, giving the caller the
-choice of prefered pass phrase callback form.  These are called indirectly,
+choice of preferred pass phrase callback form.  These are called indirectly,
 through an internal B<OSSL_PASSPHRASE_CALLBACK> function.

 =head2 Output types
--- a/doc/man3/OSSL_ESS_check_signing_certs.pod
+++ b/doc/man3/OSSL_ESS_check_signing_certs.pod
@ -46,7 +46,7 @@ while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
 As far as these lists are present, they must be nonempty.
 The certificate identified by their first entry must be the first element of
 I<chain>, i.e. the signer certificate.
-Any further certficates referenced in the list must also be found in I<chain>.
+Any further certificates referenced in the list must also be found in I<chain>.
 The matching is done using the given certificate hash algorithm and value.
 In addition to the checks required by RFCs 2624 and 5035,
 if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
--- a/doc/man3/OSSL_HTTP_REQ_CTX.pod
+++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod
@ -133,7 +133,7 @@ The function may need to be called again if its result is -1, which indicates
 L<BIO_should_retry(3)>.  In such a case it is advisable to sleep a little in
 between, using L<BIO_wait(3)> on the read BIO to prevent a busy loop.

-OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on successs
+OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on success
 in addition parses the response, which must be a DER-encoded ASN.1 structure,
 using the ASN.1 template I<it> and places the result in I<*pval>.

--- a/doc/man3/OSSL_HTTP_parse_url.pod
+++ b/doc/man3/OSSL_HTTP_parse_url.pod
@ -57,7 +57,7 @@ The path component is also optional and defaults to C</>.
 Each non-NULL result pointer argument I<pscheme>, I<puser>, I<phost>, I<pport>,
 I<ppath>, I<pquery>, and I<pfrag>, is assigned the respective url component.
 On success, they are guaranteed to contain non-NULL string pointers, else NULL.
-It is the reponsibility of the caller to free them using L<OPENSSL_free(3)>.
+It is the responsibility of the caller to free them using L<OPENSSL_free(3)>.
 If I<pquery> is NULL, any given query component is handled as part of the path.
 A string returned via I<*ppath> is guaranteed to begin with a C</> character.
 For absent scheme, userinfo, port, query, and fragment components
--- a/doc/man3/OSSL_PARAM.pod
+++ b/doc/man3/OSSL_PARAM.pod
@ -108,7 +108,7 @@ B<OSSL_PARAM_UTF8_STRING> in relation to C strings.  When setting
 parameters, the size should be set to the length of the string, not
 counting the terminating NUL byte.  When requesting parameters, the
 size should be set to the size of the buffer to be populated, which
-should accomodate enough space for a terminating NUL byte.
+should accommodate enough space for a terminating NUL byte.

 When I<requesting parameters>, it's acceptable for I<data> to be NULL.
 This can be used by the I<requestor> to figure out dynamically exactly
--- a/doc/man3/OSSL_PARAM_int.pod
+++ b/doc/man3/OSSL_PARAM_int.pod
@ -241,7 +241,7 @@ will be assigned the size the parameter's I<data> buffer should have.
 OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter
 pointed to by I<p>.
 The string is stored into I<*val> with a size limit of I<max_len>,
-which must be large enough to accomodate a terminating NUL byte,
+which must be large enough to accommodate a terminating NUL byte,
 otherwise this function will fail.
 If I<*val> is NULL, memory is allocated for the string (including the
 terminating  NUL byte) and I<max_len> is ignored.
@ -250,14 +250,14 @@ If memory is allocated by this function, it must be freed by the caller.
 OSSL_PARAM_set_utf8_string() sets a UTF8 string from the parameter pointed to
 by I<p> to the value referenced by I<val>.
 If the parameter's I<data> field isn't NULL, its I<data_size> must indicate
-that the buffer is large enough to accomodate the string that I<val> points at,
+that the buffer is large enough to accommodate the string that I<val> points at,
 not including the terminating NUL byte, or this function will fail.
 A terminating NUL byte is added only if the parameter's I<data_size> indicates
 the buffer is longer than the string length, otherwise the string will not be
 NUL terminated.
 If the parameter's I<data> field is NULL, then only its I<return_size> field
 will be assigned the minimum size the parameter's I<data> buffer should have
-to accomodate the string, not including a terminating NUL byte.
+to accommodate the string, not including a terminating NUL byte.

