Fix legitimate spelling errors

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29462)

crypto/evp/ctrl_params_translate.c

@@ -2869,7 +2869,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
          * function to put it to good use, or maybe affect it.
          *
          * NOTE: even though EVP_PKEY_CTX_ctrl return value is documented
-         * as return positive on Success and 0 or negative on falure. There
+         * as return positive on Success and 0 or negative on failure. There
          * maybe parameters (e.g. ecdh_cofactor), which actually return 0
          * as success value. That is why we do POST_PARAMS_TO_CTRL for 0
          * value as well

crypto/modes/asm/aes-gcm-avx512.pl

@@ -2592,7 +2592,7 @@ ___
     $code .= <<___;
         vpclmulqdq        \$0x01,@{[XWORD($GH1L)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_P1)]}
         vpslldq           \$8,@{[XWORD($RED_P1)]},@{[XWORD($RED_P1)]}                    # ; shift-L 2 DWs
-        vpxorq            @{[XWORD($RED_P1)]},@{[XWORD($GH1L)]},@{[XWORD($RED_P1)]}      # ; first phase of the reduct
+        vpxorq            @{[XWORD($RED_P1)]},@{[XWORD($GH1L)]},@{[XWORD($RED_P1)]}      # ; first phase of the reduction
 ___
   }
 
@@ -3222,7 +3222,7 @@ ___
     $code .= <<___;
         vpclmulqdq        \$0x01,@{[XWORD($GH1L)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_P1)]}
         vpslldq           \$8,@{[XWORD($RED_P1)]},@{[XWORD($RED_P1)]}                    # ; shift-L 2 DWs
-        vpxorq            @{[XWORD($RED_P1)]},@{[XWORD($GH1L)]},@{[XWORD($RED_P1)]}      # ; first phase of the reduct
+        vpxorq            @{[XWORD($RED_P1)]},@{[XWORD($GH1L)]},@{[XWORD($RED_P1)]}      # ; first phase of the reduction
 ___
   }
 

doc/designs/functions-for-explicitly-fetched-signature-algorithms.md

@@ -54,7 +54,7 @@ and `EVP_PKEY_verify()` remain supported.
 Some more recent verification algorithms need to obtain the signature
 before processing the data.
 This is particularly important for streaming modes of operation.
-This design proposes a mechanism to accomodate these algorithms
+This design proposes a mechanism to accommodate these algorithms
 and modes of operation.
 
 New public API - API Reference

doc/man1/openssl-verification-options.pod

@@ -581,7 +581,7 @@ keyCertSign bit set if the keyUsage extension is present.
 
 The extKeyUsage (EKU) extension places additional restrictions on
 certificate use. If this extension is present (whether critical or not)
-in an end-entity certficiate, the key is allowed only for the uses specified,
+in an end-entity certificate, the key is allowed only for the uses specified,
 while the special EKU B<anyExtendedKeyUsage> allows for all uses.
 
 Note that according to RFC 5280 section 4.2.1.12,
@@ -639,7 +639,7 @@ This is used as a workaround if the basicConstraints extension is absent.
 =item B<Netscape SSL Server> (C<nssslserver>)
 
 In addition to what has been described for B<sslserver>, for a Netscape
-SSL client to connect to an SSL server, its EE certficate must have the
+SSL client to connect to an SSL server, its EE certificate must have the
 B<keyEncipherment> bit set if the keyUsage extension is present. This isn't
 always valid because some cipher suites use the key for digital signing.
 Otherwise it is the same as a normal SSL server.
@@ -660,19 +660,19 @@ This is used as a workaround if the basicConstraints extension is absent.
 
 =item B<S/MIME Signing> (C<smimesign>)
 
-In addition to the common S/MIME checks, for target certficiates
+In addition to the common S/MIME checks, for target certificates
 the key usage must allow for C<digitalSignature> and/or B<nonRepudiation>.
 
 =item B<S/MIME Encryption> (C<smimeencrypt>)
 
-In addition to the common S/MIME checks, for target certficiates
+In addition to the common S/MIME checks, for target certificates
 the key usage must allow for C<keyEncipherment>.
 