 OSSL_PARAM_get_octet_string() retrieves an OCTET string from the parameter
 pointed to by I<p>.
--- a/doc/man3/OSSL_STORE_LOADER.pod
+++ b/doc/man3/OSSL_STORE_LOADER.pod
@ -327,7 +327,7 @@ definition string, or NULL on error.
 OSSL_STORE_LOADER_is_a() returns 1 if I<loader> was identifiable,
 otherwise 0.

-OSSL_STORE_LOADER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_STORE_LOADER_get0_description() returns a pointer to a description, or NULL if
 there isn't one.

 The functions with the types B<OSSL_STORE_open_fn>,
--- a/doc/man3/OSSL_trace_set_channel.pod
+++ b/doc/man3/OSSL_trace_set_channel.pod
@ -46,7 +46,7 @@ by attaching the B<BIO> I<bio> object as (simple) trace channel.
 OSSL_trace_set_prefix() and OSSL_trace_set_suffix() can be used to add
 an extra line for each channel, to be output before and after group of
 tracing output.
-What constitues an output group is decided by the code that produces
+What constitutes an output group is decided by the code that produces
 the output.
 The lines given here are considered immutable; for more dynamic
 tracing prefixes, consider setting a callback with
--- a/doc/man3/PKCS12_decrypt_skey.pod
+++ b/doc/man3/PKCS12_decrypt_skey.pod
@ -21,7 +21,7 @@ decrypt functions
 PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I<bag>
 using the supplied password I<pass> of length I<passlen>.

-PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex
+PKCS12_decrypt_skey_ex() is similar to the above but allows for a library context
 I<ctx> and property query I<propq> to be used to select algorithm implementations.

 =head1 RETURN VALUES
--- a/doc/man3/PKCS12_gen_mac.pod
+++ b/doc/man3/PKCS12_gen_mac.pod
@ -21,7 +21,7 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure
 =head1 DESCRIPTION

 PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the
-supplied password along with a set of already configured paramters.
+supplied password along with a set of already configured parameters.

 PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
 password.
--- a/doc/man3/RAND_bytes.pod
+++ b/doc/man3/RAND_bytes.pod
@ -37,7 +37,7 @@ and L<EVP_RAND(7)>.

 RAND_bytes_ex() and RAND_priv_bytes_ex() are the same as RAND_bytes() and
 RAND_priv_bytes() except that they both take additional I<strength> and
-I<ctx> parameters. The bytes genreated will have a security strength of at
+I<ctx> parameters. The bytes generated will have a security strength of at
 least I<strength> bits.
 The DRBG used for the operation is the public or private DRBG associated with
 the specified I<ctx>. The parameter can be NULL, in which case
--- a/doc/man3/RSA_get0_key.pod
+++ b/doc/man3/RSA_get0_key.pod
@ -54,7 +54,7 @@ see L<openssl_user_macros(7)>:

 All of the functions described on this page are deprecated.
 Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
-return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
+return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.

 An RSA object contains the components for the public and private key,
 B<n>, B<e>, B<d>, B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp>.  B<n> is
--- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
@ -73,9 +73,9 @@ the built-in parameter support described above. Applications wishing to supply
 their own DH parameters should call SSL_CTX_set0_tmp_dh_pkey() or
 SSL_set0_tmp_dh_pkey() to supply the parameters for the B<SSL_CTX> or B<SSL>
 respectively. The parameters should be supplied in the I<dhpkey> argument as
-an B<EVP_PKEY> containg DH parameters. Ownership of the I<dhpkey> value is
+an B<EVP_PKEY> containing DH parameters. Ownership of the I<dhpkey> value is
 passed to the B<SSL_CTX> or B<SSL> object as a result of this call, and so the
-caller should not free it if the function call is succesful.
+caller should not free it if the function call is successful.

 The deprecated macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do the same
 thing as SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey() except that the
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@ -221,7 +221,7 @@ X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for
 failure.

 X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and
-X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers pecified above
+X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers specified above
 or NULL if the respective value has not been set or on error.

 X509_VERIFY_PARAM_get_flags() returns the current verification flags.
--- a/doc/man3/X509_add_cert.pod
+++ b/doc/man3/X509_add_cert.pod
@ -31,7 +31,7 @@ The value B<X509_ADD_FLAG_DEFAULT>, which equals 0, means no special semantics.
 If B<X509_ADD_FLAG_UP_REF> is set then
 the reference counts of those certificates added successfully are increased.

-If B<X509_ADD_FLAG_PREPEND> is set then the certifcates are prepended to I<sk>.
+If B<X509_ADD_FLAG_PREPEND> is set then the certificates are prepended to I<sk>.
 By default they are appended to I<sk>.
 In both cases the original order of the added certificates is preserved.

--- a/doc/man3/X509_digest.pod
+++ b/doc/man3/X509_digest.pod
@ -44,9 +44,9 @@ X509_digest_sig() calculates a digest of the given certificate I<cert>
 using the same hash algorithm as in its signature, if the digest
 is an integral part of the certificate signature algorithm identifier.
 Otherwise, a fallback hash algorithm is determined as follows:
-SHA512 if the signature alorithm is ED25519,
+SHA512 if the signature algorithm is ED25519,
 SHAKE256 if it is ED448, otherwise SHA256.
-The output parmeters are assigned as follows.
+The output parameters are assigned as follows.
 Unless I<md_used> is NULL, the hash algorithm used is provided
 in I<*md_used> and must be freed by the caller (if it is not NULL).
 Unless I<md_is_fallback> is NULL,
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@ -350,7 +350,7 @@ to generate the function bodies.
 B<I<TYPE>_new>() allocates an empty object of the indicated type.
 The object returned must be released by calling B<I<TYPE>_free>().

-B<I<TYPE>_new_ex>() is similiar to B<I<TYPE>_new>() but also passes the
+B<I<TYPE>_new_ex>() is similar to B<I<TYPE>_new>() but also passes the
 library context I<libctx> and the property query I<propq> to use when retrieving
 algorithms from providers. This created object can then be used when loading
 binary data using B<d2i_I<TYPE>>().
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@ -415,7 +415,7 @@ For example:
 =head2 Random Configuration

 The name B<random> in the initialization section names the section
-containing the random number generater settings.
+containing the random number generator settings.

 Within the random section, the following names have meaning:

--- a/doc/man7/EVP_PKEY-EC.pod
+++ b/doc/man7/EVP_PKEY-EC.pod
@ -15,7 +15,7 @@ The B<EC> keytype is implemented in OpenSSL's default provider.
 The normal way of specifying domain parameters for an EC curve is via the
 curve name "group". For curves with no curve name, explicit parameters can be
 used that specify "field-type", "p", "a", "b", "generator" and "order".
-Explicit parameters are supported for backwards compability reasons, but they
+Explicit parameters are supported for backwards compatibility reasons, but they
 are not compliant with multiple standards (including RFC5915) which only allow
 named curves.

@ -70,7 +70,7 @@ I<order> multiplied by the I<cofactor> gives the number of points on the curve.

 =item  "decoded-from-explicit" (B<OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS>) <integer>

-Gets a flag indicating wether the key or parameters were decoded from explicit
+Gets a flag indicating whether the key or parameters were decoded from explicit
 curve parameters. Set to 1 if so or 0 if a named curve was used.