 =item B<CRL Signing> (C<crlsign>)
 
 For target certificates, the key usage must allow for C<cRLSign>.
 
-For all other certifcates the normal CA checks apply.
+For all other certificates the normal CA checks apply.
 Except in this case the basicConstraints extension must be present.
 
 =item B<OCSP Helper> (C<ocsphelper>)
@@ -680,7 +680,7 @@ Except in this case the basicConstraints extension must be present.
 For target certificates, no checks are performed at this stage,
 but special checks apply; see L<OCSP_basic_verify(3)>.
 
-For all other certifcates the normal CA checks apply.
+For all other certificates the normal CA checks apply.
 
 =item B<Timestamp Signing> (C<timestampsign>)
 
@@ -689,7 +689,7 @@ C<digitalSignature> and/or C<nonRepudiation> and must not include other bits.
 The EKU extension must be present and contain C<timeStamping> only.
 Moreover, it must be marked as critical.
 
-For all other certifcates the normal CA checks apply.
+For all other certificates the normal CA checks apply.
 
 =item B<Code Signing> (C<codesign>)
 
@@ -699,7 +699,7 @@ include <digitalSignature>, but must not include C<keyCertSign> nor C<cRLSign>.
 The EKU extension must be present and contain C<codeSign>,
 but must not include C<anyExtendedKeyUsage> nor C<serverAuth>.
 
-For all other certifcates the normal CA checks apply.
+For all other certificates the normal CA checks apply.
 
 =back
 

doc/man3/EVP_PKEY_sign.pod

@@ -40,7 +40,7 @@ signing a pre-computed message digest using the algorithm given by I<algo> and
 the key given through L<EVP_PKEY_CTX_new(3)> or L<EVP_PKEY_CTX_new_from_pkey(3)>.
 A context I<ctx> without a pre-loaded key cannot be used with this function.
 This function provides almost the same functionality as EVP_PKEY_sign_init_ex(),
-but is uniquely intended to be used with a pre-computed messsage digest, and
+but is uniquely intended to be used with a pre-computed message digest, and
 allows pre-determining the exact conditions for that message digest, if a
 composite signature algorithm (such as RSA-SHA256) was fetched.
 Following a call to this function, setting parameters that modifies the digest

doc/man3/OSSL_PROVIDER.pod

@@ -172,7 +172,7 @@ I<capability>. For each capability of that name supported by the provider it
 will call the callback I<cb> and supply a set of L<OSSL_PARAM(3)>s describing the
 capability. It will also pass back the argument I<arg>. For more details about
 capabilities and what they can be used for please see
-L<provider-base(7)/CAPABILTIIES>.
+L<provider-base(7)/CAPABILITIES>.
 
 =head1 RETURN VALUES
 

doc/man3/X509_STORE_CTX_new.pod

@@ -85,7 +85,7 @@ If I<ctx> is NULL nothing is done.
 X509_STORE_CTX_init() sets up I<ctx> for a subsequent verification operation.
 
 X509_STORE_CTX_init() initializes the internal state and resources of the
-given I<ctx>. Among others, it sets the verification parameters associcated
+given I<ctx>. Among others, it sets the verification parameters associated
 with the method name C<default>, which includes the C<any> purpose,
 and takes over callback function pointers from I<trust_store> (unless NULL).
 It must be called before each call to L<X509_verify_cert(3)> or

doc/man7/openssl-env.pod

@@ -61,7 +61,7 @@ Unless OpenSSL tracing support is generally disabled,
 enable trace output of specific parts of OpenSSL libraries, by name.
 This output usually makes sense only if you know OpenSSL internals well.
 