 =item "use-cofactor-flag" (B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH>) <integer>
@ -95,7 +95,7 @@ point_conversion_forms please see L<EC_POINT_new(3)>. Valid values are
 Sets or Gets the type of group check done when EVP_PKEY_param_check() is called.
 Valid values are "default", "named" and "named-nist".
 The "named" type checks that the domain parameters match the inbuilt curve parameters,
-"named-nist" is similiar but also checks that the named curve is a nist curve.
+"named-nist" is similar but also checks that the named curve is a nist curve.
 The "default" type does domain parameter validation for the OpenSSL default provider,
 but is equivalent to "named-nist" for the OpenSSL fips provider.

--- a/doc/man7/crypto.pod
+++ b/doc/man7/crypto.pod
@ -206,7 +206,7 @@ If anything in this step fails, the next step is used as a fallback.

 As a fallback, try to fetch the operation type implementation from the same
 provider as the original L<EVP_PKEY(3)>'s L<EVP_KEYMGMT(3)>, still using the
-propery string from the B<EVP_PKEY_CTX>.
+property string from the B<EVP_PKEY_CTX>.

 =back

--- a/doc/man7/fips_module.pod
+++ b/doc/man7/fips_module.pod
@ -92,7 +92,7 @@ Obviously the include file location above should match the path and name of the
 FIPS module config file that you installed earlier.
 See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.

-For FIPS usage, it is recommened that the B<config_diagnostics> option is
+For FIPS usage, it is recommended that the B<config_diagnostics> option is
 enabled to prevent accidental use of non-FIPS validated algorithms via broken
 or mistaken configuration.  See L<config(5)>.

--- a/doc/man7/life_cycle-pkey.pod
+++ b/doc/man7/life_cycle-pkey.pod
@ -22,7 +22,7 @@ This state represents the PKEY after it has been allocated.
 =item decapsulate

 This state represents the PKEY when it is ready to perform a private key decapsulation
-opeartion.
+operation.

 =item decrypt

@ -40,7 +40,7 @@ operation.
 =item encapsulate

 This state represents the PKEY when it is ready to perform a public key encapsulation
-opeartion.
+operation.

 =item encrypt

--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@ -130,7 +130,7 @@ New algorithms provided via engines will still work.

 Engine-backed keys can be loaded via custom B<OSSL_STORE> implementation.
 In this case the B<EVP_PKEY> objects created via L<ENGINE_load_private_key(3)>
-will be concidered legacy and will continue to work.
+will be considered legacy and will continue to work.

 To ensure the future compatibility, the engines should be turned to providers.
 To prefer the provider-based hardware offload, you can specify the default
@ -624,7 +624,7 @@ set up with the default library context. Use L<X509_new_ex(3)>,
 L<X509_CRL_new_ex(3)>, L<X509_REQ_new_ex(3)> and L<X509_PUBKEY_new_ex(3)> if a
 library context is required.

-All functions listed below with a I<NAME> have a replacment function I<NAME_ex>
+All functions listed below with a I<NAME> have a replacement function I<NAME_ex>
 that takes B<OSSL_LIB_CTX> as an additional argument. Functions that have other
 mappings are listed along with the respective name.

@ -982,7 +982,7 @@ that refer to these categories.
 Any accessor that uses an ENGINE is deprecated (such as EVP_PKEY_set1_engine()).
 Applications using engines should instead use providers.

-Before providers were added algorithms were overriden by changing the methods
+Before providers were added algorithms were overridden by changing the methods
 used by algorithms. All these methods such as RSA_new_method() and RSA_meth_new()
 are now deprecated and can be replaced by using providers instead.

@ -1074,7 +1074,7 @@ See L<EVP_MAC(3)>, L<EVP_MAC-HMAC(7)>, L<EVP_MAC-CMAC(7)>, L<EVP_MAC-GMAC(7)>,
 L<EVP_MAC-KMAC(7)>, L<EVP_MAC-BLAKE2(7)>, L<EVP_MAC-Poly1305(7)> and
 L<EVP_MAC-Siphash(7)> for additional information.

-Note that the one-shot method HMAC() is still available for compatability purposes.
+Note that the one-shot method HMAC() is still available for compatibility purposes.

 =head4 Deprecated low-level validation functions

@ -1530,7 +1530,7 @@ See L</Deprecated low-level validation functions>

 EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags()

-See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as seperate
+See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as separate
 parameters for B<OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT>,
 B<OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE>, B<OSSL_PKEY_PARAM_EC_ENCODING>,
 B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH> and
--- a/doc/man7/openssl-glossary.pod
+++ b/doc/man7/openssl-glossary.pod
@ -12,7 +12,7 @@ openssl-glossary - An OpenSSL Glossary

 =item Algorithm

-Cryptograpic primitives such as the SHA256 digest, or AES encryption are
+Cryptographic primitives such as the SHA256 digest, or AES encryption are
 referred to in OpenSSL as "algorithms". There can be more than one
 implementation for any given algorithm available for use.

@ -45,7 +45,7 @@ L<OSSL_DECODER_CTX_new_for_pkey(3)>

 =item Default Provider

-An OpenSSL Provider that contains the most commmon OpenSSL algorithm
+An OpenSSL Provider that contains the most common OpenSSL algorithm
 implementations. It is loaded by default if no other provider is available. All
 the algorithm implementations in the Base Provider are also available in the
 Default Provider.
@ -81,7 +81,7 @@ Fetching is the process of looking through the available algorithm
 implementations, applying selection criteria (via a property query string), and
 finally choosing the implementation that will be used.

-Also see Explicit Fetching and Implict Fetching.
+Also see Explicit Fetching and Implicit Fetching.

 L<crypto(7)>

--- a/doc/man7/provider-kdf.pod
+++ b/doc/man7/provider-kdf.pod
@ -198,7 +198,7 @@ Sets the mode in the associated KDF ctx.

 =item "pkcs5" (B<OSSL_KDF_PARAM_PKCS5>) <integer>

-Enables or diables the SP800-132 compliance checks.
+Enables or disables the SP800-132 compliance checks.
 A mode of 0 enables the compliance checks.

 The checks performed are:
--- a/doc/man7/provider-object.pod
+++ b/doc/man7/provider-object.pod
@ -164,7 +164,7 @@ A human readable text that describes extra details on the object.

 =back

-When a provider-native object abtraction is used, it I<must> contain object
+When a provider-native object abstraction is used, it I<must> contain object
 data in at least one form (object data I<passed by value>, i.e. the "data"
 item, or object data I<passed by reference>, i.e. the "reference" item).
 Both may be present at once, in which case the OpenSSL library code that
--- a/include/openssl/core_dispatch.h
+++ b/include/openssl/core_dispatch.h
@ -511,7 +511,7 @@ OSSL_CORE_MAKE_FUNC(void,rand_clear_seed,
 * and key material, etc, essentially everything that manipulates the keys
 * themselves and their parameters.
 *
- * The key objects are commonly refered to as |keydata|, and it MUST be able
+ * The key objects are commonly referred to as |keydata|, and it MUST be able
 * to contain parameters if the key has any, the public key and the private
 * key.  All parts are optional, but their presence determines what can be
 * done with the key object in terms of encryption, signature, and so on.
--- a/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc
@ -8,7 +8,7 @@
 */

 /*
- * Crypto extention support for AES GCM.
+ * Crypto extension support for AES GCM.
 * This file is included by cipher_aes_gcm_hw.c
 */

--- a/providers/implementations/encode_decode/encode_key2any.c
+++ b/providers/implementations/encode_decode/encode_key2any.c
@ -168,7 +168,7 @@ static X509_PUBKEY *key_to_pubkey(const void *key, int key_nid,
 * EncryptedPrivateKeyInfo structure (defined by PKCS#8).  They require
 * that there's an intent to encrypt, anything else is an error.
 *
- * key_to_pki_* primarly produce encoded output with the private key data
+ * key_to_pki_* primarily produce encoded output with the private key data
 * in a PrivateKeyInfo structure (also defined by PKCS#8).  However, if
 * there is an intent to encrypt the data, the corresponding key_to_epki_*
 * function is used instead.
--- a/providers/implementations/keymgmt/kdf_legacy_kmgmt.c
+++ b/providers/implementations/keymgmt/kdf_legacy_kmgmt.c
@ -69,7 +69,7 @@ int ossl_kdf_data_up_ref(KDF_DATA *kdfdata)