-The value of this environment varialble is a comma-separated list of names,
+The value of this environment variable is a comma-separated list of names,
 with the following available:
 
 =over 4

providers/implementations/kem/rsa_kem.c

@@ -301,7 +301,7 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
     /*
      * If outlen is specified, then it must report the length
      * of the out buffer on input so that we can confirm
-     * its size is sufficent for encapsulation
+     * its size is sufficient for encapsulation
      */
     if (outlen != NULL && *outlen < nlen) {
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH);
@@ -332,8 +332,7 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
 /**
  * rsasve_recover - Recovers a secret value from ciphertext using an RSA
  * private key.  Once, recovered, the secret value is considered to be a
- * shared secret.  Algorithm is preformed as per
- * NIST SP 800-56B Rev 2
+ * shared secret.  Algorithm is performed as per NIST SP 800-56B Rev 2
  * 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
  *
  * This function performs RSA decryption using the private key from the

providers/implementations/signature/rsa_sig.c

@@ -108,7 +108,7 @@ typedef struct {
     unsigned int mgf1_md_set : 1;
     /*
      * Flags to say what are the possible next external calls in what
-     * consitutes the life cycle of an algorithm.  The relevant calls are:
+     * constitutes the life cycle of an algorithm.  The relevant calls are:
      * - init
      * - update
      * - final

ssl/quic/quic_record_util.c

@@ -44,7 +44,7 @@ int ossl_quic_hkdf_extract(OSSL_LIB_CTX *libctx,
      * at least 8 bytes. It means that the length of destination connection ID
      * may be less than the minimum length for HKDF required by FIPS provider.
      *
-     * Therefore, we need to set `key-check` to zero to allow using destionation
+     * Therefore, we need to set `key-check` to zero to allow using destination
      * connection ID as IKM.
      */
     *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_FIPS_KEY_CHECK, &key_check);

ssl/t1_trce.c

@@ -1295,7 +1295,7 @@ static int ssl_print_certificate(BIO *bio, const SSL_CONNECTION *sc, int indent,
         x = NULL;
     }
     if (x == NULL)
-        BIO_puts(bio, "<UNPARSEABLE CERTIFICATE>\n");
+        BIO_puts(bio, "<UNPARSABLE CERTIFICATE>\n");
     else {
         BIO_puts(bio, "\n------details-----\n");
         X509_print_ex(bio, x, XN_FLAG_ONELINE, 0);
@@ -1524,7 +1524,7 @@ static int ssl_print_cert_request(BIO *bio, int indent, const SSL_CONNECTION *sc
         p = msg;
         nm = d2i_X509_NAME(NULL, &p, dlen);
         if (!nm) {
-            BIO_puts(bio, "<UNPARSEABLE DN>\n");
+            BIO_puts(bio, "<UNPARSABLE DN>\n");
         } else {
             X509_NAME_print_ex(bio, nm, 0, XN_FLAG_ONELINE);
             BIO_puts(bio, "\n");

test/bio_base64_test.c

@@ -229,7 +229,7 @@ static int test_bio_base64_run(test_case *t, int llen, int wscnt)
 
     /*
      * When the input is long enough, and the source bio is retriable, exercise
-     * retries by writting the input to the underlying BIO in two steps (1024
+     * retries by writing the input to the underlying BIO in two steps (1024
      * bytes, then the rest) and trying to decode some data after each write.
      */
     n1 = elen;

test/recipes/20-test_speed.t

@@ -118,7 +118,7 @@ ok(run(app(['openssl', 'speed', '-help'])),
 
 #Now test some invalid options. The speed app should fail
 ok(!run(app(['openssl', 'speed', 'blah'])),
-        "Test an unknwon algorithm");
+        "Test an unknown algorithm");
 
 ok(!run(app(['openssl', 'speed', '-evp', 'blah'])),
         "Test a unknown evp algorithm");

util/perl/TLSProxy/Proxy.pm

@@ -124,10 +124,10 @@ sub init
     my $test_client_port;
 
     # Sometimes, our random selection of client ports gets unlucky
-    # And we randomly select a port thats already in use.  This causes
+    # And we randomly select a port that's already in use.  This causes
     # this test to fail, so lets harden ourselves against that by doing
     # a test bind to the randomly selected port, and only continue once we
-    # find a port thats available.
+    # find a port that's available.
     my $test_client_addr = $have_IPv6 ? "[::1]" : "127.0.0.1";
     my $found_port = 0;
     for (my $i = 0; $i <= 10; $i++) {