    /* This is effectively doing a new operation on the KDF_DATA and should be
     * adequately guarded again modules' error states.  However, both current
-     * calls here are guarded propery in exchange/kdf_exch.c.  Thus, it
+     * calls here are guarded properly in exchange/kdf_exch.c.  Thus, it
     * could be removed here.  The concern is that something in the future
     * might call this function without adequate guards.  It's a cheap call,
     * it seems best to leave it even though it is currently redundant.
--- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c
+++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
@ -109,7 +109,7 @@ int ossl_mac_key_up_ref(MAC_KEY *mackey)

    /* This is effectively doing a new operation on the MAC_KEY and should be
     * adequately guarded again modules' error states.  However, both current
-     * calls here are guarded propery in signature/mac_legacy.c.  Thus, it
+     * calls here are guarded properly in signature/mac_legacy.c.  Thus, it
     * could be removed here.  The concern is that something in the future
     * might call this function without adequate guards.  It's a cheap call,
     * it seems best to leave it even though it is currently redundant.
--- a/providers/implementations/signature/sm2_sig.c
+++ b/providers/implementations/signature/sm2_sig.c
@ -9,7 +9,7 @@

 /*
 * ECDSA low level APIs are deprecated for public use, but still ok for
- * internal use - SM2 implemetation uses ECDSA_size() function.
+ * internal use - SM2 implementation uses ECDSA_size() function.
 */
 #include "internal/deprecated.h"

@ -66,9 +66,9 @@ typedef struct {
    EC_KEY *ec;

    /*
-     * Flag to termine if the 'z' digest needs to be computed and fed to the
+     * Flag to determine if the 'z' digest needs to be computed and fed to the
     * hash function.
-     * This flag should be set on initialization and the compuation should
+     * This flag should be set on initialization and the computation should
     * be performed only once, on first update.
     */
    unsigned int flag_compute_z_digest : 1;
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -2899,7 +2899,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
     * We must not leak whether a decryption failure occurs because of
     * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
     * section 7.4.7.1). We use the special padding type
-     * RSA_PKCS1_WITH_TLS_PADDING to do that. It will automaticaly decrypt the
+     * RSA_PKCS1_WITH_TLS_PADDING to do that. It will automatically decrypt the
     * RSA, check the padding and check that the client version is as expected
     * in the premaster secret. If any of that fails then the function appears
     * to return successfully but with a random result. The call below could
--- a/test/cmp_vfy_test.c
+++ b/test/cmp_vfy_test.c
@ -417,7 +417,7 @@ static int execute_msg_check_test(CMP_VFY_TEST_FIXTURE *fixture)
                                               fixture->additional_arg)))
        return 0;

-    if (fixture->expected == 0) /* error expected aready during above check */
+    if (fixture->expected == 0) /* error expected already during above check */
        return 1;
    return
        TEST_int_eq(0,
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@ -2929,9 +2929,9 @@ static int test_pkey_ctx_fail_without_provider(int tst)

    /*
     * We check for certain algos in the null provider.
-     * If an algo is expected to have a provider keymgmt, contructing an
+     * If an algo is expected to have a provider keymgmt, constructing an
     * EVP_PKEY_CTX is expected to fail (return NULL).
-     * Otherwise, if it's expected to have legacy support, contructing an
+     * Otherwise, if it's expected to have legacy support, constructing an
     * EVP_PKEY_CTX is expected to succeed (return non-NULL).
     */
    switch (tst) {
--- a/test/param_build_test.c
+++ b/test/param_build_test.c
@ -294,7 +294,7 @@ static int builder_limit_test(void)
    }
    if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
        goto err;
-    /* Count the elements in the params arrary, expecting n */
+    /* Count the elements in the params array, expecting n */
    for (i = 0; params[i].key != NULL; i++);
    if (!TEST_int_eq(i, n))
        goto err;
@ -306,7 +306,7 @@ static int builder_limit_test(void)
    if (!TEST_true(OSSL_PARAM_BLD_push_int(bld, "g", 2))
        || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
        goto err;
-    /* Count the elements in the params arrary, expecting 1 */
+    /* Count the elements in the params array, expecting 1 */
    for (i = 0; params[i].key != NULL; i++);
    if (!TEST_int_eq(i, 1))
        goto err;
--- a/test/params_api_test.c
+++ b/test/params_api_test.c
@ -78,7 +78,7 @@ static int test_param_type_extra(OSSL_PARAM *param, const unsigned char *cmp,
    const int signd = param->data_type == OSSL_PARAM_INTEGER;

    /*
-     * Set the unmodified sentinal directly because there is no param array
+     * Set the unmodified sentinel directly because there is no param array
     * for these tests.
     */
    param->return_size = OSSL_PARAM_UNMODIFIED;
--- a/test/params_test.c
+++ b/test/params_test.c
@ -46,7 +46,7 @@ struct object_st {
     */
    double p2;
    /*
-     * Documented as an arbitrarly large unsigned integer.
+     * Documented as an arbitrarily large unsigned integer.
     * The data size must be large enough to accommodate.
     * Assumed data type OSSL_PARAM_UNSIGNED_INTEGER
     */
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@ -87,7 +87,7 @@ use constant {
 };

 # The TLSv1.2 in SSLv2 ClientHello need to run at security level 0
-# because in a SSLv2 ClientHello we can't send extentions to indicate
+# because in a SSLv2 ClientHello we can't send extensions to indicate
 # which signature algorithm we want to use, and the default is SHA1.

 #Test 5: Inject an SSLv2 style record format for a TLSv1.2 ClientHello
--- a/test/recipes/90-test_threads.t
+++ b/test/recipes/90-test_threads.t
@ -34,7 +34,7 @@ if ($no_fips) {
 }

 # Merge the configuration files into one filtering the contents so the failure
-# condition is reproducable.  A working FIPS configuration without the install
+# condition is reproducible.  A working FIPS configuration without the install
 # status is required.

 open CFGBASE, '<', $config_path;
--- a/test/ssl-tests/28-seclevel.cnf.in
+++ b/test/ssl-tests/28-seclevel.cnf.in
@ -36,7 +36,7 @@ our @tests_ec = (
    {
        # The Ed448 signature algorithm will not be enabled.
        # Because of the config order, the certificate is first loaded, and
-        # then the security level is chaged. If you try this with s_server
+        # then the security level is changed. If you try this with s_server
        # the order will be reversed and it will instead fail to load the key.
        name => "SECLEVEL 5 server with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
@ -48,7 +48,7 @@ our @tests_ec = (
    },
    {
        # The client will not sent the Ed448 signature algorithm, so the server
-        # doesn't have a useable signature algorithm for the certificate.
+        # doesn't have a usable signature algorithm for the certificate.
        name => "SECLEVEL 5 client with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@ -856,7 +856,7 @@ static int test_ccs_change_cipher(void)
    size_t readbytes;

    /*
-     * Create a conection so we can resume and potentially (but not) use
+     * Create a connection so we can resume and potentially (but not) use
     * a different cipher in the second connection.
     */
    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
--- a/test/tls-provider.c
+++ b/test/tls-provider.c
@ -313,7 +313,7 @@ static const OSSL_DISPATCH xor_keyexch_functions[] = {

 static const OSSL_ALGORITHM tls_prov_keyexch[] = {
    /*
-     * Obviously this is not FIPS approved, but in order to test in conjuction
+     * Obviously this is not FIPS approved, but in order to test in conjunction
     * with the FIPS provider we pretend that it is.
     */
    { "XOR", "provider=tls-provider,fips=yes", xor_keyexch_functions },
@ -442,7 +442,7 @@ static const OSSL_DISPATCH xor_kem_functions[] = {

 static const OSSL_ALGORITHM tls_prov_kem[] = {
    /*
-     * Obviously this is not FIPS approved, but in order to test in conjuction
+     * Obviously this is not FIPS approved, but in order to test in conjunction
     * with the FIPS provider we pretend that it is.
     */
    { "XOR", "provider=tls-provider,fips=yes", xor_kem_functions },
@ -758,7 +758,7 @@ static const OSSL_DISPATCH xor_keymgmt_functions[] = {

 static const OSSL_ALGORITHM tls_prov_keymgmt[] = {
    /*
-     * Obviously this is not FIPS approved, but in order to test in conjuction
+     * Obviously this is not FIPS approved, but in order to test in conjunction
     * with the FIPS provider we pretend that it is.
     */
    { "XOR", "provider=tls-provider,fips=yes", xor_keymgmt_functions },
--- a/util/add-depends.pl
+++ b/util/add-depends.pl
@ -214,7 +214,7 @@ my %procedures = (
            #
            #   Hinweis: Einlesen der Datei:   {whatever header file}
            #
-            # To accomodate, we need to use a very general regular expression
+            # To accommodate, we need to use a very general regular expression
            # to parse those lines.
            #
            # Since there's no object file name at all in that information,
--- a/util/check-format.pl
+++ b/util/check-format.pl
@ -62,7 +62,7 @@
 #   except within if ... else constructs where some branch contains more than one
 #   statement. Since the exception is hard to recognize when such branches occur
 #   after the current position (such that false positives would be reported)
-#   the tool by checks for this rule by defaul only for do/while/for bodies.
+#   the tool by checks for this rule by default only for do/while/for bodies.
 #   Yet with the --1-stmt option false positives are preferred over negatives.
 #   False negatives occur if the braces are more than two non-empty lines apart.
 #
@ -316,7 +316,7 @@ sub check_indent { # used for lines outside multi-line string literals
            $contents_before) if !$sloppy_cmt && $count_before != $count;
    }
    # ... but allow normal indentation for the current line, else above check will be done for the line before
-    if (($in_comment == 0 || $in_comment < 0) # (no commment,) intra-line comment or end of multi-line comment
+    if (($in_comment == 0 || $in_comment < 0) # (no comment,) intra-line comment or end of multi-line comment
        && m/^(\s*)@[\s@]*$/) { # line begins with '@', no code follows (except '\')
        if ($count == $ref_indent) { # indentation is like for (normal) code in this line
            s/^(\s*)@/$1*/; # blind first '@' as '*' to prevent above delayed check for the line before
@ -511,7 +511,7 @@ while (<>) { # loop over all lines of all input files

    # do/prepare checks within multi-line comments
    my $self_test_exception = $self_test ? "@" : "";
-    if ($in_comment > 0) { # this still includes the last line of multi-line commment
+    if ($in_comment > 0) { # this still includes the last line of multi-line comment
        my ($head, $any_symbol, $cmt_text) = m/^(\s*)(.?)(.*)$/;
        if ($any_symbol eq "*") {
            report("no space after leading '*' in multi-line comment") if $cmt_text =~ m|^[^/\s$self_test_exception]|;
@ -851,7 +851,7 @@ while (<>) { # loop over all lines of all input files
             $line_opening_brace == $line_before)
            && $contents_before =~ m/;/) { # there is at least one terminator ';', so there is some stmt
            # TODO do not report cases where a further else branch
-            # follows with a block containg more than one line/statement
+            # follows with a block containing more than one line/statement
            report_flexibly($line_before, "'$keyword_opening_brace' { 1 stmt }", $contents_before);
        }
    }